Uncommon Processes On Endpoint

Description

This search looks for applications on the endpoint that you have marked as uncommon.

Content Mapping

This content is not mapped to any local saved search.

Use Case

Security Monitoring

Category

Unauthorized Software

Alert Volume


SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

User Execution

Malicious File

MITRE Threat Groups

APT-C-36
APT12
APT19
APT28
APT29
APT30
APT32
APT33
APT37
APT39
BRONZE BUTLER
BlackTech
Cobalt Group
Dark Caracal
DarkHydrus
Darkhotel
Dragonfly 2.0
Elderwood
FIN4
FIN6
FIN7
FIN8
Frankenstein
Gallmaker
Gamaredon Group
Gorgon Group
Inception
Lazarus Group
Leviathan
Machete
Magic Hound
Mofang
Molerats
MuddyWater
Naikon
OilRig
PLATINUM
PROMETHIUM
Patchwork
RTM
Rancor
Sandworm Team
Sharpshooter
Silence
TA459
TA505
The White Company
Tropic Trooper
Whitefly
Windshift
Wizard Spider
admin@338
menuPass

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response


Uncommon Processes On Endpoint Help

You must be ingesting data that records process activity from your hosts so that the Processes node of the Endpoint data model is populated. The ingested logs must carry both the process name and the full command line from your endpoints; the command line is mapped to the "process" field in the Endpoint data model. This search uses the lookup file uncommon_processes_default.csv, which tracks features of process names that are uncommon in most environments. To hunt for processes that are uncommon in your own environment, maintain the local override file uncommon_processes_local.csv rather than editing the default lookup.
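The search below is an added illustration of the approach this content describes, not the search shipped with it: it pulls process name and command line from the Endpoint data model and keeps only process names listed in the local lookup. It assumes uncommon_processes_local.csv has a `process_name` column; the field names used are otherwise standard CIM Endpoint fields.

```spl
| tstats summariesonly=true count min(_time) AS firstTime max(_time) AS lastTime
    values(Processes.process) AS process
    FROM datamodel=Endpoint.Processes
    BY Processes.dest Processes.user Processes.process_name
| rename Processes.* AS *
| search [| inputlookup uncommon_processes_local.csv | fields process_name]
| convert ctime(firstTime) ctime(lastTime)
| sort - count
```

Review the `process` (command line) values per host before treating a hit as unauthorized software: an uncommon name running with a benign, expected command line is often a locally approved tool that belongs in an allow-list rather than in the lookup.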