Suspicious Process Path

Description

Sysmon telemetry generated in Attack Range for a process executed from a suspicious file path (MITRE ATT&CK T1036, Masquerading), collected so that the corresponding Splunk detection can be tested against real event data.

MITRE ATT&CK Techniques

ID     Technique     Tactic
T1036  Masquerading  Defense Evasion

Environment Details

Field        Value
Environment  attack_range
Directory    suspicious_process_path
Test Date    2025-01-27

Datasets

The following datasets were collected during this attack simulation:

Susp_path_sysmon1

  • Path: /datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name: Windows Suspicious Process File Path
Type: TTP
Source: Endpoint
MITRE ATT&CK: T1543, T1036.005
Analytic Story: PlugX, Water Gamayun, Warzone RAT, Swift Slicer, Data Destruction, AgentTesla, LockBit Ransomware, Volt Typhoon, Brute Ratel C4, WhisperGate, Industroyer2, DarkGate Malware, ValleyRAT, XMRig, Chaos Ransomware, Hermetic Wiper, Remcos, Quasar RAT, Rhysida Ransomware, DarkCrystal RAT, Qakbot, China-Nexus Threat Activity, XWorm, IcedID, CISA AA23-347A, Azorult, Handala Wiper, Salt Typhoon, Earth Alux, Double Zero Destructor, Trickbot, Malicious Inno Setup Loader, BlackByte Ransomware, SystemBC, Phemedrone Stealer, Graceful Wipe Out Attack, Prestige Ransomware, Amadey, AsyncRAT, RedLine Stealer, SnappyBee, Meduza Stealer, MoonPeak, Interlock Ransomware, Interlock Rat, NailaoLocker Ransomware, PromptLock, GhostRedirector IIS Module and Rungan Backdoor, Lokibot
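The detection above fires on Sysmon process-creation events (Event ID 1) whose Image path sits in a directory that legitimate software rarely launches from. To make concrete what the dataset exercises, here is an added example, written for this page and not taken from the Splunk security content repository, that parses XmlWinEventLog-style Sysmon events and applies that check. The sample events are constructed, and the directory list is an illustrative assumption rather than the exact list the Splunk search uses.

```python
"""Toy suspicious-process-path check over Sysmon Event ID 1 XML events.

Added example for this page. The events and the directory list below are
constructed/assumed; they are not the dataset on this page nor the exact
logic of the Splunk detection.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML, including Sysmon events.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed, illustrative launch directories to flag. Patterns run against the
# lower-cased, backslash-normalised Image path.
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(p) for p in (
        r"\\users\\public\\",
        r"\\appdata\\local\\temp\\",
        r"\\windows\\temp\\",
        r"\\windows\\fonts\\",
        r"\\programdata\\",
        r"\\perflogs\\",
        r"\\\$recycle\.bin\\",
    )
]


def _event(event_id, image, parent, user, utc):
    """Build one constructed Sysmon event in the XmlWinEventLog shape."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Sysmon'/>"
        f"<EventID>{event_id}</EventID><Computer>win-dc-01</Computer></System>"
        "<EventData>"
        f"<Data Name='UtcTime'>{utc}</Data>"
        f"<Data Name='Image'>{image}</Data>"
        f"<Data Name='CommandLine'>{image} /run</Data>"
        f"<Data Name='User'>{user}</Data>"
        f"<Data Name='ParentImage'>{parent}</Data>"
        "</EventData></Event>"
    )


# Constructed sample log: two process launches from flagged locations, one
# legitimate launch, and one Event ID 3 (network connect) that must be ignored.
SAMPLE_LOG = "\n".join([
    _event(1, "C:\\Users\\Public\\svchost.exe", "C:\\Windows\\System32\\cmd.exe",
           "WIN-DC-01\\bob", "2025-01-27 10:00:01.000"),
    _event(1, "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\services.exe",
           "NT AUTHORITY\\SYSTEM", "2025-01-27 10:00:02.000"),
    _event(1, "C:\\Windows\\Temp\\update.exe", "C:\\Windows\\explorer.exe",
           "WIN-DC-01\\bob", "2025-01-27 10:00:03.000"),
    _event(3, "C:\\Users\\Public\\svchost.exe", "-",
           "WIN-DC-01\\bob", "2025-01-27 10:00:04.000"),
])


def split_events(log_text):
    """Return each <Event>...</Event> block from an XmlWinEventLog export."""
    return re.findall(r"<Event\b.*?</Event>", log_text, flags=re.S)


def parse_event(xml_text):
    """Return EventID, Computer and the EventData Name/value pairs of one event."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": int(root.findtext("e:System/e:EventID", default="0", namespaces=EVT_NS)),
        "Computer": root.findtext("e:System/e:Computer", default="", namespaces=EVT_NS),
    }
    for data in root.iterfind("e:EventData/e:Data", EVT_NS):
        event[data.get("Name")] = data.text or ""
    return event


def is_suspicious_path(image):
    """True when the executable was launched from one of the flagged directories."""
    norm = image.replace("/", "\\").lower()
    return any(p.search(norm) for p in SUSPICIOUS_PATH_PATTERNS)


def detect(log_text):
    """Apply the path check to every Sysmon process-creation (Event ID 1) event."""
    hits = []
    for raw in split_events(log_text):
        ev = parse_event(raw)
        if ev["EventID"] != 1:          # only process creation, not network/file events
            continue
        image = ev.get("Image", "")
        if is_suspicious_path(image):
            hits.append({
                "time": ev.get("UtcTime", ""),
                "host": ev["Computer"],
                "user": ev.get("User", ""),
                "image": image,
                "parent": ev.get("ParentImage", ""),
                "command_line": ev.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} {hit['user']} {hit['image']} "
              f"(parent: {hit['parent']})")
```

Running the block reports the two launches from C:\Users\Public and C:\Windows\Temp and stays silent on the System32 launch and on the Event ID 3 record, which is the behaviour a replay of this dataset should produce in the real detection: a hit for the masqueraded process path, no hit for the same binary name in its legitimate location.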

Usage Instructions

Replay with Splunk Attack Data

Replay the dataset into a Splunk instance with replay.py from the Splunk Attack Data repository; the command below writes the events to the attack_data index.

python replay.py --dataset /datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log --index attack_data

Manual Import

  1. Download the dataset files from the paths listed above
  2. Configure your Splunk instance with the appropriate sourcetypes
  3. Import the logs using the Splunk Add Data wizard
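For step 2, the sourcetype and source must match what the detection's base search expects (XmlWinEventLog from the Sysmon Operational channel, as listed under Datasets), otherwise the replayed events are indexed but never selected. As an added example, not part of the page or the Splunk repository, here is a file monitor input that applies those values; the local file path and the use of the attack_data index are assumptions chosen to match the replay.py command above.

```ini
# Added example: inputs.conf on the Splunk instance (e.g. $SPLUNK_HOME/etc/system/local/inputs.conf).
# The monitored path is an assumed download location for the dataset file.
[monitor:///opt/attack_data/T1036/suspicious_process_path/susp_path_sysmon1.log]
sourcetype = XmlWinEventLog
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
index = attack_data
disabled = false
```

Restart Splunk or reload inputs after saving, then confirm with a search over index=attack_data that the events carry the expected source and sourcetype before running the detection.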

Find more detections and analytics for this attack technique in our security content repository.


Source: GitHub | Version: 1.0