Single Letter Process On Endpoint

Splunk Security Content

Summary
The rule "Single Letter Process On Endpoint" detects processes on endpoints whose names consist of a single letter, a pattern often associated with malware or with evasion tactics used by attackers. The analytic uses Endpoint Detection and Response (EDR) data, including Sysmon EventID 1 and Windows Security Event Log 4688, to monitor process names and the command lines that launched them.
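The detection logic the summary describes, as an added example that is not the Splunk Security Content search itself: process-creation events from Sysmon (EventID 1, executable in the Image field) and the Windows Security log (4688, executable in NewProcessName) are reduced to the executable's base name, and the name is flagged when its stem (the name without extension) is a single letter. The sample events, the field names used to carry host and user, and the decision to match letters only (not digits) are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# A stem such as "a" or "Q" is one ASCII letter; digits and longer names do not match.
# Matching letters only is an assumption of this example.
SINGLE_LETTER = re.compile(r"[A-Za-z]")


def is_single_letter_process(name):
    """True when the executable name, minus its extension, is exactly one letter.

    "a.exe" -> stem "a" -> True; "Q" (no extension) -> True; "7z.exe" -> False.
    """
    stem = PureWindowsPath(name).stem
    return SINGLE_LETTER.fullmatch(stem) is not None


def extract_process_path(event):
    """Return the full executable path for process-creation events only.

    Sysmon EventID 1 carries it in Image; Security 4688 carries it in NewProcessName.
    Other events (e.g. Sysmon network connections) are ignored so the rule only
    fires on process starts.
    """
    if event.get("source") == "sysmon" and event.get("EventID") == 1:
        return event.get("Image")
    if event.get("source") == "wineventlog" and event.get("EventID") == 4688:
        return event.get("NewProcessName")
    return None


def find_single_letter_processes(events):
    """Run the detection over a list of event dicts and return one finding per hit."""
    findings = []
    for event in events:
        path = extract_process_path(event)
        if not path:
            continue
        name = PureWindowsPath(path).name
        if is_single_letter_process(name):
            findings.append({
                "host": event.get("Computer"),
                # Sysmon reports User; 4688 reports SubjectUserName (assumed field names).
                "user": event.get("User") or event.get("SubjectUserName"),
                "process_name": name,
                "process_path": path,
                "command_line": event.get("CommandLine", ""),
            })
    return findings


# Constructed sample events; they are not real telemetry from any host.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 1, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"source": "sysmon", "EventID": 1, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\a.exe", "CommandLine": "a.exe"},
    # Sysmon EventID 3 is a network connection, not a process start: must be skipped.
    {"source": "sysmon", "EventID": 3, "Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\b.exe"},
    {"source": "wineventlog", "EventID": 4688, "Computer": "ws02", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Users\bob\Downloads\x.exe", "CommandLine": "x.exe -k"},
    {"source": "wineventlog", "EventID": 4688, "Computer": "ws02", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": "7z.exe a out.zip"},
    # No extension and upper case: still a single-letter process name.
    {"source": "wineventlog", "EventID": 4688, "Computer": "ws03", "SubjectUserName": "svc",
     "NewProcessName": r"C:\Users\svc\Q", "CommandLine": "Q"},
    {"source": "wineventlog", "EventID": 4688, "Computer": "ws03", "SubjectUserName": "svc",
     "NewProcessName": r"C:\Users\svc\ab.exe", "CommandLine": "ab.exe"},
]


if __name__ == "__main__":
    for finding in find_single_letter_processes(SAMPLE_EVENTS):
        print(f"{finding['host']} {finding['user']} {finding['process_path']} :: {finding['command_line']}")
```

The same condition expressed in Splunk is a regular-expression match on the normalised process name rather than Python; either way, expect to tune the rule with an allow list of known single-letter binaries in your environment, since the name pattern alone is a weak signal and the command line and parent process should be reviewed before escalating.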
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1204
  • T1204.002
Created: 2024-12-10