LoFP LoFP / some legitimate processes may be only rarely executed in your environment. apply additional filters as needed.

Techniques

Sample rules

Detect Rare Executables

Description

The following analytic detects the execution of rare processes that appear only once across the network within a specified timeframe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant for a SOC as it helps identify potentially malicious activities or unauthorized software, which could indicate a security breach or ongoing attack. If confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact. The search currently identifies processes executed on fewer than 10 hosts, but this threshold can be adjusted based on the organization’s environment and risk tolerance. The search groups results by process name which can lead to blind spots if a malicious process uses a common name. To mitigate this, consider enhancing the detection logic to group by additional attributes such as process hash.

Detection logic


| tstats `security_content_summariesonly`
  dc(Processes.dest) as dc_dest
  values(Processes.dest) as dest
  values(Processes.user) as user
  min(_time) as firstTime
  max(_time) as lastTime
  latest(Processes.action) as action
  values(Processes.original_file_name) as original_file_name
  values(Processes.parent_process) as parent_process
  values(Processes.parent_process_exec) as parent_process_exec
  latest(Processes.parent_process_guid) as parent_process_guid
  latest(Processes.parent_process_id) as parent_process_id
  values(Processes.parent_process_name) as parent_process_name
  values(Processes.parent_process_path) as parent_process_path
  values(Processes.process) as process
  values(Processes.process_exec) as process_exec
  latest(Processes.process_guid) as process_guid
  values(Processes.process_hash) as process_hash
  values(Processes.process_path) as process_path
  latest(Processes.process_id) as process_id
  latest(Processes.process_integrity_level) as process_integrity_level
  latest(Processes.user_id) as user_id
  latest(Processes.vendor_product) as vendor_product
from datamodel=Endpoint.Processes
by Processes.process_name

| `drop_dm_object_name(Processes)`

| search dc_dest < 10

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `detect_rare_executables_filter`