Techniques
Sample rules
Potentially malicious code on commandline
- source: splunk
- technicques:
- T1059.003
Description
The following analytic detects potentially malicious command lines using a pretrained machine learning text classifier. It identifies unusual keyword combinations in command lines, such as “streamreader,” “webclient,” “mutex,” “function,” and “computehash,” which are often associated with adversarial PowerShell code execution for C2 communication. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command lines longer than 200 characters. This activity is significant as it can indicate an attempt to execute malicious scripts, potentially leading to unauthorized code execution, data exfiltration, or further system compromise.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.original_file_name) as original_file_name values(Processes.action) as action values(Processes.parent_process_exec) as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid values(Processes.parent_process_id) as parent_process_id values(Processes.parent_process_path) as parent_process_path values(Processes.process_exec) as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash) as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level) as process_integrity_level values(Processes.process_name) as process_name values(Processes.process_path) as process_path values(Processes.user) as user values(Processes.user_id) as user_id values(Processes.vendor_product) as vendor_product from datamodel="Endpoint.Processes" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest
| `drop_dm_object_name(Processes)`
| where len(process) > 200
| `potentially_malicious_code_on_cmdline_tokenize_score`
| apply unusual_commandline_detection
| eval score='predicted(unusual_cmdline_logits)', process=orig_process
| fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process
| where score > 0.5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `potentially_malicious_code_on_commandline_filter`