Detect long running processes with netconn using Splunk subsearches
I have done a couple of posts on detecting C2 activity and on calculating process duration from Carbon Black data in Splunk. In this post I'll show a method of combining the two to detect network connections only from long-running processes. This hunt targets script processes, which can be a backdoor in themselves but are usually pretty noisy in the enterprise. It also helps close a detection gap in the way Carbon Black logs are presented: if a single process makes a long-running C2 connection, the only events seen are the procstart and procend, and between those two events any amount of data can be sent and received. The term "long running" is arbitrary; after experimenting, I moved the threshold down to 5 seconds since it was easily filtered and pretty quiet. This makes sense when you think about it: there should not be many scripts that run for minutes at a time and make external network connections. Let's start with a profiling search to find long runnin...
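As an added example (not a search from the original post), here is the combined hunt packaged as a scheduled alert in savedsearches.conf: the subsearch in brackets pairs procstart/procend events by process_guid to find scripting hosts that lived longer than 5 seconds, and the outer search keeps only netconn events from those GUIDs. The index name "carbonblack" and the field names type, process_guid, path, computer_name, remote_ip and remote_port are assumed to match a Carbon Black event-forwarder feed; adjust them to your own sourcetype.

```ini
# Added example, not from the original post. Assumes index "carbonblack"
# holds Carbon Black event-forwarder data with the fields type,
# process_guid, path, computer_name, remote_ip and remote_port.
[Netconn from long-running script process]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now
# Outer search: netconn events, restricted to the GUIDs the subsearch returns.
# Subsearch: procstart + procend for scripting hosts, lifetime = procend - procstart;
# "events >= 2" drops processes where only one of the two events is in the window.
# Splunk rewrites the subsearch result as (process_guid="..." OR process_guid="...").
search = index=carbonblack type="ingress.event.netconn" \
    [ search index=carbonblack (type="ingress.event.procstart" OR type="ingress.event.procend") \
        (path="*\\wscript.exe" OR path="*\\cscript.exe" OR path="*\\powershell.exe" OR path="*\\mshta.exe") \
      | stats min(_time) AS started max(_time) AS ended count AS events BY process_guid \
      | where events >= 2 AND (ended - started) > 5 \
      | fields process_guid ] \
    | stats earliest(_time) AS first_conn latest(_time) AS last_conn count AS connections \
            values(remote_ip) AS remote_ips values(remote_port) AS remote_ports \
        BY computer_name process_guid path \
    | convert ctime(first_conn) ctime(last_conn)
alert.severity = 4
counttype = number of events
relation = greater than
quantity = 0
```

Two things to watch: the subsearch only sees processes whose procstart and procend both fall inside the dispatch window, so widen it if you care about processes that live longer than the window, and a subsearch silently truncates at its result limit (10,000 rows by default), so check the job log for the truncation warning when the script population is large.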