single-letter executables are not always malicious. investigate this activity with your normal incident-response process.

Techniques

T1204.002

Sample rules

Single Letter Process On Endpoint

source: splunk
technicques:
- T1204.002

Description

The following analytic detects processes with names consisting of a single letter, which is often indicative of malware or an attacker attempting to evade detection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because attackers use such techniques to obscure their presence and carry out malicious activities like data theft or ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized access, data exfiltration, or system compromise. Immediate investigation is required to determine the legitimacy of the process.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
  from datamodel=Endpoint.Processes where
  Processes.process_name IN (
    "_.exe",
    "-.exe",
    ",.exe",
    ";.exe",
    "!.exe",
    "'.exe"
    "(.exe",
    "(.exe",
    ").exe",
    ").exe",
    "@.exe",
    "&.exe",
    "#.exe",
    "%.exe",
    "`.exe",
    "^.exe",
    "+.exe",
    "=.exe",
    "~.exe",
    "$.exe",
    "0.exe",
    "1.exe",
    "2.exe",
    "3.exe",
    "4.exe",
    "5.exe",
    "6.exe",
    "7.exe",
    "8.exe",
    "9.exe",
    "a.exe",
    "b.exe",
    "c.exe",
    "d.exe",
    "e.exe",
    "f.exe",
    "g.exe",
    "h.exe",
    "i.exe",
    "j.exe",
    "k.exe",
    "l.exe",
    "m.exe",
    "N.exe",
    "o.exe",
    "p.exe",
    "q.exe",
    "r.exe",
    "s.exe",
    "t.exe",
    "u.exe",
    "v.exe",
    "w.exe",
    "x.exe",
    "y.exe",
    "z.exe",
  )
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process
   Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
   Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`

| `security_content_ctime(lastTime)`

| `security_content_ctime(firstTime)`

| `single_letter_process_on_endpoint_filter`