Techniques
Sample rules
Single Letter Process On Endpoint
- source: splunk
- technicques:
- T1204
- T1204.002
Description
The following analytic detects processes with names consisting of a single letter, which is often indicative of malware or an attacker attempting to evade detection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because attackers use such techniques to obscure their presence and carry out malicious activities like data theft or ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized access, data exfiltration, or system compromise. Immediate investigation is required to determine the legitimacy of the process.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == ".exe", 1, 0)
| search process_name_length=5 AND endExe=1
| table count, firstTime, lastTime, dest, user, process, process_name
| `single_letter_process_on_endpoint_filter`