-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2021-01-002.yaml
29 lines (29 loc) · 1.39 KB
/
CAR-2021-01-002.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
---
title: Unusually Long Command Line Strings
submission_date: 2020/11/27
information_domain: 'Host'
platforms:
- Windows
subtypes:
- Process
analytic_types:
- Anomaly
contributors:
- Cyware Labs
id: CAR-2021-01-002
description: |-
Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands.
coverage:
- technique: T1059
coverage: Low
tactics:
- TA0002
implementations:
- name: Splunk search - Identifying possible malware activity via unusually long command line strings
description: This is a Splunk query that determines the average length of a command per user and searches for a command string that is multiple times longer than the average length
code: |-
index=* sourcetype="xmlwineventlog" EventCode=4688 |eval cmd_len=len(CommandLine) | eventstats avg(cmd_len) as avg by host| stats max(cmd_len) as maxlen, values(avg) as avgperhost by host, CommandLine | where maxlen > 10*avgperhost
data_model: Sysmon native
type: Splunk
data_model_references:
- process/create/command_line