Blu3_Team

Previously I wrote about calculating duration but I stumbled across a better method. There are two key factors, time stamps in Splunk are numbers and Carbon Black has a process_guid that links the life of the process. We'll use these two things to make a much shorter search. Previous search index=edr event_type=proc process_path=*\\userinit.exe | stats values(type) as types values(_time) as timestamps values(process_path) as proc_path by process_guid | where mvcount(types)>1 | eval end_time=mvindex(timestamp,1) | eval start_time=mvindex(timestamp,0) | eval duration=end_time-start_time | table process_guid types duration timestamps proc_path New search index=edr event_type=proc process_path=*\\userinit.exe | stats range(_time) as duration values(command_line) count by computer_name process_guid As you can see it is much more compact and readable. References: https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/CommonStatsFunctions

Watching for suspicious scheduled tasks is always a good thing but there are a lot of them so some creative categorization will be needed. This method is just to view tasks as they execute, not as they are being created. Scheduled tasks should be the child process of svchost.exe so I started by breaking it into several different searches based on our normal suspicious scripting processes. Powershell.exe Cscript.exe Wscript.exe Mshta.exe Cmd.exe I'll use stats and pc counts again to self tune out those that are common to a given number of pcs. I run this back a couple of days so that the auto tuning kicks in. Wscript Tasks index=edr process_path=*\\wscript.exe parent_path=*\\svchost.exe | stats dc(computer_name) as pc_count values(computer_name) count by command_line | Where pc_count Add tuning as necessary to get rid of normal tasks and you "should" be able to get it down to a short list. Repeat with the other target children and add any others that yo...