detect_unauthorized_processes.yml

category:
  - Best Practices
channel: ESCU
creation_date: '2017-06-26'
description: 'Identify and investigate prohibited/unauthorized software or processes
  that may be concealing malicious behavior within your environment. '
detections:
  - detection_id: a51bfe1a-94f0-48cc-b4e4-b6ae50145893
    name: Prohibited Software On Endpoint
    type: splunk
id: 8892a655-6205-43f7-abba-06460e38c8ae
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
modification_date: '2017-09-15'
name: Monitor for Unauthorized Software
narrative: 'It is critical to identify unauthorized software and processes running
  on enterprise endpoints and determine whether they are likely to be malicious. This
  Analytic Story requires the user to populate the Interesting Processes table within
  Enterprise Security with prohibited processes. An included support search will augment
  this data, adding information on processes thought to be malicious. This search
  requires data from endpoint detection-and-response solutions, endpoint data sources
  (such as Sysmon), or Windows Event Logs--assuming that the Active Directory administrator
  has enabled process tracking within the System Event Audit Logs.\

  It is important to investigate any software identified as suspicious, in order to
  understand how it was installed or executed. Analyzing authentication logs or any
  historic notable events might elicit additional investigative leads of interest.
  For best results, schedule the search to run every two weeks. '
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
references:
  - https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
spec_version: 2
usecase: Compliance
version: '1.0'