Techniques
Sample rules
Detect Prohibited Applications Spawning cmd exe
- source: splunk
- techniques:
- T1059
- T1059.003
Description
This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search [`prohibited_apps_launching_cmd_macro`]
| `detect_prohibited_applications_spawning_cmd_exe_filter`
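To make the pipeline concrete, here is an added example (not part of this rule page and not Splunk's own code) that emulates the tstats aggregation and the trailing search step in plain Python over a handful of constructed endpoint process events. The definitions of the `process_cmd` and `prohibited_apps_launching_cmd_macro` macros are not on the page, so two assumptions are made: `process_cmd` is treated as a match on cmd.exe by process name or original file name, and the prohibited parent list is an illustrative set named PROHIBITED_PARENTS. The `drop_dm_object_name` and `security_content_ctime` steps only strip the `Processes.` prefix and format the epoch times, so the emulation works with bare field names and raw epoch values.

```python
"""Added example: plain-Python emulation of the Splunk detection above.
Not the page's or Splunk's code; macro contents are assumed (see comments)."""
from collections import defaultdict

# Assumption: stand-in for `prohibited_apps_launching_cmd_macro`, whose real
# contents are not on the page. Office-style apps that rarely need a shell.
PROHIBITED_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Constructed sample events, shaped like the Endpoint.Processes fields used
# in the by-clause plus `process` and `_time`.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "parent_process_name": "winword.exe", "process_name": "cmd.exe",
     "original_file_name": "Cmd.Exe", "dest": "ws01", "user": "alice",
     "process": "cmd.exe /c dir"},
    {"_time": 1700000060, "parent_process_name": "winword.exe", "process_name": "cmd.exe",
     "original_file_name": "Cmd.Exe", "dest": "ws01", "user": "alice",
     "process": "cmd.exe /c ipconfig"},
    {"_time": 1700000120, "parent_process_name": "explorer.exe", "process_name": "cmd.exe",
     "original_file_name": "Cmd.Exe", "dest": "ws02", "user": "bob",
     "process": "cmd.exe"},
    {"_time": 1700000180, "parent_process_name": "excel.exe", "process_name": "powershell.exe",
     "original_file_name": "PowerShell.EXE", "dest": "ws03", "user": "carol",
     "process": "powershell.exe -nop"},
]

BY_FIELDS = ("parent_process_name", "process_name", "original_file_name", "dest", "user")


def is_cmd(event):
    """Assumed stand-in for the `process_cmd` macro: match cmd.exe by process
    name or by the PE original file name (catches a renamed binary)."""
    return (event["process_name"].lower() == "cmd.exe"
            or event["original_file_name"].lower() == "cmd.exe")


def aggregate_cmd_launches(events):
    """Emulate the tstats clause: filter on `process_cmd`, group by BY_FIELDS and
    compute count, values(process), min(_time) as firstTime, max(_time) as lastTime."""
    groups = defaultdict(lambda: {"count": 0, "process": set(),
                                  "firstTime": None, "lastTime": None})
    for ev in events:
        if not is_cmd(ev):
            continue
        key = tuple(ev[f].lower() if f.endswith("_name") else ev[f] for f in BY_FIELDS)
        g = groups[key]
        g["count"] += 1
        g["process"].add(ev["process"])
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    rows = []
    for key, g in groups.items():
        row = dict(zip(BY_FIELDS, key))
        row.update(count=g["count"], process=sorted(g["process"]),
                   firstTime=g["firstTime"], lastTime=g["lastTime"])
        rows.append(row)
    return rows


def detect_prohibited_parents(events, prohibited=PROHIBITED_PARENTS):
    """Emulate the trailing `| search [...]` step: keep only aggregated rows whose
    parent process is in the prohibited list. The final `_filter` macro (site
    specific allow-listing) is left as a no-op here."""
    return [row for row in aggregate_cmd_launches(events)
            if row["parent_process_name"] in prohibited]


if __name__ == "__main__":
    for row in detect_prohibited_parents(SAMPLE_EVENTS):
        print(row)
```

Running the block prints one row: the two cmd.exe launches from winword.exe on ws01 collapse into a single result with count 2 and both command lines, while the explorer.exe parent is aggregated but dropped by the prohibited-parent search and the powershell.exe child never matches `process_cmd`. The matching on `original_file_name` is the part worth keeping in mind when tuning: it is what lets the rule still fire when cmd.exe has been copied under another name.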