-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2014-11-002.yaml
50 lines (45 loc) · 2.02 KB
/
CAR-2014-11-002.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
---
title: Outlier Parents of Cmd
submission_date: 2014/11/06
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- Anomaly
- TTP
contributors:
- MITRE
id: CAR-2014-11-002
description: |
Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning `cmd.exe` by looking for programs that do not normally create `cmd.exe`.
While this analytic does not take the user into account, doing so could generate further interesting results.
It is very common for some programs to spawn cmd.exe as a subprocess, for example to run batch files or windows commands. However many process don’t routinely launch a command prompt – for example Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.
### Output Description
The time and host the new process was started as well as its parent
coverage:
- technique: T1059
tactics:
- TA0002
subtechniques:
- T1059.003
coverage: Moderate
implementations:
- description: 'Create a baseline of parents of `cmd.exe` seen over the last 30 days and a list of parents of `cmd.exe` seen today. Remove parents in the baseline from parents seen today, leaving a list of new parents.'
code: |
processes = search Process:Create
cmd = filter processes where (exe == "cmd.exe")
cmd = from cmd select parent_exe
historic_cmd = filter cmd (where timestamp < now - 1 day AND timestamp > now - 1 day)
current_cmd = filter cmd (where timestamp >= now - 1 day)
new_cmd = historic_cmd - current_cmd
output new_cmd
type: pseudocode
data_model_references:
- process/create/exe
- process/create/parent_exe
d3fend_mappings:
- iri: d3f:ProcessLineageAnalysis
id: D3-PLA
label: Process Lineage Analysis