LoFP / this model is an anomaly detector that identifies usage of apis and scripting constructs that are correllated with malicious activity. these apis and scripting constructs are part of the programming langauge and advanced scripts may generate false positives.

Techniques

• T1059.003

Sample rules

Potentially malicious code on commandline

• source: splunk
• technicques:
  • T1059.003

Description

The following analytic detects potentially malicious command lines using a pretrained machine learning text classifier. It identifies unusual keyword combinations in command lines, such as “streamreader,” “webclient,” “mutex,” “function,” and “computehash,” which are often associated with adversarial PowerShell code execution for C2 communication. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command lines longer than 200 characters. This activity is significant as it can indicate an attempt to execute malicious scripts, potentially leading to unauthorized code execution, data exfiltration, or further system compromise.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel="Endpoint.Processes" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest  
| `drop_dm_object_name(Processes)`  
| where len(process) > 200 
| `potentially_malicious_code_on_cmdline_tokenize_score` 
| apply unusual_commandline_detection 
| eval score='predicted(unusual_cmdline_logits)', process=orig_process 
| fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process 
| where score > 0.5 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `potentially_malicious_code_on_commandline_filter`