New command line processes indicate new programs that might or might not be legitimate. You want to create a lookup file of known processes that you can use to check against new ones found in command line arguments to decide if further investigation is necessary.
- To complete this process, your deployment needs to ingest process activity from your hosts, using logs that carry both the process name and the full command line from your endpoints. You should also ensure you are ingesting normalized endpoint data that populates the Processes node of the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
|tstats summariesonly=true allow_old_summaries=true min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name=cmd.exe AND Processes.process="* /c *" BY Processes.process |rename "Processes.*" as "*"
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|tstats summariesonly=true allow_old_summaries=true min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name=cmd.exe AND Processes.process="* /c *" BY Processes.process
Query the Endpoint.Processes data model object for the process name "cmd.exe" and a command line that includes the /c switch, which tells cmd.exe to run the command string that follows and then exit. Group by the full command line and return the first and last time that each matching command line was seen.
|rename "Processes.*" as "*"
Strip the "Processes." data model prefix from the returned field names for better readability.
After you create this baseline, you can look for new command line arguments that might indicate a threat.
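The aggregation the search performs, and the follow-up comparison of new events against the baseline, can be reproduced outside Splunk to see exactly what the lookup will contain. The following Python is an added example, not code from the original page or from Splunk; it runs on constructed sample events whose fields mirror the Endpoint.Processes fields the search uses (_time, process_name, process), and the file paths and command lines in the sample data are made up.

```python
"""Added example (not Splunk's code): build a baseline of cmd.exe /c command
lines from constructed endpoint process events, then flag command lines that
are not yet in that baseline, mirroring the tstats search on this page."""

# Constructed sample events shaped like Endpoint.Processes rows:
# (_time as epoch seconds, process_name, process = full command line)
BASELINE_EVENTS = [
    (1700000000, "cmd.exe", 'cmd.exe /c "C:\\scripts\\backup.bat"'),
    (1700003600, "cmd.exe", 'cmd.exe /c "C:\\scripts\\backup.bat"'),
    (1700007200, "cmd.exe", "cmd.exe /c whoami"),
    (1700010800, "powershell.exe", "powershell.exe -nop -c whoami"),
    (1700014400, "cmd.exe", "cmd.exe /k dir"),  # /k, not /c: excluded
]

# Constructed events arriving after the baseline was written
NEW_EVENTS = [
    (1700100000, "cmd.exe", "cmd.exe /c whoami"),                      # baselined
    (1700100100, "cmd.exe", 'cmd.exe /c "C:\\scripts\\cleanup.bat"'),  # not baselined
    (1700100200, "cmd.exe", "cmd.exe /k dir"),                         # no /c: ignored
]


def matches_search(process_name, process):
    """Mirror the WHERE clause: process_name=cmd.exe AND process="* /c *".
    Case is folded here (an assumption of this example) so that CMD.EXE and
    cmd.exe are treated alike; the surrounding spaces in " /c " keep the
    wildcard from matching a bare "/c" glued to another token."""
    return process_name.lower() == "cmd.exe" and " /c " in process.lower()


def build_baseline(events):
    """Mirror the tstats aggregation: per distinct command line (BY process),
    keep min(_time) as firstTime and max(_time) as lastTime.  The result is
    the content you would write to the lookup file."""
    baseline = {}
    for t, name, cmdline in events:
        if not matches_search(name, cmdline):
            continue
        first, last = baseline.get(cmdline, (t, t))
        baseline[cmdline] = (min(first, t), max(last, t))
    return baseline


def find_new_command_lines(baseline, events):
    """Return (time, command line) pairs for cmd.exe /c events whose command
    line is absent from the baseline; these are the candidates for further
    investigation."""
    return [
        (t, cmdline)
        for t, name, cmdline in events
        if matches_search(name, cmdline) and cmdline not in baseline
    ]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for cmdline, (first, last) in sorted(baseline.items()):
        print(f"baseline: firstTime={first} lastTime={last} process={cmdline}")
    for t, cmdline in find_new_command_lines(baseline, NEW_EVENTS):
        print(f"NEW at {t}: {cmdline}")
```

In Splunk the same split is done by writing the baseline with outputlookup and, in the scheduled search, testing each new Processes.process value against that lookup; the functions above show which rows survive each step.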
For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.
You might also be interested in other processes associated with the Detecting techniques in the Orangeworm attack group and Monitoring command line interface actions use cases.