Lee Kirkpatrick

Detecting Rare Windows Processes

Blog Post created by Lee Kirkpatrick Employee on Feb 2, 2017

After reading through a few SANS resources, I came across some interesting topics regarding the detection of rare processes to help pin point malicious applications running on a host; from this, I decided to create an EPL rule to baseline processes on Windows hosts and alert if any processes deviated from the norm.

 

The principle behind this rule is to profile every Windows host in the estate and keep track of the processes which run on said hosts, should they diverge from the average they are declared as rare and an alert is generated for analysts to investigate; the rule is written in a way to learn what is normal within a specific environment and baseline accordingly.

 

 

Dependencies

The following meta keys need to be indexed for the below rule to work:-

 

  • event_computer
  • process

 

Other than that, deploy the rule and you're good to go!

 

The EPL Rule

@Name('Create Window')

CREATE WINDOW winProcess.win:time(31 days) (theDay int, event_computer string, process string, counter int);

 

@Name('Insert into Window')

on Event(process IS NOT NULL AND event_computer IS NOT NULL)

merge winProcess

WHERE Event.process = winProcess.process AND Event.event_computer = winProcess.event_computer AND current_timestamp.getDayOfWeek() = winProcess.theDay

when matched

then update set counter = counter + 1

when not matched then INSERT

SELECT current_timestamp.getDayOfWeek() as theDay, event_computer, process, 1 as counter;

 

 

@Name('Alert')

@RSAAlert

SELECT * FROM winProcess as original

WHERE counter <= 0.2* (

SELECT avg(counter) FROM winProcess as recent

WHERE original.theDay = recent.theDay and original.event_computer = recent.event_computer);

Outcomes