← Library
splApache-2.0from splunk/security_content

Single Letter Process On Endpoint

The following analytic detects processes with names consisting of a single letter, which is often indicative of malware or an attacker attempting to evade detection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because attackers use such techniques to obscure their presence and carry out malicious activities like data theft or ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized access, data exfiltration, or system compromise. Immediate investigation is required to determine the legitimacy of the process.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/single_letter_process_on_endpoint.yml
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
  from datamodel=Endpoint.Processes where
  Processes.process_name IN (
    "_.exe",
    "-.exe",
    ",.exe",
    ";.exe",
    "!.exe",
    "'.exe"
    "(.exe",
    "(.exe",
    ").exe",
    ").exe",
    "@.exe",
    "&.exe",
    "#.exe",
    "%.exe",
    "`.exe",
    "^.exe",
    "+.exe",
    "=.exe",
    "~.exe",
    "$.exe",
    "0.exe",
    "1.exe",
    "2.exe",
    "3.exe",
    "4.exe",
    "5.exe",
    "6.exe",
    "7.exe",
    "8.exe",
    "9.exe",
    "a.exe",
    "b.exe",
    "c.exe",
    "d.exe",
    "e.exe",
    "f.exe",
    "g.exe",
    "h.exe",
    "i.exe",
    "j.exe",
    "k.exe",
    "l.exe",
    "m.exe",
    "N.exe",
    "o.exe",
    "p.exe",
    "q.exe",
    "r.exe",
    "s.exe",
    "t.exe",
    "u.exe",
    "v.exe",
    "w.exe",
    "x.exe",
    "y.exe",
    "z.exe",
  )
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process
   Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
   Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `single_letter_process_on_endpoint_filter`