SPL · Apache-2.0 · from splunk/security_content

High Process Termination Frequency

The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss.

Quality: 67
Rule source: detections/endpoint/high_process_termination_frequency.yml
`sysmon` EventCode=5
  | bin _time span=3s
  | stats values(process) as process values(process_exec) as process_exec values(process_guid) as process_guid values(process_id) as process_id values(process_name) as process_name values(process_path) as process_path values(user_id) as user_id min(_time) as firstTime max(_time) as lastTime count
    BY _time dest EventCode ProcessID signature signature_id vendor_product
  | where count >= 15
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `high_process_termination_frequency_filter`
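The search above buckets Sysmon EventCode 5 events into fixed 3-second bins per host and fires when a bin holds 15 or more terminations. The following Python is an added example, not code from splunk/security_content, that re-implements that bin/stats/where pipeline over constructed sample events so the behaviour can be inspected offline. Host names, process names, PIDs and the SID are made up. It also includes a sliding-window variant that is not part of the rule, to show the one edge case a fixed `bin` has: a burst of 16 terminations that straddles a bin boundary is split 8/8 and stays silent, while a true 3-second sliding window catches it.

```python
from collections import defaultdict

SPAN_SECONDS = 3   # mirrors `bin _time span=3s`
THRESHOLD = 15     # mirrors `where count >= 15`


def sample_events():
    """Constructed Sysmon EventCode 5 (process terminated) records, not real
    telemetry. Field names follow the Splunk fields used by the rule."""
    base = 1_700_000_001  # epoch seconds; chosen so `base` is itself a 3-second bin boundary
    events = []

    def add(host, tenths, name, pid):
        # timestamps are built from integer tenths of a second to avoid float drift
        events.append({"_time": base + tenths / 10, "dest": host, "EventCode": 5,
                       "process_name": name, "process_id": pid,
                       "user_id": "S-1-5-21-0000-0000-0000-1001"})  # constructed SID

    # host-a: 20 terminations within 1.9 s, all inside one bin -> fires
    for i in range(20):
        add("host-a", i, f"app{i % 4}.exe", 4000 + i)
    # host-b: 6 terminations spread over a minute -> ordinary activity, no alert
    for i in range(6):
        add("host-b", 100 * i, "chrome.exe", 5000 + i)
    # host-c: 16 terminations in 1.6 s straddling the bin boundary at base+30 (8 + 8) -> silent
    for i in range(16):
        add("host-c", 292 + i, "office.exe", 6000 + i)
    return events


def bin_time(t):
    """Equivalent of `bin _time span=3s`: floor the timestamp to the start of its 3-second bucket."""
    return int(t // SPAN_SECONDS) * SPAN_SECONDS


def detect_bursts(events, threshold=THRESHOLD):
    """Re-implements `stats ... BY _time dest EventCode | where count >= 15`.
    Returns one alert per (bin, host) that reaches the threshold."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 5:          # `sysmon` EventCode=5
            continue
        groups[(bin_time(ev["_time"]), ev["dest"])].append(ev)

    alerts = []
    for (bucket, dest), evs in sorted(groups.items()):
        if len(evs) >= threshold:
            alerts.append({
                "dest": dest,
                "bin_start": bucket,
                "count": len(evs),
                # values(process_name): distinct names in the bin
                "process_name": sorted({e["process_name"] for e in evs}),
                "firstTime": min(e["_time"] for e in evs),   # min(_time)
                "lastTime": max(e["_time"] for e in evs),    # max(_time)
            })
    return alerts


def detect_sliding(events, threshold=THRESHOLD, span=SPAN_SECONDS):
    """Sliding-window variant (not part of the rule): per host, flag the first run of
    `threshold` consecutive terminations whose first and last timestamps lie within
    `span` seconds. Catches bursts that a fixed bin splits across two buckets."""
    by_host = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") == 5:
            by_host[ev["dest"]].append(ev["_time"])
    hits = {}
    for dest, times in by_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= span:
                hits[dest] = times[i]   # start of the offending window
                break
    return hits


if __name__ == "__main__":
    evs = sample_events()
    for a in detect_bursts(evs):
        print(f"ALERT {a['dest']}: {a['count']} terminations in bin starting at {a['bin_start']} "
              f"({', '.join(a['process_name'])})")
    print("sliding-window hits:", sorted(detect_sliding(evs)))
```

Running it flags only host-a under the fixed-bin logic, exactly as the Splunk search would, while the sliding variant also reports host-c. When tuning this rule, the practical consequence is that the 3-second bin is a lower bound on sensitivity: a burst can take up to twice the span before it is guaranteed to land in one bucket, so a lower threshold or a `streamstats`-style sliding count is the lever if boundary-straddling bursts matter in your environment.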