Techniques
Sample rules
Potentially malicious code on commandline
- source: splunk
- techniques:
  - T1059.003
Description
The following analytic uses a pretrained machine learning text classifier to detect potentially malicious commandlines. The model identifies unusual combinations of keywords found in samples of commandlines where adversaries executed PowerShell code, primarily for C2 communication. For example, adversaries will leverage IO capabilities such as “streamreader” and “webclient”, threading capabilities such as “mutex” locks, programmatic constructs like “function” and “catch”, and cryptographic operations like “computehash”. Although any one of these keywords may appear in a commandline script, the combinations of keywords observed in attack data are not typically found in normal usage of the commandline. The model will output a score where all values above zero are suspicious, anything greater than one particularly so.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel="Endpoint.Processes" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest
| `drop_dm_object_name(Processes)`
| where len(process) > 200
| `potentially_malicious_code_on_cmdline_tokenize_score`
| apply unusual_commandline_detection
| eval score='predicted(unusual_cmdline_logits)', process=orig_process
| fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process
| where score > 0.5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `potentially_malicious_code_on_commandline_filter`
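The keyword-combination idea from the description, as an added sketch for triaging or testing the rule offline; it is not Splunk's pretrained model or code. The grouping of keywords, the `MIN_GROUPS` cut-off and all sample command lines are assumptions constructed for this example; only the keywords and the 200-character gate come from the page.

```python
import re

# Keyword groups come from the rule description; the grouping and MIN_GROUPS
# are assumptions of this sketch, not parameters of the Splunk model.
KEYWORD_GROUPS = {
    "io": {"streamreader", "webclient"},
    "threading": {"mutex"},
    "construct": {"function", "catch"},
    "crypto": {"computehash"},
}
MIN_LENGTH = 200  # mirrors `where len(process) > 200` in the search
MIN_GROUPS = 3    # assumed cut-off for an "unusual combination"

def groups_hit(cmdline):
    """Return the keyword groups with at least one token in the command line."""
    tokens = set(re.findall(r"[a-z]+", cmdline.lower()))
    return sorted(g for g, words in KEYWORD_GROUPS.items() if tokens & words)

def is_suspicious(cmdline):
    """Apply the length gate first, then require several groups to co-occur."""
    return len(cmdline) > MIN_LENGTH and len(groups_hit(cmdline)) >= MIN_GROUPS

# Constructed sample command lines (not taken from real telemetry).
SAMPLES = {
    "backup": "robocopy.exe C:\\src D:\\dst /MIR /R:2 /W:5 /XD "
              + " ".join(f"C:\\src\\cache{i:02d}" for i in range(20)),
    "admin_script": "powershell.exe -NoProfile -Command \"function Get-Report { try { "
              "Get-ChildItem C:\\Reports -Recurse | Where-Object Length -gt 1MB | "
              "Sort-Object Length | Select-Object -First 25 FullName, Length | "
              "Export-Csv C:\\Reports\\large.csv -NoTypeInformation } "
              "catch { Write-Error $_ } }; Get-Report\"",
    "keyword_mix": "powershell.exe -NoProfile -Command \"function Sync-Data { try { "
              "$m = New-Object Threading.Mutex($false, 'constructed-sample'); "
              "$c = New-Object Net.WebClient; "
              "$r = New-Object IO.StreamReader($c.OpenRead('http://example.invalid/')); "
              "[Security.Cryptography.SHA256]::Create().ComputeHash("
              "[Text.Encoding]::UTF8.GetBytes($r.ReadToEnd())) } catch { } }\"",
    "short_mix": "powershell -c \"function f { try { Net.WebClient; Mutex } catch { } }\"",
}

def triage(samples):
    """Map each sample name to (length, groups hit, verdict)."""
    return {n: (len(c), groups_hit(c), is_suspicious(c)) for n, c in samples.items()}

if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(name, result)
```

Only `keyword_mix` is flagged: `admin_script` is long but hits a single group, and `short_mix` hits three groups but never reaches the scoring step because of the length gate, a coverage limit to keep in mind when tuning the search.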