Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands.
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|Command and Scripting Interpreter||N/A||Execution||Low|
Data Model References
Splunk search - Identifying possible malware activity via unusually long command line strings (Splunk, Sysmon native)
This is a Splunk query that determines the average length of a command per user and searches for a command string that is multiple times longer than the average length
index=* sourcetype="xmlwineventlog" EventCode=4688 |eval cmd_len=len(CommandLine) | eventstats avg(cmd_len) as avg by host| stats max(cmd_len) as maxlen, values(avg) as avgperhost by host, CommandLine | where maxlen > 10*avgperhost