sigma-rules/hunting/linux/docs/defense_evasion_via_capitalized_process_execution.md
Terrance DeJesus 70411664cf [Bug] Normalize Hunting Index Link Generation (#3872)
* normalizing hunting link generation

* replacing header

* adjusting quotes in f-strings

* added source file to metadata

* removed os dependency

* address bug in source file links

* reverting TOML loading

* change all List type hinting to list

* change all List type hinting to list

* fixed accented characters in queries

* reverted accent character removal; moved macos query and MD to macos folder
2024-07-10 11:01:59 -04:00


Defense Evasion via Capitalized Process Execution


Metadata

  • Author: Elastic

  • Description: This hunt identifies potential defense evasion techniques via capitalized process execution on Linux systems. It detects processes that have two or more consecutive capital letters within their names, which can indicate an attempt to evade detection. Such naming conventions are often used in malicious payloads to blend in with legitimate processes.

  • UUID: 9d485892-1ca2-464b-9e4e-6b21ab379b9a

  • Integration: endpoint

  • Language: [ES|QL]

  • Source File: Defense Evasion via Capitalized Process Execution

Query

from logs-endpoint.events.process-*
| where @timestamp > now() - 10 day
| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  (process.name rlike """[A-Z]{2,}[a-z]{1,}[0-9]{0,}""") or
  (process.name rlike """[A-Z]{1,}[0-9]{0,}""")
)
| stats cc = count(), host_count = count_distinct(host.name) by process.name
// Alter this threshold to make sense for your environment
| where cc <= 3 and host_count <= 3
| limit 100

Notes

  • Detects processes that have two or more consecutive capital letters within their names, with optional digits.
  • This technique is often used in malicious payloads, such as Metasploit payloads, to evade detection.
  • Thresholds of process count <= 3 and host count <= 3 are applied to eliminate processes that are common across many hosts in the environment.
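As an added example (not part of the hunt or of Elastic's detection-rules project), the following Python reproduces the query's logic over constructed sample events: the same two regular expressions, the 10-day window, the Linux "exec" start filter, aggregation by process.name, and the cc/host_count thresholds. It assumes the ECS field names used in the query and that ES|QL RLIKE matches the whole string (hence re.fullmatch rather than re.search). It also shows why the fleet-wide threshold matters: a capitalized name seen on many hosts is dropped, while rare ones surface for review.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Patterns copied from the hunt query. ES|QL RLIKE matches the entire string,
# so re.fullmatch() (not re.search()) is the equivalent Python call.
PATTERNS = [
    re.compile(r"[A-Z]{2,}[a-z]{1,}[0-9]{0,}"),  # e.g. "XYZabc", "OLDproc"
    re.compile(r"[A-Z]{1,}[0-9]{0,}"),           # e.g. "AB12", "PM2"
]

# Reference time for the "last 10 days" window (constructed, fixed for reproducibility).
NOW = datetime(2024, 7, 10, tzinfo=timezone.utc)


def _event(host, name, action="exec", etype="start", os_type="linux", age_days=1):
    """Build one constructed ECS-style process event (not real telemetry)."""
    return {
        "@timestamp": NOW - timedelta(days=age_days),
        "host.os.type": os_type,
        "host.name": host,
        "event.type": etype,
        "event.action": action,
        "process.name": name,
    }


# Constructed sample telemetry covering the cases the query distinguishes.
SAMPLE_EVENTS = [
    _event("web-01", "bash"),                           # lowercase: no match
    _event("web-01", "systemd-run"),                    # lowercase: no match
    _event("web-01", "XYZabc"),                         # rare, matches pattern 1
    _event("web-02", "AB12"),                           # rare, matches pattern 2
    _event("web-03", "OLDproc", age_days=30),           # matches, but outside the 10-day window
    _event("win-01", "SVCHOST", os_type="windows"),     # matches, but not Linux
    _event("web-01", "QQ", action="end", etype="end"),  # matches, but not an exec start
] + [
    # Fleet-wide process: matches the regex but is dropped by the host_count threshold
    _event(f"node-{i}", "PM2") for i in range(5)
]


def matches_capitalized_pattern(name: str) -> bool:
    """True when the process name satisfies either RLIKE pattern from the hunt."""
    return any(p.fullmatch(name) for p in PATTERNS)


def hunt(events, now=NOW, window_days=10, max_count=3, max_hosts=3):
    """Python equivalent of the ES|QL hunt: filter, aggregate by process.name,
    then keep only names with cc <= max_count and host_count <= max_hosts."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    cutoff = now - timedelta(days=window_days)
    for ev in events:
        if ev["@timestamp"] <= cutoff:  # "@timestamp > now() - 10 day"
            continue
        if (ev["host.os.type"] != "linux" or ev["event.type"] != "start"
                or ev["event.action"] != "exec"):
            continue
        name = ev["process.name"]
        if not matches_capitalized_pattern(name):
            continue
        counts[name] += 1
        hosts[name].add(ev["host.name"])
    # Equivalent of the final "where cc <= 3 and host_count <= 3"; tune per environment.
    return {
        name: {"cc": counts[name], "host_count": len(hosts[name])}
        for name in counts
        if counts[name] <= max_count and len(hosts[name]) <= max_hosts
    }


if __name__ == "__main__":
    for name, agg in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{name:10} cc={agg['cc']} host_count={agg['host_count']}")
```

Running it reports only XYZabc and AB12; PM2 is filtered by the host threshold even though its name matches, and the Windows, non-exec and stale events never reach the aggregation. Note that a name with a single capital followed by lowercase (for example "Abc") matches neither pattern, which is worth keeping in mind when tuning the expressions for your environment.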

MITRE ATT&CK Techniques

License

  • Elastic License v2