Unusual Discovery Signal Alert with Unusual Process Command Line
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id, user.id and process.command_line entries.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2023/09/22"
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
host.id, user.id and process.command_line entries.
"""
from = "now-9m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Discovery Signal Alert with Unusual Process Command Line"
risk_score = 21
rule_id = "29ef5686-9b93-433e-91b5-683911094698"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Rule Type: Higher-Order Rule",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(
    "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or
    "0635c542-1b96-4335-9b47-126582d2c19a" or "6ea55c81-e2ba-42f2-a134-bccf857ba922" or
    "e0881d20-54ac-457f-8733-fe0bc5d44c55" or "06568a02-af29-4f20-929c-f3af281e41aa" or
    "c4e9ed3e-55a2-4309-a012-bc3c78dad10a" or "51176ed2-2d90-49f2-9f3d-17196428b169"
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Discovery Signal Alert with Unusual Process Command Line

This detection rule identifies anomalies in process command lines on Windows systems, which may indicate adversarial reconnaissance activities. Attackers often exploit legitimate discovery tools to gather system information stealthily. By monitoring unique combinations of host, user, and command line data, the rule flags deviations from normal behavior, helping analysts pinpoint potential threats early.

### Possible investigation steps

- Review the alert details to identify the specific host.id, user.id, and process.command_line that triggered the alert. This will help in understanding the context of the anomaly.
- Check the historical activity of the identified host.id and user.id to determine if the process.command_line has been executed previously and assess if this behavior is truly unusual.
- Investigate the process.command_line for any known malicious patterns or suspicious commands that could indicate reconnaissance or other adversarial activities.
- Correlate the alert with other security events or logs from the same host or user around the same time to identify any additional suspicious activities or patterns.
- Consult threat intelligence sources to see if the process.command_line or any associated indicators have been reported in recent threat campaigns or advisories.
- If necessary, isolate the affected host to prevent potential lateral movement or further compromise while the investigation is ongoing.

### False positive analysis

- Legitimate administrative tools may trigger alerts when used by IT staff for routine system checks. To manage this, create exceptions for known safe tools and processes frequently used by trusted users.
- Automated scripts or scheduled tasks that perform regular system audits can be flagged as unusual. Identify these scripts and add them to an allowlist to prevent unnecessary alerts.
- Software updates or installations that involve system discovery commands might be misidentified as threats. Monitor update schedules and exclude related processes during these times.
- Security software performing scans or inventory checks can mimic adversarial reconnaissance. Verify the processes associated with these tools and configure the rule to ignore them.
- New software deployments or changes in system configurations may temporarily alter normal command line behavior. Document these changes and adjust the rule settings to accommodate expected deviations.

### Response and remediation

- Isolate the affected host immediately to prevent further lateral movement or data exfiltration. Disconnect it from the network while maintaining power to preserve volatile data for forensic analysis.
- Terminate any suspicious processes identified by the alert, especially those with unusual command lines, to halt any ongoing malicious activity.
- Conduct a thorough review of the affected user's account for any unauthorized access or privilege escalation. Reset passwords and revoke any unnecessary permissions.
- Analyze the command line arguments and process execution context to understand the scope and intent of the reconnaissance activity. This may involve reviewing logs and correlating with other security events.
- Restore the affected system from a known good backup if any malicious changes or persistence mechanisms are detected. Ensure the backup is free from compromise.
- Update endpoint protection and intrusion detection systems with the latest threat intelligence to enhance detection capabilities against similar reconnaissance activities.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the activity is part of a larger attack campaign."""


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
```
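How the rule's new_terms evaluation behaves, as an added Python example that is not part of Elastic's rule or detection engine: it applies the rule's KQL filter, builds a baseline from the 14-day history window, and flags any host.id, user.id and process.command_line combination first seen in the last 9 minutes. The alert documents and timestamps are constructed sample data.

```python
"""Added example (not Elastic's code): offline model of how this new_terms rule
evaluates alerts. Field names/rule IDs come from the rule; sample alerts are constructed."""
from datetime import datetime, timedelta, timezone
DISCOVERY_RULE_IDS = {  # building-block rule IDs listed in the rule's query
    "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "7b8bfc26-81d2-435e-965c-d722ee397ef1",
    "0635c542-1b96-4335-9b47-126582d2c19a", "6ea55c81-e2ba-42f2-a134-bccf857ba922",
    "e0881d20-54ac-457f-8733-fe0bc5d44c55", "06568a02-af29-4f20-929c-f3af281e41aa",
    "c4e9ed3e-55a2-4309-a012-bc3c78dad10a", "51176ed2-2d90-49f2-9f3d-17196428b169",
}
NEW_TERMS_FIELDS = ("host.id", "user.id", "process.command_line")
HISTORY_WINDOW = timedelta(days=14)  # history_window_start = "now-14d"
LOOKBACK = timedelta(minutes=9)      # from = "now-9m"

def matches_query(alert):
    """The KQL filter: Windows signals emitted by one of the building-block rules."""
    return (alert.get("host.os.type") == "windows" and alert.get("event.kind") == "signal"
            and alert.get("kibana.alert.rule.rule_id") in DISCOVERY_RULE_IDS)

def new_terms_hits(alerts, now):
    """Alerts in the last 9 minutes whose new-terms tuple is absent from the prior 14 days."""
    history_start, lookback_start = now - HISTORY_WINDOW, now - LOOKBACK
    seen = set()
    for a in alerts:  # baseline terms come from the history window only
        if matches_query(a) and history_start <= a["event.ingested"] < lookback_start:
            seen.add(tuple(a[f] for f in NEW_TERMS_FIELDS))
    hits = []
    for a in alerts:  # timestamp_override = "event.ingested"
        if not matches_query(a) or not lookback_start <= a["event.ingested"] <= now:
            continue
        key = tuple(a[f] for f in NEW_TERMS_FIELDS)
        if key not in seen:
            hits.append(a)
            seen.add(key)  # a repeated new combination fires once per run
    return hits

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
def _alert(minutes_ago, host, user, cmd, os_type="windows"):
    return {"event.ingested": NOW - timedelta(minutes=minutes_ago), "event.kind": "signal",
            "host.os.type": os_type, "kibana.alert.rule.rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba",
            "host.id": host, "user.id": user, "process.command_line": cmd}

SAMPLE_ALERTS = [  # constructed sample data: minutes_ago, host, user, command line
    _alert(3 * 24 * 60, "wks-01", "S-1-5-21-1001", "whoami /all"),
    _alert(5, "wks-01", "S-1-5-21-1001", "whoami /all"),            # in baseline: not new
    _alert(4, "wks-01", "S-1-5-21-1001", "gpresult /z"),            # new command line
    _alert(2, "wks-02", "S-1-5-21-1001", "gpresult /z"),            # same line, new host
    _alert(1, "wks-03", "S-1-5-21-1002", "gpresult /z", "linux"),   # fails host.os.type filter
    _alert(20 * 24 * 60, "wks-04", "S-1-5-21-1003", "nltest /dclist:"),  # older than 14d
    _alert(6, "wks-04", "S-1-5-21-1003", "nltest /dclist:"),        # baseline expired: new
]
```

The baseline is rebuilt from the history window on every run, so a combination last seen more than 14 days ago fires again, which is the behaviour the false-positive section's allowlist advice is meant to absorb.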
Related rules
- Unusual Discovery Signal Alert with Unusual Process Executable
- Group Policy Discovery via Microsoft GPResult Utility
- Potential Enumeration via Active Directory Web Service
- AdFind Command Activity
- Enumeration of Administrator Accounts