Detection: Windows Defender Tools in Non Standard Path

Date: 2022-07-18 ID: c205bd2e-cd5b-4224-8510-578a2a1f83d7 Author: Lou Stella, Splunk Type: Anomaly Product: Splunk User Behavior Analytics

Description

The following analytic identifies usage of the MPCmdRun utility that can be abused by adversaries by moving it to a new directory.

Annotations

No annotations available.

Implementation

Collect endpoint data such as sysmon or 4688 events.

Known False Positives

False positives may be present and filtering may be required.

Associated Analytic Story

Living Off The Land

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
Process $process_name$ with commandline $process$ spawn in non-default folder path on host $dest_device_id$	56	70	80

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://attack.mitre.org/techniques/T1036/003/
https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/

Version: 4