11name : GPUpdate with no Command Line Arguments with Network
22id : 2c853856-a140-11eb-a5b5-acde48001122
3- version : 9
4- date : ' 2024-12-10 '
3+ version : 10
4+ date : ' 2025-04-22 '
55author : Michael Haag, Splunk
66status : production
77type : TTP
@@ -16,37 +16,24 @@ description: The following analytic detects the execution of gpupdate.exe withou
1616 leading to system compromise.
1717data_source :
1818- Sysmon EventID 1 AND Sysmon EventID 3
19- search : ' | tstats prestats=t `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
20- where Processes.process_name=gpupdate.exe by Processes.action Processes.dest Processes.original_file_name
21- Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
22- Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
23- Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
24- Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
25- Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
26- | tstats prestats=t append=t `security_content_summariesonly` count min(_time) as
27- firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where
28- All_Traffic.dest_port != 0 by All_Traffic.action All_Traffic.app All_Traffic.dest
29- All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.direction All_Traffic.dvc
30- All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip
31- All_Traffic.src_port All_Traffic.transport All_Traffic.user All_Traffic.vendor_product
32- All_Traffic.process_id | `drop_dm_object_name(All_Traffic)` | table action dest
33- original_file_name parent_process parent_process_exec parent_process_guid parent_process_id
34- parent_process_name parent_process_path process process_exec process_guid process_hash
35- process_id process_integrity_level process_name process_path user user_id vendor_product
36- app dest_ip dest_port direction dvc protocol protocol_version src src_ip src_port
37- transport | stats values(action) as action values(dest) as dest values(original_file_name)
38- as original_file_name values(parent_process) as parent_process values(parent_process_exec)
39- as parent_process_exec values(parent_process_guid) as parent_process_guid values(parent_process_id)
40- as parent_process_id values(parent_process_name) as parent_process_name values(parent_process_path)
41- as parent_process_path values(process) as process values(process_exec) as process_exec
42- values(process_hash) as process_hash values(process_guid) as process_guid values(process_integrity_level)
43- as process_integrity_level values(process_name) as process_name values(process_path)
44- as process_path values(user) as user values(user_id) as user_id values(vendor_product)
45- as vendor_product values(app) as app values(dest_ip) as dest_ip values(dest_port)
46- as dest_port values(direction) as direction values(dvc) as dvc values(protocol)
47- as protocol values(protocol_version) as protocol_version values(src) as src values(src_ip)
48- as src_ip values(src_port) as src_port values(transport) as transport by process_id
49- | where isnotnull(process_name) AND isnotnull(dest_port) | `gpupdate_with_no_command_line_arguments_with_network_filter`'
19+ search : ' | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
20+ where Processes.process_name=gpupdate.exe
21+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
22+ Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
23+ Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
24+ Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
25+ Processes.user Processes.user_id Processes.vendor_product
26+ | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
27+ | `security_content_ctime(lastTime)` | regex process="(?i)(gpupdate\.exe.{0,4}$)"|
28+ join process_id [| tstats `security_content_summariesonly` count values(All_Traffic.app) as app values(All_Traffic.dest_ip) as dest_ip
29+ values(All_Traffic.direction) as direction values(All_Traffic.dvc) as dvc values(All_Traffic.protocol) as protocol
30+ values(All_Traffic.protocol_version) as protocol_version values(All_Traffic.src) as src values(All_Traffic.src_ip) as src_ip
31+ values(All_Traffic.src_port) as src_port values(All_Traffic.transport) as transport FROM datamodel=Network_Traffic.All_Traffic
32+ where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port
33+ | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest
34+ parent_process_name process_name process_path process process_id dest_port C2 app dest_ip direction dvc protocol
35+ protocol_version src src_ip src_port transport |
36+ `gpupdate_with_no_command_line_arguments_with_network_filter`'
5037how_to_implement : The detection is based on data that originates from Endpoint Detection
5138 and Response (EDR) agents. These agents are designed to provide security-related
5239 telemetry from the endpoints where the agent is installed. To implement this search,
0 commit comments