Detection rules › Splunk
High Process Termination Frequency
The following analytic identifies a high frequency of process termination events on a single computer within a short period. It leverages Sysmon EventCode 5 (Process terminated) logs and fires when 15 or more processes are terminated on one host within a 3-second window. This behavior is significant because ransomware commonly kills processes that hold files open (database engines, backup agents, mail and Office applications) before encrypting, so that encryption does not fail on locked files. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss. Expect benign bursts from system shutdown, user logoff, patch installation and some EDR or update agents; tune those out in the rule's filter macro rather than by raising the threshold.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1486 Data Encrypted for Impact |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 5 | Process terminated |
Stages and Predicates
Stage 1: search
search EventCode=5
Keeps only Sysmon process-termination events (Event ID 5).
Stage 2: bucket
span="3s"
Rounds _time down to fixed 3-second buckets (the "3-second window" in the description). This page renders the stage as a bare search term, but span only has meaning here as the bucket size that Stage 3 groups on. Buckets are aligned to the epoch, not slid across events, so a burst that straddles a bucket boundary is split between two counts.
Stage 3: stats
stats count BY _time, dest, EventCode, ProcessID, signature, signature_id, vendor_product
Counts terminations per bucket and host. Check how ProcessID is extracted in your environment: in Splunk's XML Windows event extraction this is the Execution ProcessID of the logging Sysmon service (constant across events), whereas the terminated process is ProcessId in EventData. If ProcessID instead resolves to the terminated process's PID, every group has a count of 1 and the rule never fires.
Stage 4: where
where count>=15
Stage 5: search
search (stage contents not rendered on this page)
Stage 6: search
search (stage contents not rendered on this page)
Stage 7: search
search `macro`
The trailing macro call is conventionally the rule's filter macro, the place to add per-environment exclusions (known-good hosts or images) without touching the threshold.
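The following is an added worked example, not the Splunk rule or any Splunk project code: it re-implements Stages 1 to 4 in Python over constructed Sysmon EventCode 5 records so the bucketing behaviour can be inspected offline. The key=value record format, the host names WS01 to WS03, the image paths and the timestamps are all constructed for the example; `dest` stands in for the Splunk-normalized host field. It also goes beyond the rule with a sliding-window variant to show the boundary case that fixed 3-second buckets miss.

```python
"""Offline re-implementation of the High Process Termination Frequency logic.

Added example (not the Splunk rule itself). Sample events are constructed,
bucketed into epoch-aligned 3-second windows the way `bucket _time span=3s`
does, counted per (bucket, host), and flagged at count >= 15.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SPAN_SECONDS = 3    # Stage 2: span="3s"
THRESHOLD = 15      # Stage 4: where count>=15
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%f"
# Epoch seconds of this instant are a multiple of 3, so it is a bucket boundary.
BASE = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def _event(offset_ms, dest, pid, image):
    """Render one constructed Sysmon EventCode 5 record as key=value text."""
    ts = (BASE + timedelta(milliseconds=offset_ms)).strftime(TIME_FMT)
    return f"EventCode=5 UtcTime={ts} dest={dest} ProcessId={pid} Image={image}"


def build_sample_events():
    """Constructed sample data, not real telemetry: three hosts, one pattern each."""
    lines = []
    # WS01: 16 terminations within 1.6 s, all landing in a single 3 s bucket.
    for i in range(16):
        lines.append(_event(100 + i * 100, "WS01", 4000 + i, f"C:\\Apps\\svc{i}.exe"))
    # WS02: 16 terminations within 1.9 s that straddle a bucket boundary (8 + 8).
    for i in range(16):
        lines.append(_event(2000 + i * 125, "WS02", 5000 + i, f"C:\\Apps\\svc{i}.exe"))
    # WS03: five ordinary terminations a second apart (benign noise).
    for i in range(5):
        lines.append(_event(i * 1000, "WS03", 6000 + i, "C:\\Windows\\System32\\notepad.exe"))
    return lines


def parse_event(line):
    """Parse a key=value record; values carry no spaces in the constructed data."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    when = datetime.strptime(fields["UtcTime"], TIME_FMT).replace(tzinfo=timezone.utc)
    fields["_time"] = when.timestamp()
    return fields


def bucket_time(epoch, span=SPAN_SECONDS):
    """Floor to a span boundary: fixed, epoch-aligned windows, not sliding ones."""
    return int(epoch // span) * span


def run_rule(lines, span=SPAN_SECONDS, threshold=THRESHOLD):
    """Stages 1-4: filter EventCode=5, bucket, count by (bucket, dest), apply threshold."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "5":                       # Stage 1
            continue
        key = (bucket_time(ev["_time"], span), ev["dest"])   # Stages 2 and 3
        groups[key].append(ev["Image"])
    hits = []
    for (bucket, dest), images in sorted(groups.items()):
        if len(images) >= threshold:                        # Stage 4
            hits.append({"_time": bucket, "dest": dest, "count": len(images),
                         "proc_terminated": sorted(set(images))})
    return hits


def sliding_window_hits(lines, span=SPAN_SECONDS, threshold=THRESHOLD):
    """Variant: flag a host if ANY span-length window holds >= threshold events."""
    times = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") == "5":
            times[ev["dest"]].append(ev["_time"])
    flagged = set()
    for dest, ts in times.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):
            while j < len(ts) and ts[j] - ts[i] < span:
                j += 1
            if j - i >= threshold:
                flagged.add(dest)
                break
    return flagged


if __name__ == "__main__":
    events = build_sample_events()
    for hit in run_rule(events):
        print(hit["dest"], hit["count"], hit["proc_terminated"][:3])
    print("sliding-window variant:", sorted(sliding_window_hits(events)))
```

Running it shows the fixed-bucket rule flagging only WS01, while the sliding-window variant also catches WS02, whose burst was split 8/8 across a bucket boundary. In SPL the equivalent tightening is `streamstats` with `time_window=3s` instead of `bucket`, at the cost of more expensive evaluation; whether that matters depends on how many hosts and how much Sysmon volume the search covers.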
Indicators
Each row is a field, operator, and value that the rule matches. In the full catalog a corpus column counts how many other rules look for the same combination: high numbers point to widely-used, community-vetted indicators, while a blank or 1 shows that the indicator is specific to this rule. That column is not rendered on this page.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 5 |
| count | ge | 15 |
| span | eq | 3s |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Processes Killed By Industroyer2 Malware (adds 1 filter)