Skip to content

Commit 374a272

Browse files
committed
udpating search
1 parent 80d1b81 commit 374a272

1 file changed

Lines changed: 39 additions & 5 deletions

File tree

detections/endpoint/suspicious_process_executed_from_container_file.yml

Lines changed: 39 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
name: Suspicious Process Executed From Container File
22
id: d8120352-3b62-411c-8cb6-7b47584dd5e8
3-
version: 11
3+
version: 12
44
creation_date: '2023-07-11'
5-
modification_date: '2026-05-13'
5+
modification_date: '2026-07-09'
66
author: Steven Dick
77
status: production
88
type: TTP
@@ -11,7 +11,37 @@ data_source:
1111
- Sysmon EventID 1
1212
- Windows Event Log Security 4688
1313
- CrowdStrike ProcessRollup2
14-
search: '| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.ZIP\\*","*.ISO\\*","*.IMG\\*","*.CAB\\*","*.TAR\\*","*.GZ\\*","*.RAR\\*","*.7Z\\*") AND Processes.action="allowed" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$" | rex field=process "(?i).+\\\\(?<file_name>[^\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?<process_name>.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`'
14+
search: |-
15+
| tstats `security_content_summariesonly`
16+
count
17+
values(Processes.process_name) as process_name
18+
min(_time) as firstTime
19+
max(_time) as lastTime
20+
from datamodel=Endpoint.Processes
21+
where Processes.process IN (
22+
"*.ZIP\\*",
23+
"*.ISO\\*",
24+
"*.IMG\\*",
25+
"*.CAB\\*",
26+
"*.TAR\\*",
27+
"*.GZ\\*",
28+
"*.RAR\\*",
29+
"*.7Z\\*"
30+
)
31+
AND Processes.action="allowed"
32+
by
33+
Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.process_name Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_path Processes.user Processes.user_id Processes.vendor_product
34+
35+
| `drop_dm_object_name(Processes)`
36+
37+
| regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX|HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$"
38+
39+
| rex field=process "(?i).+\\\\(?<file_name>[^\\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?<container_file_name>.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX|HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"
40+
41+
| `security_content_ctime(firstTime)`
42+
| `security_content_ctime(lastTime)`
43+
44+
| `suspicious_process_executed_from_container_file_filter`
1545
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
1646
known_false_positives: Various business process or userland applications and behavior.
1747
references:
@@ -28,7 +58,7 @@ drilldown_searches:
2858
earliest_offset: 7d
2959
latest_offset: "0"
3060
finding:
31-
title: A suspicious process $process_name$ was launched from $file_name$ on $dest$.
61+
title: A suspicious file [$container_file_name$] was launched from container file [$file_name$] by process [$process_name$] on [$dest$].
3262
entity:
3363
field: user
3464
type: user
@@ -38,10 +68,14 @@ intermediate_findings:
3868
- field: dest
3969
type: system
4070
score: 50
41-
message: A suspicious process $process_name$ was launched from $file_name$ on $dest$.
71+
message: A suspicious file [$container_file_name$] was launched from container file [$file_name$] by process [$process_name$] on [$dest$].
4272
threat_objects:
73+
- field: process_name
74+
type: process_name
4375
- field: file_name
4476
type: file_name
77+
- field: container_file_name
78+
type: file_name
4579
analytic_story:
4680
- APT37 Rustonotto and FadeStealer
4781
- GhostRedirector IIS Module and Rungan Backdoor

0 commit comments

Comments
 (0)