Splunk Lantern

Uncommon processes on an endpoint

Uncommon applications on an endpoint can be a sign of an attack. You want to search for unexpected applications on endpoints on your network so you can verify that they are legitimate. 

Data required 

Endpoint data

Procedure

  1. To complete this process, your deployment needs to ingest endpoint data that tracks process activity from your hosts, with logs that include both the process name and the command line. You should also ensure you are ingesting normalized endpoint data that populates the Processes node of the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  2. Define the `uncommon_processes` macro in your deployment, or replace it in the search below with the SPL found here instead. The macro loads a lookup with a list of uncommon processes such as sethc.exe, utilman.exe, osk.exe, magnify.exe, narrator.exe, displayswitch.exe, atbroker.exe, and quser.exe.
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
|tstats summariesonly=true allow_old_summaries=true count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY Processes.dest Processes.user Processes.process Processes.process_name 
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime) 
|rename "Processes.*" as "*" 
|`uncommon_processes` 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: |tstats summariesonly=true allow_old_summaries=true count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY Processes.dest Processes.user Processes.process Processes.process_name
Explanation: Query the Endpoint.Processes data model object for destination, user, process command line, and process name.

Splunk Search: |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime)
               |convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
Explanation: Convert these epoch times into readable strings.

Splunk Search: |rename "Processes.*" as "*"
Explanation: Rename the data model object fields for better readability.

Splunk Search: |`uncommon_processes`
Explanation: Run a macro that loads a lookup with a list of uncommon processes. You must first define this macro in your deployment or use the SPL found here instead.

Next steps

This search returns the number of times, as well as the first and last time, each process has been seen running for each endpoint and user, and then displays only those processes that are marked as uncommon in the uncommon_processes_default.csv lookup. Update the uncommon_processes_local.csv lookup file as necessary to hunt for processes that are uncommon in your environment. The process lookup table ships with our latest security content package, or can be downloaded here.
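The aggregate-then-filter logic of the search above and the default/local lookup merge described in this section, rewritten as an added Python example (not the page's or Splunk's own code) that runs over a few constructed process events. The event dicts and the two lookup sets are assumptions standing in for the Endpoint.Processes data model, uncommon_processes_default.csv and uncommon_processes_local.csv.

```python
from datetime import datetime, timezone

# Constructed sample endpoint process events, shaped like the fields the search
# pulls from the Endpoint.Processes data model (assumption: one dict per event).
EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "alice", "process_name": "chrome.exe", "process": "chrome.exe --profile-directory=Default"},
    {"_time": 1700000300, "dest": "ws01", "user": "SYSTEM", "process_name": "sethc.exe", "process": "sethc.exe"},
    {"_time": 1700003600, "dest": "ws01", "user": "SYSTEM", "process_name": "sethc.exe", "process": "sethc.exe"},
    {"_time": 1700000900, "dest": "ws02", "user": "bob", "process_name": "Utilman.exe", "process": "Utilman.exe"},
    {"_time": 1700001200, "dest": "ws02", "user": "bob", "process_name": "legacytool.exe", "process": "legacytool.exe /q"},
]

# Stand-ins (constructed) for uncommon_processes_default.csv, using the list named
# on the page, and uncommon_processes_local.csv, holding site-specific additions.
DEFAULT_LOOKUP = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                  "narrator.exe", "displayswitch.exe", "atbroker.exe", "quser.exe"}
LOCAL_LOOKUP = {"legacytool.exe"}

TIMEFORMAT = "%m/%d/%Y %H:%M:%S"
GROUP_BY = ("dest", "user", "process", "process_name")

def ctime(epoch):
    """Equivalent of | convert timeformat=... ctime(field); UTC is assumed here."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TIMEFORMAT)

def aggregate(events):
    """Equivalent of the tstats stage: count, min(_time), max(_time) BY the GROUP_BY fields."""
    stats = {}
    for ev in events:
        key = tuple(ev[f] for f in GROUP_BY)
        row = stats.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return [dict(zip(GROUP_BY, key), **row) for key, row in stats.items()]

def uncommon_processes(rows, default=DEFAULT_LOOKUP, local=LOCAL_LOOKUP):
    """Stand-in for the `uncommon_processes` macro: keep only rows whose process_name is in
    either lookup. Matching is case-insensitive because Windows process names vary in case."""
    watch = {name.lower() for name in default | local}
    return [dict(r, firstTime=ctime(r["firstTime"]), lastTime=ctime(r["lastTime"]))
            for r in rows if r["process_name"].lower() in watch]

if __name__ == "__main__":
    for row in uncommon_processes(aggregate(EVENTS)):
        print(row)
```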

For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.

You might also be interested in other processes associated with the Monitoring for signs of Windows privilege escalation attacks use case.