splunk_sysmon_T1096_esentutl.txt

host=* ("Esentutl.exe" AND (CommandLine="*/y*" OR CommandLine="*/vss*" OR CommandLine="*\\\\*" OR CommandLine="*\/d*"))
| eval Time=strftime(_time, "%Y/%m/%d %H:%M:%S")
| stats values(Time) AS Time values(ComputerName) AS Computers values(User) AS User values(ProcessId) AS ProcessId values(ParentProcessId) AS ParentProcessId values(IntegrityLevel) AS IntegrityLevel values(OriginalFileName) AS OriginalFileName values(Image) AS ImageFileName values(CommandLine) AS CommandLine values(ParentImage) As ParentImage values(ParentCommandLine) AS ParentCommandLine dc(CommandLine) AS ThreatCount by Image,ComputerName
| eval Commands = lower(CommandLine)
| rex field=Commands mode=sed "s/\"//g"
| eval T1096_esentutl=if(match((Commands),"(?i).*esentutl.*(\/y|\/d|\/o|:).*"),7,0)
| eval Defense_Evasion_c= 'T1096_esentutl'
| eval  Defense_Evasion=Defense_Evasion_c*ThreatCount
| addtotals fieldname=Score Defense_Evasion
| table Time Computers User ProcessId ParentProcessId IntegrityLevel Score Defense_Evasion T1096_esentutl OriginalFileName ImageFileName Commands ParentImage ParentCommandLine
| sort Score desc