Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name values.

Techniques

Sample rules

First time seen command line argument

Description

This search looks for cmd.exe command lines that use the /c parameter to execute a command that has not previously been seen.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| search [
| tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process 
| `drop_dm_object_name(Processes)` 
| inputlookup append=t previously_seen_cmd_line_arguments 
| stats min(firstTime) as firstTime, max(lastTime) as lastTime by process 
| outputlookup previously_seen_cmd_line_arguments 
| eval newCmdLineArgument=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) 
| where newCmdLineArgument=1 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table process] 
| `first_time_seen_command_line_argument_filter`
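An added Python emulation of the detection logic above (not the page's SPL and not Splunk content), run over constructed process events and a constructed previously_seen_cmd_line_arguments lookup; the allowed_parents parameter stands in for the filter macro the page recommends customizing:

```python
from datetime import datetime, timedelta

# Constructed sample Endpoint.Processes events (not real telemetry).
EVENTS = [
    {"_time": "2024-01-15T11:30:00", "process_name": "cmd.exe", "process": "cmd.exe /c whoami",
     "parent_process_name": "explorer.exe", "dest": "ws01"},
    {"_time": "2024-01-15T11:45:00", "process_name": "cmd.exe", "process": "cmd.exe /c ping -n 1 fileserver",
     "parent_process_name": "winword.exe", "dest": "ws02"},
    {"_time": "2024-01-15T11:50:00", "process_name": "cmd.exe", "process": "cmd.exe /k dir",
     "parent_process_name": "explorer.exe", "dest": "ws01"},
    {"_time": "2024-01-15T11:55:00", "process_name": "powershell.exe", "process": "powershell.exe /c Get-Date",
     "parent_process_name": "explorer.exe", "dest": "ws03"},
]
# Constructed contents of the previously_seen_cmd_line_arguments lookup: process -> (firstTime, lastTime).
PREVIOUSLY_SEEN = {"cmd.exe /c whoami": (datetime(2023, 12, 1, 9, 0), datetime(2024, 1, 14, 17, 0))}
NOW = datetime(2024, 1, 15, 12, 0, 30)  # fixed stand-in for now() so the run is deterministic

def ts(s):
    return datetime.fromisoformat(s)

def matches_search(event):
    """The tstats where clause: process_name = cmd.exe and process = "* /c *".
    Splunk wildcard matching is case-insensitive, so compare lowercased."""
    return event["process_name"].lower() == "cmd.exe" and " /c " in event["process"].lower()

def refresh_lookup(events, lookup):
    """inputlookup append=t ... | stats min(firstTime) max(lastTime) by process | outputlookup:
    merge the new events into the lookup and return the updated copy."""
    merged = dict(lookup)
    for e in events:
        if matches_search(e):
            t = ts(e["_time"])
            first, last = merged.get(e["process"], (t, t))
            merged[e["process"]] = (min(first, t), max(last, t))
    return merged

def new_arguments(lookup, now, window_minutes=70):
    """newCmdLineArgument=1 when firstTime >= relative_time(now(), "-70m@m"):
    the cutoff is 70 minutes back, snapped to the minute."""
    cutoff = now.replace(second=0, microsecond=0) - timedelta(minutes=window_minutes)
    return sorted(p for p, (first, _) in lookup.items() if first >= cutoff)

def detect(events, lookup, now, allowed_parents=frozenset()):
    """Outer search: matching events whose process the subsearch flagged as new, grouped by
    process/parent/dest with firstTime/lastTime. allowed_parents plays the role of the
    filter macro the page recommends customizing to drop legitimate parent processes."""
    fresh = set(new_arguments(refresh_lookup(events, lookup), now))
    groups = {}
    for e in events:
        if matches_search(e) and e["process"] in fresh and e["parent_process_name"] not in allowed_parents:
            groups.setdefault((e["process"], e["parent_process_name"], e["dest"]), []).append(ts(e["_time"]))
    return [{"process": p, "parent_process_name": pp, "dest": d, "firstTime": min(v), "lastTime": max(v)}
            for (p, pp, d), v in sorted(groups.items())]
```

The whoami line is already in the lookup, so only the /c command first seen inside the 70-minute window surfaces; adding its parent to allowed_parents suppresses it the way the filter macro would.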