diff --git a/docs/analytics/CAR-2013-01-002/index.md b/docs/analytics/CAR-2013-01-002/index.md index cd1c136e..aad379aa 100644 --- a/docs/analytics/CAR-2013-01-002/index.md +++ b/docs/analytics/CAR-2013-01-002/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness, TTP contributors: MITRE applicable_platforms: Windows --- - - +

The Sysinternals tool [Autoruns](../sensors/autoruns) checks the registry and file system for known identify persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain [Persistence](https://attack.mitre.org/tactics/TA0003). Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired. Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative. diff --git a/docs/analytics/CAR-2013-01-003/index.md b/docs/analytics/CAR-2013-01-003/index.md index 75764090..0261bdbb 100644 --- a/docs/analytics/CAR-2013-01-003/index.md +++ b/docs/analytics/CAR-2013-01-003/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: N/A --- - - +

[Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise. ### Output Description diff --git a/docs/analytics/CAR-2013-02-003/index.md b/docs/analytics/CAR-2013-02-003/index.md index 3e581573..8a8c3601 100644 --- a/docs/analytics/CAR-2013-02-003/index.md +++ b/docs/analytics/CAR-2013-02-003/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows --- - - +

The Windows [Command Prompt](https://en.wikipedia.org/wiki/cmd.exe) (`cmd.exe`) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as `dir`, `copy`, `mkdir`, and `type`, as well as batch scripts (`.bat`). Typically, when a user runs a command prompt, the parent process is `explorer.exe` or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process `cmd.exe` from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of `cmd.exe`, it may be possible to detect adversaries. diff --git a/docs/analytics/CAR-2013-02-008/index.md b/docs/analytics/CAR-2013-02-008/index.md index d1333341..023ce975 100644 --- a/docs/analytics/CAR-2013-02-008/index.md +++ b/docs/analytics/CAR-2013-02-008/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. diff --git a/docs/analytics/CAR-2013-02-012/index.md b/docs/analytics/CAR-2013-02-012/index.md index 38ceef36..15553611 100644 --- a/docs/analytics/CAR-2013-02-012/index.md +++ b/docs/analytics/CAR-2013-02-012/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certain users will likely appear as being logged into several machines and may need to be "whitelisted." Such users would include network admins or user names that are common to many hosts. diff --git a/docs/analytics/CAR-2013-03-001/index.md b/docs/analytics/CAR-2013-03-001/index.md index c9c5fcda..9d01d6a1 100644 --- a/docs/analytics/CAR-2013-03-001/index.md +++ b/docs/analytics/CAR-2013-03-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via `regedit.exe` or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility `reg.exe` provides a [command-line interface](https://en.wikipedia.org/wiki/Command-line_interface) to the registry, so that queries and modifications can be performed from a shell, such as `cmd.exe`. When a user is responsible for these actions, the parent of `cmd.exe` will likely be `explorer.exe`. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly. ### Output Description diff --git a/docs/analytics/CAR-2013-04-002/index.md b/docs/analytics/CAR-2013-04-002/index.md index 6c83b1b0..cb0704f1 100644 --- a/docs/analytics/CAR-2013-04-002/index.md +++ b/docs/analytics/CAR-2013-04-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing. Commands of interest: 
@@ -60,7 +59,7 @@ The host on which the commands were executed, the time of execution, and what co |[Hijack Execution Flow](https://attack.mitre.org/techniques/T1574/)|[Services Registry Permissions Weakness](https://attack.mitre.org/techniques/T1574/011/)|[Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)|Low| |[Remote System Discovery](https://attack.mitre.org/techniques/T1018/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| |[System Services](https://attack.mitre.org/techniques/T1569/)|[Service Execution](https://attack.mitre.org/techniques/T1569/002/)|[Execution](https://attack.mitre.org/tactics/TA0002/)|Low| -|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At (Windows)](https://attack.mitre.org/techniques/T1053/002/), [Scheduled Task](https://attack.mitre.org/techniques/T1053/005/)|[Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/), [Execution](https://attack.mitre.org/tactics/TA0002/)|Low| +|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At](https://attack.mitre.org/techniques/T1053/002/), [Scheduled Task](https://attack.mitre.org/techniques/T1053/005/)|[Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/), [Execution](https://attack.mitre.org/tactics/TA0002/)|Low| |[Scheduled Transfer](https://attack.mitre.org/techniques/T1029/)|N/A|[Exfiltration](https://attack.mitre.org/tactics/TA0010/)|Low| |[System Owner/User Discovery](https://attack.mitre.org/techniques/T1033/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| |[System Service Discovery](https://attack.mitre.org/techniques/T1007/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| 
@@ -69,7 +68,7 @@ The host on which the commands were executed, the time of execution, and what co |[System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| |[Application Window Discovery](https://attack.mitre.org/techniques/T1010/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| |[Software Discovery](https://attack.mitre.org/techniques/T1518/)|[Security Software Discovery](https://attack.mitre.org/techniques/T1518/001/)|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| -|[Network Service Scanning](https://attack.mitre.org/techniques/T1046/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| +|[Network Service Discovery](https://attack.mitre.org/techniques/T1046/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| |[Impair Defenses](https://attack.mitre.org/techniques/T1562/)|[Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001/), [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| |[Account Manipulation](https://attack.mitre.org/techniques/T1098/)|N/A|[Credential Access](https://attack.mitre.org/tactics/TA0006/)|Low| |[Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)|[Visual Basic](https://attack.mitre.org/techniques/T1059/005/)|[Execution](https://attack.mitre.org/tactics/TA0002/)|Moderate| diff --git a/docs/analytics/CAR-2013-05-002/index.md b/docs/analytics/CAR-2013-05-002/index.md index bdb65c08..e4ae3e07 100644 --- a/docs/analytics/CAR-2013-05-002/index.md +++ b/docs/analytics/CAR-2013-05-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

In Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute. As a result, some defenders make the mistake of ignoring these directories and assuming that a process will never run from one. There are known TTPs that have taken advantage of this fact to go undetected. This fact should inform defenders to monitor these directories more closely, knowing that they should never contain running processes. Monitors the directories diff --git a/docs/analytics/CAR-2013-05-003/index.md b/docs/analytics/CAR-2013-05-003/index.md index d38e9010..61a44567 100644 --- a/docs/analytics/CAR-2013-05-003/index.md +++ b/docs/analytics/CAR-2013-05-003/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness, TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

As described in [CAR-2013-01-003](../CAR-2013-01-003), SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host. SMB is commonly used to upload files. It may be used for staging in [Exfiltration](https://attack.mitre.org/tactics/TA0010) or as a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to find techniques that actively change remote hosts, instead of passively reading files. diff --git a/docs/analytics/CAR-2013-05-004/index.md b/docs/analytics/CAR-2013-05-004/index.md index e09cdad9..06973576 100644 --- a/docs/analytics/CAR-2013-05-004/index.md +++ b/docs/analytics/CAR-2013-05-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

In order to gain [persistence](https://attack.mitre.org/tactics/TA0003/), [privilege escalation](https://attack.mitre.org/tactics/TA0004/), or [remote execution](https://attack.mitre.org/tactics/TA0002/), an adversary may use the Windows built-in command AT (at.exe) to [schedule a command](https://attack.mitre.org/techniques/T1053/002) to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe ([CAR-2013-08-001](../CAR-2013-08-001)) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users. @@ -18,7 +17,7 @@ The built-in Windows tool schtasks.exe ([CAR-2013-08-001](../CAR-2013-08-001)) o |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At (Windows)](https://attack.mitre.org/techniques/T1053/002/)|[Execution](https://attack.mitre.org/tactics/TA0002/), [Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)|Moderate| +|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At](https://attack.mitre.org/techniques/T1053/002/)|[Execution](https://attack.mitre.org/tactics/TA0002/), [Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)|Moderate| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2013-05-005/index.md b/docs/analytics/CAR-2013-05-005/index.md index 94ad88e9..b1a8263d 100644 --- a/docs/analytics/CAR-2013-05-005/index.md +++ b/docs/analytics/CAR-2013-05-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

An adversary needs to gain access to other hosts to move throughout an environment. In many cases, this is a twofold process. First, a file is remotely written to a host via an SMB share (detected by [CAR-2013-05-003](../CAR-2013-05-003)). Then, a variety of [Execution](https://attack.mitre.org/tactics/TA0002) techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity. This can possibly extend to more copy protocols in order to widen its reach, or it could be tuned more finely to focus on specific program run locations (e.g. `%SYSTEMROOT%\system32`) to gain a higher detection rate. diff --git a/docs/analytics/CAR-2013-05-009/index.md b/docs/analytics/CAR-2013-05-009/index.md index 9ee7725a..8e6fc0d4 100644 --- a/docs/analytics/CAR-2013-05-009/index.md +++ b/docs/analytics/CAR-2013-05-009/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Executables are generally not renamed, thus a given hash of an executable should only have ever one name. Identifying instances where multiple process names share the same hash may find cases where tools are copied by attackers to different folders or hosts to [avoid detection](https://attack.mitre.org/tactics/TA0005). Although this analytic was initially based on MD5 hashes, it is equally applicable to any hashing convention. diff --git a/docs/analytics/CAR-2013-07-001/index.md b/docs/analytics/CAR-2013-07-001/index.md index b94b0e1a..60a6ae48 100644 --- a/docs/analytics/CAR-2013-07-001/index.md +++ b/docs/analytics/CAR-2013-07-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better [blend in](https://attack.mitre.org/tactics/TA0005) with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters. Any tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include diff --git a/docs/analytics/CAR-2013-07-002/index.md b/docs/analytics/CAR-2013-07-002/index.md index 9e3f6c4f..faa8f65c 100644 --- a/docs/analytics/CAR-2013-07-002/index.md +++ b/docs/analytics/CAR-2013-07-002/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness, TTP contributors: MITRE applicable_platforms: N/A --- - - +

The [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to [laterally move](https://attack.mitre.org/tactics/TA0008) to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise. Remote Desktop can be detected in several ways diff --git a/docs/analytics/CAR-2013-07-005/index.md b/docs/analytics/CAR-2013-07-005/index.md index 0b3cecce..871358e0 100644 --- a/docs/analytics/CAR-2013-07-005/index.md +++ b/docs/analytics/CAR-2013-07-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Before [exfiltrating data](https://attack.mitre.org/tactics/TA0010) that an adversary has [collected](https://attack.mitre.org/tactics/TA0009), it is very likely that a [compressed archive](https://attack.mitre.org/techniques/T1560) will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "`\* a \*`". This is helpful, as adversaries may change program names. diff --git a/docs/analytics/CAR-2013-08-001/index.md b/docs/analytics/CAR-2013-08-001/index.md index 1f9da11f..4e59652f 100644 --- a/docs/analytics/CAR-2013-08-001/index.md +++ b/docs/analytics/CAR-2013-08-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

The Windows built-in tool `schtasks.exe` provides the creation, modification, and running of [scheduled tasks](https://attack.mitre.org/techniques/T1053) on a local or remote computer. It is provided as a more flexible alternative to `at.exe`, described in [CAR-2013-05-004](../CAR-2013-05-004). Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain [Persistence](https://attack.mitre.org/tactics/TA0003) and can be used in combination with a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique to remotely gain [execution](https://attack.mitre.org/tactics/TA0002). Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The `/s` flag specifies the remote system on which the task should be scheduled, usually indicating [Lateral Movement](https://attack.mitre.org/tactics/TA0008). diff --git a/docs/analytics/CAR-2013-09-003/index.md b/docs/analytics/CAR-2013-09-003/index.md index 4a4da06f..63b65680 100644 --- a/docs/analytics/CAR-2013-09-003/index.md +++ b/docs/analytics/CAR-2013-09-003/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: N/A --- - - +

Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them. This analytic monitors SMB activity that deals with user activity rather than file activity. diff --git a/docs/analytics/CAR-2013-09-005/index.md b/docs/analytics/CAR-2013-09-005/index.md index 17223b34..50633efa 100644 --- a/docs/analytics/CAR-2013-09-005/index.md +++ b/docs/analytics/CAR-2013-09-005/index.md @@ -8,8 +8,7 @@ analytic_type: Detection contributors: MITRE applicable_platforms: Windows --- - - +

New executables that are started as a service are suspicious. This analytic looks for anomalous service executables. diff --git a/docs/analytics/CAR-2013-10-001/index.md b/docs/analytics/CAR-2013-10-001/index.md index f510d361..8c0e020a 100644 --- a/docs/analytics/CAR-2013-10-001/index.md +++ b/docs/analytics/CAR-2013-10-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere. Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. diff --git a/docs/analytics/CAR-2013-10-002/index.md b/docs/analytics/CAR-2013-10-002/index.md index 817b39fc..7cf719f6 100644 --- a/docs/analytics/CAR-2013-10-002/index.md +++ b/docs/analytics/CAR-2013-10-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx). - Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx) diff --git a/docs/analytics/CAR-2014-02-001/index.md b/docs/analytics/CAR-2014-02-001/index.md index 8795f621..3708d644 100644 --- a/docs/analytics/CAR-2014-02-001/index.md +++ b/docs/analytics/CAR-2014-02-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness, TTP contributors: MITRE applicable_platforms: Windows --- - - +

Adversaries may modify the binary file for an existing service to achieve [Persistence](https://attack.mitre.org/tactics/TA0003) while potentially [evading defenses](https://attack.mitre.org/tactics/TA0005). If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications. ### Output Description diff --git a/docs/analytics/CAR-2014-03-001/index.md b/docs/analytics/CAR-2014-03-001/index.md index 4562ac13..7ac418cc 100644 --- a/docs/analytics/CAR-2014-03-001/index.md +++ b/docs/analytics/CAR-2014-03-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

An SMB write can be an indicator of lateral movement, especially when combined with other information such as execution of that written file. Named pipes are a subset of SMB write requests. Named pipes such as msftewds may not be alarming; however others, such as lsarpc, may. Monitoring SMB write requests still creates some noise, particulary with named pipes. As a result, SMB is now split between writing named pipes and writing other files. diff --git a/docs/analytics/CAR-2014-03-005/index.md b/docs/analytics/CAR-2014-03-005/index.md index 565b1f4f..e69641cc 100644 --- a/docs/analytics/CAR-2014-03-005/index.md +++ b/docs/analytics/CAR-2014-03-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality. When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the [RPC Endpoint Mapper](../CAR-2014-05-001) over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on `services.exe`. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command. diff --git a/docs/analytics/CAR-2014-03-006/index.md b/docs/analytics/CAR-2014-03-006/index.md index 23ec43d7..9f23fd75 100644 --- a/docs/analytics/CAR-2014-03-006/index.md +++ b/docs/analytics/CAR-2014-03-006/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Adversaries may find it necessary to use [Dyanamic-link Libraries](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682589.aspx) (DLLs) to [evade defenses](https://attack.mitre.org/tactics/TA0005). One way these DLLs can be "executed" is through the use of the built-in Windows utility [RunDLL32](https://attack.mitre.org/techniques/T1218.011), which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful. @@ -17,7 +16,7 @@ Adversaries may find it necessary to use [Dyanamic-link Libraries](https://msdn. |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Rundll32](https://attack.mitre.org/techniques/T1218/011/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| +|[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Rundll32](https://attack.mitre.org/techniques/T1218/011/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2014-04-003/index.md b/docs/analytics/CAR-2014-04-003/index.md index ea605a74..047e86f3 100644 --- a/docs/analytics/CAR-2014-04-003/index.md +++ b/docs/analytics/CAR-2014-04-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

[PowerShell](https://attack.mitre.org/techniques/T1059/001/) is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. Powershell can be used to hide monitored command line execution such as: diff --git a/docs/analytics/CAR-2014-05-001/index.md b/docs/analytics/CAR-2014-05-001/index.md index cfa009fc..425de5dc 100644 --- a/docs/analytics/CAR-2014-05-001/index.md +++ b/docs/analytics/CAR-2014-05-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP, Situational Awareness contributors: MITRE applicable_platforms: Windows --- - - +

Microsoft Windows uses its implementation of [Distributed Computing Environment/Remote Procedure Call](https://en.wikipedia.org/wiki/DCE/RPC) (DCE/RPC), which it calls [Microsoft RPC](https://en.wikipedia.org/wiki/Microsoft_RPC), to call certain APIs remotely. A Remote Procedure Call is initiated by communicating to the RPC Endpoint Mapper, which exists as the Windows service RpcEptMapper and listens on the port 135/tcp. The endpoint mapper resolves a requested endpoint/interface and responds to the client with the port that the service is listening on. Since the RPC endpoints are assigned ports when the services start, these ports are dynamically assigned from 49152 to 65535. The connection to the endpoint mapper then terminates and the client program can communicate directly with the requested service. diff --git a/docs/analytics/CAR-2014-05-002/index.md b/docs/analytics/CAR-2014-05-002/index.md index b86a9eaa..4774e240 100644 --- a/docs/analytics/CAR-2014-05-002/index.md +++ b/docs/analytics/CAR-2014-05-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Windows runs the [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM) within the process `services.exe`. Windows launches services as independent processes or DLL loads within a [svchost.exe](https://en.wikipedia.org/wiki/svchost.exe) group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point [SvcMain](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687414.aspx). If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed. To survive the timeout, [adversaries and red teams](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf) can create services that direct to `cmd.exe` with the flag `/c`, followed by the desired command. The `/c` flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default. Thus, services are a convenient way for an adversary to gain [Persistence](https://attack.mitre.org/tactics/TA0003) and [Privilege Escalation](https://attack.mitre.org/tactics/TA0004). diff --git a/docs/analytics/CAR-2014-07-001/index.md b/docs/analytics/CAR-2014-07-001/index.md index 9846a527..e0c9d4eb 100644 --- a/docs/analytics/CAR-2014-07-001/index.md +++ b/docs/analytics/CAR-2014-07-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

According to [ATT&CK](https://attack.mitre.org/), an adversary may [escalate privileges](https://attack.mitre.org/tactics/TA0004) by [intercepting the search path](https://attack.mitre.org/techniques/T1579/009) for legitimately installed services. As a result, Windows will launch the target executable instead of the desired binary and command line. This can be done when there are spaces in the binary path and the path is unquoted. Search path interception should never happen legitimately and will likely be the result of an adversary abusing a system misconfiguration. With a few regular expressions, it is possible to identify the execution of services with intercepted search paths. diff --git a/docs/analytics/CAR-2014-11-002/index.md b/docs/analytics/CAR-2014-11-002/index.md index f995daf6..5c7a8c01 100644 --- a/docs/analytics/CAR-2014-11-002/index.md +++ b/docs/analytics/CAR-2014-11-002/index.md @@ -8,8 +8,7 @@ analytic_type: Anomaly, TTP contributors: MITRE applicable_platforms: Windows --- - - +

Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning `cmd.exe` by looking for programs that do not normally create `cmd.exe`. While this analytic does not take the user into account, doing so could generate further interesting results. diff --git a/docs/analytics/CAR-2014-11-003/index.md b/docs/analytics/CAR-2014-11-003/index.md index 90f24c51..917b1158 100644 --- a/docs/analytics/CAR-2014-11-003/index.md +++ b/docs/analytics/CAR-2014-11-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

The Windows Registry location `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set. This analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility. diff --git a/docs/analytics/CAR-2014-11-004/index.md b/docs/analytics/CAR-2014-11-004/index.md index 38d07b19..2ba04b40 100644 --- a/docs/analytics/CAR-2014-11-004/index.md +++ b/docs/analytics/CAR-2014-11-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

According to [ATT&CK](https://attack.mitre.org/), [PowerShell](https://attack.mitre.org/techniques/T1059/001) can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command `Enter-PSSession -ComputerName \` creates a remote PowerShell session. diff --git a/docs/analytics/CAR-2014-11-005/index.md b/docs/analytics/CAR-2014-11-005/index.md index b2e760a4..49e6d432 100644 --- a/docs/analytics/CAR-2014-11-005/index.md +++ b/docs/analytics/CAR-2014-11-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

An adversary can remotely [manipulate the registry](https://attack.mitre.org/techniques/T1112) of another machine if the RemoteRegistry service is enabled and valid credentials are obtained. While the registry is remotely accessed, it can be used to prepare a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique, [discover](https://attack.mitre.org/tactics/TA0007) the configuration of a host, achieve [Persistence](https://attack.mitre.org/tactics/TA0003), or anything that aids an adversary in achieving the mission. Like most ATT&CK techniques, this behavior can be used legitimately, and the reliability of an analytic depends on the proper identification of the pre-existing legitimate behaviors. Although this behavior is disabled in many Windows configurations, it is possible to [remotely enable](https://attack.mitre.org/techniques/T1569/002) the RemoteRegistry service, which can be detected with [CAR-2014-03-005](../CAR-2014-03-005). Remote access to the registry can be achieved via diff --git a/docs/analytics/CAR-2014-11-006/index.md b/docs/analytics/CAR-2014-11-006/index.md index dc76813a..783d529e 100644 --- a/docs/analytics/CAR-2014-11-006/index.md +++ b/docs/analytics/CAR-2014-11-006/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows --- - - +

When a [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) connection is opened, the client sends HTTP requests to port 5985 for HTTP or 5986 for HTTPS on the target host. Each HTTP(S) request to the URI "/wsman" is called, and other information is set in the headers. Depending on the operation, the HTTP method may vary (i.e., GET, POST, etc.). This analytic would detect Remote PowerShell, as well as other communications that rely on WinRM. Additionally, it outputs the executable on the client host, the connection information, and the hostname of the target host. diff --git a/docs/analytics/CAR-2014-11-007/index.md b/docs/analytics/CAR-2014-11-007/index.md index 7b3b9466..1b37f562 100644 --- a/docs/analytics/CAR-2014-11-007/index.md +++ b/docs/analytics/CAR-2014-11-007/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

As described in ATT&CK, an adversary can use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to view or manipulate objects on a remote host. It can be used to remotely edit configuration, start services, query files, and anything that can be done with a WMI class. When remote WMI requests are over RPC ([CAR-2014-05-001](../CAR-2014-05-001)), it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as [Event Tracing for Windows](https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803.aspx). Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected. Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. diff --git a/docs/analytics/CAR-2014-11-008/index.md b/docs/analytics/CAR-2014-11-008/index.md index fe2db043..6f4d4188 100644 --- a/docs/analytics/CAR-2014-11-008/index.md +++ b/docs/analytics/CAR-2014-11-008/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

An adversary can use [accessibility features](https://attack.mitre.org/techniques/T1546/008) (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within [Remote Desktop](https://attack.mitre.org/techniques/T1021/001). To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of `cmd.exe` or `powershell.exe` launched directly from the logon process, `winlogon.exe`. It should be used in tandem with [CAR-2014-11-003](../CAR-2014-11-003), which detects the accessibility programs in the command line. Several accessibility programs can be run using the Ease of Access center diff --git a/docs/analytics/CAR-2014-12-001/index.md b/docs/analytics/CAR-2014-12-001/index.md index daec6f5f..4058fd4a 100644 --- a/docs/analytics/CAR-2014-12-001/index.md +++ b/docs/analytics/CAR-2014-12-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Adversaries can use [Windows Management Instrumentation (WMI)](https://attack.mitre.org/techniques/T1047) to move laterally by launching executables remotely. For adversaries to achieve this, they must open a WMI connection to a remote host. This RPC activity is currently detected by [CAR-2014-11-007](../CAR-2014-11-007). After the WMI connection has been initialized, a process can be remotely launched using the command: `wmic /node:"" process call create ""`, which is detected via [CAR-2016-03-002](../CAR-2016-03-002). This leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the the remote machine. diff --git a/docs/analytics/CAR-2015-04-001/index.md b/docs/analytics/CAR-2015-04-001/index.md index 5021fabd..02b2afb1 100644 --- a/docs/analytics/CAR-2015-04-001/index.md +++ b/docs/analytics/CAR-2015-04-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

When AT.exe is used to remotely [schedule tasks](https://attack.mitre.org/techniques/T1053), Windows uses named pipes over [SMB](https://en.wikipedia.org/wiki/Server_Message_Block) to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe "ATSVC" is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention `C:\Windows\System32\AT`. Unlike [CAR-2013-05-004](../CAR-2013-05-004), this analytic specifically focuses on uses of AT that can be detected between hosts, indicating remotely gained [execution](https://attack.mitre.org/tactics/TA0002). This pipe activity could be discovered with a network decoder, such as that in wireshark, that can inspect SMB traffic to identify the use of pipes. It could also be detected by looking for raw packet capture streams or from a custom sensor on the host that hooks the appropriate API functions. If no network or API level of visibility is possible, this traffic may inferred by looking at SMB connections over 445/tcp followed by the creation of files matching the pattern `C:\Windows\System32\AT\`. @@ -19,7 +18,7 @@ This pipe activity could be discovered with a network decoder, such as that in w |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At (Windows)](https://attack.mitre.org/techniques/T1053/002/)|[Execution](https://attack.mitre.org/tactics/TA0002/)|Moderate| +|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At](https://attack.mitre.org/techniques/T1053/002/)|[Execution](https://attack.mitre.org/tactics/TA0002/)|Moderate| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2015-04-002/index.md b/docs/analytics/CAR-2015-04-002/index.md index 3de33820..fb341a20 100644 --- a/docs/analytics/CAR-2015-04-002/index.md +++ b/docs/analytics/CAR-2015-04-002/index.md 
@@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

An adversary can [move laterally](https://attack.mitre.org/tactics/TA0008) using the `schtasks` command to remotely [schedule tasks/jobs](https://attack.mitre.org/techniques/T1053). Although these events can be detected with command line analytics [CAR-2013-08-001](../CAR-2013-08-001), it is possible for an adversary to use the API directly, via the Task Scheduler GUI or with a scripting language such as [PowerShell](https://attack.mitre.org/techniques/T1059/001). In this cases, an additional source of data becomes necessary to detect adversarial behavior. When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established ([CAR-2014-05-001](../CAR-2014-05-001)), the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified. Certain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats diff --git a/docs/analytics/CAR-2015-07-001/index.md b/docs/analytics/CAR-2015-07-001/index.md index 67c7d653..24371e7c 100644 --- a/docs/analytics/CAR-2015-07-001/index.md +++ b/docs/analytics/CAR-2015-07-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Once a credential dumper like [mimikatz](https://attack.mitre.org/software/S0002) runs, every user logged on since boot is potentially compromised, because the credentials were accessed via the memory of `lsass.exe`. When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons. The time field indicates the first and last time a system reported a user logged into a given system. This means that activity could be intermittent between the times given and should not be considered a duration. diff --git a/docs/analytics/CAR-2016-03-001/index.md b/docs/analytics/CAR-2016-03-001/index.md index 66fd553e..f58cdb2e 100644 --- a/docs/analytics/CAR-2016-03-001/index.md +++ b/docs/analytics/CAR-2016-03-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

When entering on a host for the first time, an adversary may try to [discover](https://attack.mitre.org/tactics/TA0007) information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when [establishing persistence](https://attack.mitre.org/tactics/TA0003), [escalating privileges](https://attack.mitre.org/tactics/TA0004), or [moving laterally](https://attack.mitre.org/tactics/TA0008). Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically. diff --git a/docs/analytics/CAR-2016-03-002/index.md b/docs/analytics/CAR-2016-03-002/index.md index 0df1cf0f..9cd3fac9 100644 --- a/docs/analytics/CAR-2016-03-002/index.md +++ b/docs/analytics/CAR-2016-03-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Adversaries may use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to move laterally, by launching executables remotely.The analytic [CAR-2014-12-001](../CAR-2014-12-001) describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility `wmic.exe` is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like `wmic.exe /node:"\" process call create "\"`. It is possible to also connect via IP address, in which case the string `"\"` would instead look like `IP Address`. Although this analytic was created after [CAR-2014-12-001](../CAR-2014-12-001), it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility [PowerShell](https://attack.mitre.org/T1059/001). diff --git a/docs/analytics/CAR-2016-04-002/index.md b/docs/analytics/CAR-2016-04-002/index.md index be7ca2cc..830b4277 100644 --- a/docs/analytics/CAR-2016-04-002/index.md +++ b/docs/analytics/CAR-2016-04-002/index.md @@ -3,21 +3,23 @@ title: "CAR-2016-04-002: User Activity from Clearing Event Logs" layout: analytic submission_date: 2016/04/14 information_domain: Host -subtypes: Event Records +subtypes: Event Records, Process analytic_type: Anomaly -contributors: MITRE/NSA +contributors: MITRE/NSA, Cyware Labs, Lucas Heiligenstein applicable_platforms: Windows, Linux, macOS --- +

+It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. 1. This is often done using `wevtutil`, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. 2. Alerting when a `Clear Event Log` is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk. 3. Attackers may set the option of the sources of events with `Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite` to not delete old Evenlog when the .evtx is full. By default the Security Log size is configured with the minimum value of 20 480KB (~23 000 EventLog). So if this option is enabled, all the new EventLogs will be automatically deleted. We can detect this behavior with the Security EventLog 1104. 4. Attackers may delete .evtx with `del C:\Windows\System32\winevt\logs\Security.evtx` or `Remove-Item C:\Windows\System32\winevt\logs\Security.evtx` after having disabled and stopped the Eventlog service. As the EventLog service is disabled and stopped, the .evtx files are no longer used by this service and can be deleted. The new EventLog will be Unavailable until the configuration is reset. 5. Attackers may use the powershell command `Remove-EventLog -LogName Security` to unregister source of events that are part of Windows (Application, Security…). 
This command deletes the security EventLog (which also generates EventId 1102) but the new Eventlogs are still recorded until the system is rebooted . After the System is rebooted, the Security log is unregistered and doesn’t log any new Eventlog. However logs generated between the command and the reboot are still available in the .evtx file. - -It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a "Clear Event Log" is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk. +#### References +https://ptylu.github.io/content/report/report.html?report=26 ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Indicator Removal on Host](https://attack.mitre.org/techniques/T1070/)|[Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| +|[Indicator Removal](https://attack.mitre.org/techniques/T1070/)|[Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| ### D3FEND Techniques 
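Review bot: In the CAR-2016-04-002 description hunk, the five numbered items ("1. This is often done using `wevtutil`..." through "5. Attackers may use the powershell command...") are run together inside a single paragraph, so markdown will not render them as a list; put each item on its own line with a blank line before the first one. While touching that text: "Evenlog" in item 3 should read "EventLog", and the sentence "So if this option is enabled, all the new EventLogs will be automatically deleted" is misleading, since `-OverflowAction DoNotOverwrite` causes new events to be discarded rather than recorded once the log is full, not deleted; say what Event ID 1104 signals (the log is full) so the reader knows why it is the detection hook for this case. The new "#### References" section uses a bare URL; give it a markdown link with a title, consistent with the links used elsewhere on the page.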
@@ -28,17 +30,24 @@ It is unlikely that event log data would be cleared during normal operations, an +### Data Model References + +|Object|Action|Field| +|---|---|---| +|[process](/data_model/process) | [create](/data_model/process#create) | [command_line](/data_model/process#command_line) | + ### Implementations -#### Pseudocode +#### PseudoCode for dedicated EventID EventLog deletion (Pseudocode) + When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For Security logs, its event code 1100 and 1102. For System logs, it is event code 104. ``` -([log_name] == "Security" and [event_code] in [1100, 1102]) or +([log_name] == "Security" and [event_code] in [1100, 1102, 1104]) or ([log_name] == "System" and [event_code] == 104) ``` @@ -57,7 +66,8 @@ When an eventlog is cleared, a new event is created that alerts that the eventlo -#### Logpoint +#### LogPoint version of the above pseudocode. (Logpoint) + LogPoint version of the above pseudocode. 
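Review bot: The pseudocode hunk adds 1104 to the Security branch (`[event_code] in [1100, 1102, 1104]`) but the explanatory sentence directly above it still reads "For Security logs, its event code 1100 and 1102", and the Logpoint query shown in the next hunk's context is still `event_id IN [1100,1102]`; update the sentence and the Logpoint implementation together so the three stay consistent. Note also that 1104 is not a clear-log event: it fires when the Security log fills under a DoNotOverwrite policy, so it does not belong under a heading that reads "dedicated EventID EventLog deletion" without a sentence saying it covers the `Limit-EventLog` case from item 3 of the description. The new headings "#### PseudoCode for dedicated EventID EventLog deletion (Pseudocode)" and "#### LogPoint version of the above pseudocode. (Logpoint)" look as if the implementation's name field was filled with its description text; the second one now repeats the body line "LogPoint version of the above pseudocode." word for word. Keep the headings short (for example "#### Pseudocode" and "#### Logpoint", as before the change) and leave the descriptive sentence in the body.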
@@ -67,13 +77,22 @@ norm_id=WinServer ((channel="Security" event_id IN [1100,1102]) OR (channel="Sys ``` +#### Splunk search - Detecting log clearing with wevtutil (Splunk, Sysmon native) + + +This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs. + + +``` +index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 (Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog) +``` + + ### Unit Tests #### Test Case 1 -**Configurations:** Windows 7 - You can use the powershell cmdlet “Clear-Eventlog” to clear event logs. Open Powershell as administrator and execute Clear-Eventlog `Clear-EventLog [-LogName] \`. [Additional information here](https://technet.microsoft.com/en-us/library/hh849789.aspx). ``` @@ -81,4 +100,29 @@ Clear-Eventlog Security Clear-Eventlog System ``` +#### Test Case 2 + +Command to not Overwrite old EventLog + +``` +Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite +``` + +#### Test Case 3 + +Cmd and Powershell command to delete EventLog (only possible after turning off the EventLog service) + +``` +del C:\Windows\System32\winevt\logs\Security.evtx +Remove-Item C:\Windows\System32\winevt\logs\Security.evtx +``` + +#### Test Case 4 + +Unregister EventLog source + +``` +Remove-EventLog -LogName Security +``` + diff --git a/docs/analytics/CAR-2016-04-003/index.md b/docs/analytics/CAR-2016-04-003/index.md index da137cea..ea1ed9b3 100644 --- a/docs/analytics/CAR-2016-04-003/index.md +++ b/docs/analytics/CAR-2016-04-003/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE/NSA applicable_platforms: Windows --- - - +
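Review bot: The Splunk search in the CAR-2016-04-002 implementations hunk has an operator-precedence problem: the branches `OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog` sit outside the parentheses that hold the `Image=*wevtutil*` terms, and since AND binds tighter than OR in SPL, `index=...`, `sourcetype=...` and `EventCode=1` apply only to the first branch; the remaining branches run as unscoped free-text searches over every index the user can read. Wrap the whole alternation in one set of parentheses after `EventCode=1` and match the cmdlets against the field, e.g. `CommandLine="*Clear-EventLog*" OR CommandLine="*Remove-EventLog*" OR (CommandLine="*Remove-Item*" CommandLine="*.evtx*")`, rather than as bare terms. The `wevtutil` branch's `CommandLine=*cl*` matches any command line containing the letters "cl"; it is scoped by `Image=*wevtutil*` so it is tolerable, but a comment that it is meant to catch both `cl` and `clear-log` would help the next reader. In the unit tests, Test Case 3's `del C:\Windows\System32\winevt\logs\Security.evtx` is not matched by any implementation on the page (the pseudocode keys on 1100/1102/1104 and the Splunk search only looks for `Remove-Item AND .evtx`), so either add the `del` form to the search or state in the test which implementation is expected to fire; Test Case 2 likewise only produces the 1104 event once the log fills, which the test text should say so that a tester does not expect an immediate hit.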

Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation. Stopping services events are Windows Event Code 7036. diff --git a/docs/analytics/CAR-2016-04-004/index.md b/docs/analytics/CAR-2016-04-004/index.md index e35b429e..87162383 100644 --- a/docs/analytics/CAR-2016-04-004/index.md +++ b/docs/analytics/CAR-2016-04-004/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE/NSA applicable_platforms: Windows --- - - +

The successful use of [Pass The Hash](https://attack.mitre.org/techniques/T1550/002/) for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account. diff --git a/docs/analytics/CAR-2016-04-005/index.md b/docs/analytics/CAR-2016-04-005/index.md index adb10ba0..1950f251 100644 --- a/docs/analytics/CAR-2016-04-005/index.md +++ b/docs/analytics/CAR-2016-04-005/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE/NSA applicable_platforms: Windows --- - - +

A remote desktop logon, through [RDP](https://attack.mitre.org/techniques/T1021/001), may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary. diff --git a/docs/analytics/CAR-2019-04-001/index.md b/docs/analytics/CAR-2019-04-001/index.md index fa51f619..c94f5997 100644 --- a/docs/analytics/CAR-2019-04-001/index.md +++ b/docs/analytics/CAR-2019-04-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source [UACME](https://github.com/hfiref0x/UACME) tool. diff --git a/docs/analytics/CAR-2019-04-002/index.md b/docs/analytics/CAR-2019-04-002/index.md index 994afe6b..bfc4d74b 100644 --- a/docs/analytics/CAR-2019-04-002/index.md +++ b/docs/analytics/CAR-2019-04-002/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows --- - - +

Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually. @@ -17,7 +16,7 @@ Regsvr32 can be used to execute arbitrary code in the context of a Windows signe |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Regsvr32](https://attack.mitre.org/techniques/T1218/010/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| +|[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Regsvr32](https://attack.mitre.org/techniques/T1218/010/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2019-04-003/index.md b/docs/analytics/CAR-2019-04-003/index.md index 08d03a0c..b2ec47b1 100644 --- a/docs/analytics/CAR-2019-04-003/index.md +++ b/docs/analytics/CAR-2019-04-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS. Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible. @@ -22,7 +21,7 @@ As usual, credit to Roberto Rodriguez and the [ThreatHunter Playbook](https://gi |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Regsvr32](https://attack.mitre.org/techniques/T1218/010/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| +|[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Regsvr32](https://attack.mitre.org/techniques/T1218/010/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2019-04-004/index.md b/docs/analytics/CAR-2019-04-004/index.md index 010132aa..325ac168 100644 --- a/docs/analytics/CAR-2019-04-004/index.md +++ b/docs/analytics/CAR-2019-04-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Credential dumpers like Mimikatz can be loaded into memory and from there read data from another processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are “overtuned” to look for common access patterns used by Mimikatz. *This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn’t have a CAR data model mapping, since we currently lack any open/access actions for Processes. If this changes, we will update the data model requirements.* diff --git a/docs/analytics/CAR-2019-07-001/index.md b/docs/analytics/CAR-2019-07-001/index.md index 97734adc..013dfc51 100644 --- a/docs/analytics/CAR-2019-07-001/index.md +++ b/docs/analytics/CAR-2019-07-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: Meric Degirmenci, MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions. Note - this analytic references file permissions, which are not currently in the CAR data model. diff --git a/docs/analytics/CAR-2019-07-002/index.md b/docs/analytics/CAR-2019-07-002/index.md index b2a9e3d8..72858330 100644 --- a/docs/analytics/CAR-2019-07-002/index.md +++ b/docs/analytics/CAR-2019-07-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Kaushal Parikh/Cyware Labs, Tony Lambert/Red Canary, MITRE applicable_platforms: Windows --- - - +

[ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name. diff --git a/docs/analytics/CAR-2019-08-001/index.md b/docs/analytics/CAR-2019-08-001/index.md index b680c3b2..0d727545 100644 --- a/docs/analytics/CAR-2019-08-001/index.md +++ b/docs/analytics/CAR-2019-08-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Tony Lambert/Red Canary applicable_platforms: Windows --- - - +

The Windows Task Manager may be used to dump the memory space of `lsass.exe` to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting `lsass.exe`, and clicking "Create dump file". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped. This requires filesystem data to determine whether files have been created. diff --git a/docs/analytics/CAR-2019-08-002/index.md b/docs/analytics/CAR-2019-08-002/index.md index 51e635b8..f0fb91fd 100644 --- a/docs/analytics/CAR-2019-08-002/index.md +++ b/docs/analytics/CAR-2019-08-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Tony Lambert/Red Canary applicable_platforms: Windows --- - - +

The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching `ntdsutil.exe` as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, `ntds.dit`, to the specified folder path. This requires filesystem data to determine whether files have been created. diff --git a/docs/analytics/CAR-2020-04-001/index.md b/docs/analytics/CAR-2020-04-001/index.md index 7ea6ad41..34f8426c 100644 --- a/docs/analytics/CAR-2020-04-001/index.md +++ b/docs/analytics/CAR-2020-04-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: applicable_platforms: Windows --- - - +

This analytic has been deprecated in favor of [CAR-2021-01-009](/analytics/CAR-2021-01-009), which covers the same technique with some additional detections. diff --git a/docs/analytics/CAR-2020-05-001/index.md b/docs/analytics/CAR-2020-05-001/index.md index 3f95023f..add50eb2 100644 --- a/docs/analytics/CAR-2020-05-001/index.md +++ b/docs/analytics/CAR-2020-05-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyber National Mission Force (CNMF) applicable_platforms: Windows --- - - +

This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call [MiniDumpWriteDump](https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump). Tools like [SafetyKatz](https://github.com/GhostPack/SafetyKatz), [SafetyDump](https://github.com/m0rv4i/SafetyDump), and [Outflank-Dumpert](https://github.com/outflanknl/Dumpert) default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior. The analytic is based on a [Sigma analytic](https://github.com/NVISO-BE/sigma-public/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) contributed by Samir Bousseaden and written up in a [blog on MENASEC](https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html). It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in [CAR-2019-08-001](/analytics/CAR-2019-08-001/). In this iteration of the Sigma analytic, the `GrantedAccess` filter isn't included because it didn't seem to filter out any false positives and introduces the potential for evasion. diff --git a/docs/analytics/CAR-2020-05-003/index.md b/docs/analytics/CAR-2020-05-003/index.md index 0a3d8198..9d095cf7 100644 --- a/docs/analytics/CAR-2020-05-003/index.md +++ b/docs/analytics/CAR-2020-05-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyber National Mission Force (CNMF) applicable_platforms: Windows --- - - +

[LoLBAS](https://lolbas-project.github.io/) are binaries and scripts that are built in to Windows, frequently are signed by Microsoft, and may be used by an attacker. Some LoLBAS are used very rarely and it might be possible to alert every time they're used (this would depend on your environment), but many others are very common and can't be simply alerted on. This analytic takes all instances of LoLBAS execution and then looks for instances of command lines that are not normal in the environment. This can detect attackers (which will tend to need the binaries for something different than normal usage) but will also tend to have false positives. diff --git a/docs/analytics/CAR-2020-08-001/index.md b/docs/analytics/CAR-2020-08-001/index.md index 4b01d575..8f13ef62 100644 --- a/docs/analytics/CAR-2020-08-001/index.md +++ b/docs/analytics/CAR-2020-08-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because they can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using system utilities such as powershell. #### References diff --git a/docs/analytics/CAR-2020-08-002/index.md b/docs/analytics/CAR-2020-08-002/index.md index 43592b71..a53a38fb 100644 --- a/docs/analytics/CAR-2020-08-002/index.md +++ b/docs/analytics/CAR-2020-08-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because their contents can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using Living off the Land Binaries and Scripts (LOLBAS). #### References diff --git a/docs/analytics/CAR-2020-09-001/index.md b/docs/analytics/CAR-2020-09-001/index.md index cdd11183..5363b961 100644 --- a/docs/analytics/CAR-2020-09-001/index.md +++ b/docs/analytics/CAR-2020-09-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: Olaf Hartong applicable_platforms: Windows --- - - +

In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations. diff --git a/docs/analytics/CAR-2020-09-002/index.md b/docs/analytics/CAR-2020-09-002/index.md index 05870ca6..453072c5 100644 --- a/docs/analytics/CAR-2020-09-002/index.md +++ b/docs/analytics/CAR-2020-09-002/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this analytic looks for any changes under these keys. diff --git a/docs/analytics/CAR-2020-09-003/index.md b/docs/analytics/CAR-2020-09-003/index.md index c806e823..ec2492d4 100644 --- a/docs/analytics/CAR-2020-09-003/index.md +++ b/docs/analytics/CAR-2020-09-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers. diff --git a/docs/analytics/CAR-2020-09-004/index.md b/docs/analytics/CAR-2020-09-004/index.md index 1b665456..02c9710c 100644 --- a/docs/analytics/CAR-2020-09-004/index.md +++ b/docs/analytics/CAR-2020-09-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as [PowerSploit](https://powersploit.readthedocs.io/en/latest/) in order to dump credentials from various applications such as IIS.Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several powersploit modules with similar functionality. diff --git a/docs/analytics/CAR-2020-09-005/index.md b/docs/analytics/CAR-2020-09-005/index.md index 8d0eeb27..f5b226a5 100644 --- a/docs/analytics/CAR-2020-09-005/index.md +++ b/docs/analytics/CAR-2020-09-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` or `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse. diff --git a/docs/analytics/CAR-2020-11-001/index.md b/docs/analytics/CAR-2020-11-001/index.md index 9f6d64ee..881b48b4 100755 --- a/docs/analytics/CAR-2020-11-001/index.md +++ b/docs/analytics/CAR-2020-11-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\Environment*UserInitMprLogonScript*. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. diff --git a/docs/analytics/CAR-2020-11-002/index.md b/docs/analytics/CAR-2020-11-002/index.md index f0156be0..11c8bef6 100755 --- a/docs/analytics/CAR-2020-11-002/index.md +++ b/docs/analytics/CAR-2020-11-002/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. This analytic looks for the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy. diff --git a/docs/analytics/CAR-2020-11-003/index.md b/docs/analytics/CAR-2020-11-003/index.md index 6325d7c9..5195e8c1 100755 --- a/docs/analytics/CAR-2020-11-003/index.md +++ b/docs/analytics/CAR-2020-11-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic. diff --git a/docs/analytics/CAR-2020-11-004/index.md b/docs/analytics/CAR-2020-11-004/index.md index 1c055207..4a286dcf 100755 --- a/docs/analytics/CAR-2020-11-004/index.md +++ b/docs/analytics/CAR-2020-11-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discepency. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event. diff --git a/docs/analytics/CAR-2020-11-005/index.md b/docs/analytics/CAR-2020-11-005/index.md index 7d3fc4ac..6b29102e 100755 --- a/docs/analytics/CAR-2020-11-005/index.md +++ b/docs/analytics/CAR-2020-11-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. Note that the command to remove the history file directly may very a bit if the history file is not saved in the default path on a particular system. @@ -17,7 +16,7 @@ Adversaries may attempt to conceal their tracks by deleting the history of comma |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Indicator Removal on Host](https://attack.mitre.org/techniques/T1070/)|[Clear Command History](https://attack.mitre.org/techniques/T1070/003/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| +|[Indicator Removal](https://attack.mitre.org/techniques/T1070/)|[Clear Command History](https://attack.mitre.org/techniques/T1070/003/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2020-11-006/index.md b/docs/analytics/CAR-2020-11-006/index.md index 90c5d954..4531700e 100755 --- a/docs/analytics/CAR-2020-11-006/index.md +++ b/docs/analytics/CAR-2020-11-006/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives. diff --git a/docs/analytics/CAR-2020-11-007/index.md b/docs/analytics/CAR-2020-11-007/index.md index 877c6baf..57d88e48 100755 --- a/docs/analytics/CAR-2020-11-007/index.md +++ b/docs/analytics/CAR-2020-11-007/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may use network shares to exfliltrate date; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via commandline, which is otherwise a rare event. @@ -17,7 +16,7 @@ Adversaries may use network shares to exfliltrate date; they will then remove th |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Indicator Removal on Host](https://attack.mitre.org/techniques/T1070/)|[Network Share Connection Removal](https://attack.mitre.org/techniques/T1070/005/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| +|[Indicator Removal](https://attack.mitre.org/techniques/T1070/)|[Network Share Connection Removal](https://attack.mitre.org/techniques/T1070/005/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2020-11-008/index.md b/docs/analytics/CAR-2020-11-008/index.md index bace94ce..0915aec5 100755 --- a/docs/analytics/CAR-2020-11-008/index.md +++ b/docs/analytics/CAR-2020-11-008/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variaty of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio. diff --git a/docs/analytics/CAR-2020-11-009/index.md b/docs/analytics/CAR-2020-11-009/index.md index baf1d569..ef6ee340 100755 --- a/docs/analytics/CAR-2020-11-009/index.md +++ b/docs/analytics/CAR-2020-11-009/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic. @@ -17,7 +16,7 @@ Adversaries may hide malicious code in .chm compiled HTML files. When these file |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Compiled HTML File](https://attack.mitre.org/techniques/T1218/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| +|[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Compiled HTML File](https://attack.mitre.org/techniques/T1218/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2020-11-010/index.md b/docs/analytics/CAR-2020-11-010/index.md index 9b29504d..800a6add 100755 --- a/docs/analytics/CAR-2020-11-010/index.md +++ b/docs/analytics/CAR-2020-11-010/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong, MITRE applicable_platforms: Windows --- - - +

CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to setup listeners that will receive and install malware from remote sources in trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP. @@ -18,7 +17,7 @@ When CMSTP.exe is seen in combination with an external connection, it is a good |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[CMSTP](https://attack.mitre.org/techniques/T1218/003/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| +|[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[CMSTP](https://attack.mitre.org/techniques/T1218/003/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2020-11-011/index.md b/docs/analytics/CAR-2020-11-011/index.md index 0c9a1f08..756d02c2 100755 --- a/docs/analytics/CAR-2020-11-011/index.md +++ b/docs/analytics/CAR-2020-11-011/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs. diff --git a/docs/analytics/CAR-2021-01-001/index.md b/docs/analytics/CAR-2021-01-001/index.md index 0e643152..45c95617 100644 --- a/docs/analytics/CAR-2021-01-001/index.md +++ b/docs/analytics/CAR-2021-01-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: Cyware Labs applicable_platforms: Windows, Linux --- - - +

After compromising an initial machine, adversaries commonly attempt to laterally move across the network. The first step to attempt the lateral movement often involves conducting host identification, port and service scans on the internal network via the compromised machine using tools such as Nmap, Cobalt Strike, etc. @@ -17,7 +16,7 @@ After compromising an initial machine, adversaries commonly attempt to laterally |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Network Service Scanning](https://attack.mitre.org/techniques/T1046/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Moderate| +|[Network Service Discovery](https://attack.mitre.org/techniques/T1046/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Moderate| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2021-01-002/index.md b/docs/analytics/CAR-2021-01-002/index.md index 9404e5bf..42fddd25 100644 --- a/docs/analytics/CAR-2021-01-002/index.md +++ b/docs/analytics/CAR-2021-01-002/index.md @@ -8,8 +8,7 @@ analytic_type: Anomaly contributors: Cyware Labs applicable_platforms: Windows --- - - +

Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands. diff --git a/docs/analytics/CAR-2021-01-003/index.md b/docs/analytics/CAR-2021-01-003/index.md index 3199c4f5..ce77d77c 100644 --- a/docs/analytics/CAR-2021-01-003/index.md +++ b/docs/analytics/CAR-2021-01-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyware Labs applicable_platforms: Windows --- - - +

In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. @@ -17,7 +16,7 @@ In an attempt to clear traces after compromising a machine, threat actors often |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Indicator Removal on Host](https://attack.mitre.org/techniques/T1070/)|[Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| +|[Indicator Removal](https://attack.mitre.org/techniques/T1070/)|[Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2021-01-004/index.md b/docs/analytics/CAR-2021-01-004/index.md index 394efed8..7aaac00c 100644 --- a/docs/analytics/CAR-2021-01-004/index.md +++ b/docs/analytics/CAR-2021-01-004/index.md @@ -8,8 +8,7 @@ analytic_type: Anomaly contributors: Cyware Labs applicable_platforms: Windows --- - - +

After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity. diff --git a/docs/analytics/CAR-2021-01-006/index.md b/docs/analytics/CAR-2021-01-006/index.md index 47ed0621..aeb988af 100644 --- a/docs/analytics/CAR-2021-01-006/index.md +++ b/docs/analytics/CAR-2021-01-006/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyware Labs applicable_platforms: Windows --- - - +

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. diff --git a/docs/analytics/CAR-2021-01-007/index.md b/docs/analytics/CAR-2021-01-007/index.md index 363df542..96f4c91b 100644 --- a/docs/analytics/CAR-2021-01-007/index.md +++ b/docs/analytics/CAR-2021-01-007/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyware Labs applicable_platforms: Windows --- - - +

In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. diff --git a/docs/analytics/CAR-2021-01-008/index.md b/docs/analytics/CAR-2021-01-008/index.md index 4e9e3d6f..6acda7f9 100644 --- a/docs/analytics/CAR-2021-01-008/index.md +++ b/docs/analytics/CAR-2021-01-008/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyware Labs applicable_platforms: Windows --- - - +

Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using “reg.exe”, a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system. diff --git a/docs/analytics/CAR-2021-01-009/index.md b/docs/analytics/CAR-2021-01-009/index.md index f696a43b..da8c6b20 100644 --- a/docs/analytics/CAR-2021-01-009/index.md +++ b/docs/analytics/CAR-2021-01-009/index.md @@ -9,8 +9,7 @@ analytic_type: TTP contributors: Cyware Labs, Lucas Heiligenstein applicable_platforms: Windows --- - - +

After compromising a network of systems, threat actors often try to delete/resize Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. This action is often employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudo code detection focus on Windows Security and Sysmon process creation (4688 and 1). The use of wmic to delete shadow copy generates WMI-Activity Operationnal 5857 event and could generate 5858 (if the operation fails). These 2 EventIDs could be interesting when attackers use wmic without process creation and/or for forensics. diff --git a/docs/analytics/CAR-2021-02-001/index.md b/docs/analytics/CAR-2021-02-001/index.md index b8d53e57..99a8ff0c 100644 --- a/docs/analytics/CAR-2021-02-001/index.md +++ b/docs/analytics/CAR-2021-02-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Nichols Jasper applicable_platforms: Windows --- - - +

A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment. diff --git a/docs/analytics/CAR-2021-02-002/index.md b/docs/analytics/CAR-2021-02-002/index.md index 27084fc6..b19db756 100644 --- a/docs/analytics/CAR-2021-02-002/index.md +++ b/docs/analytics/CAR-2021-02-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Sebastien Damaye applicable_platforms: Windows --- - - +

Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques. diff --git a/docs/analytics/CAR-2021-04-001/index.md b/docs/analytics/CAR-2021-04-001/index.md index 13206a2c..791d82ca 100644 --- a/docs/analytics/CAR-2021-04-001/index.md +++ b/docs/analytics/CAR-2021-04-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Sebastien Damaye applicable_platforms: Windows --- - - +

[Masquerading (T1036)](https://attack.mitre.org/techniques/T1036/) is defined by ATT&CK as follows: "Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names." diff --git a/docs/analytics/CAR-2021-05-001/index.md b/docs/analytics/CAR-2021-05-001/index.md index bcfff05a..6b904bb5 100644 --- a/docs/analytics/CAR-2021-05-001/index.md +++ b/docs/analytics/CAR-2021-05-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. This action may be the precursor to malicious activity. diff --git a/docs/analytics/CAR-2021-05-002/index.md b/docs/analytics/CAR-2021-05-002/index.md index fe0865a1..45d39dba 100644 --- a/docs/analytics/CAR-2021-05-002/index.md +++ b/docs/analytics/CAR-2021-05-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions. diff --git a/docs/analytics/CAR-2021-05-003/index.md b/docs/analytics/CAR-2021-05-003/index.md index 4ab5bbf8..54242317 100644 --- a/docs/analytics/CAR-2021-05-003/index.md +++ b/docs/analytics/CAR-2021-05-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery. diff --git a/docs/analytics/CAR-2021-05-004/index.md b/docs/analytics/CAR-2021-05-004/index.md index 009eed82..301bea27 100644 --- a/docs/analytics/CAR-2021-05-004/index.md +++ b/docs/analytics/CAR-2021-05-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. diff --git a/docs/analytics/CAR-2021-05-005/index.md b/docs/analytics/CAR-2021-05-005/index.md index 0f7b9824..1e5ac427 100644 --- a/docs/analytics/CAR-2021-05-005/index.md +++ b/docs/analytics/CAR-2021-05-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. diff --git a/docs/analytics/CAR-2021-05-006/index.md b/docs/analytics/CAR-2021-05-006/index.md index 2b95ce18..3eff2abb 100644 --- a/docs/analytics/CAR-2021-05-006/index.md +++ b/docs/analytics/CAR-2021-05-006/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths.\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. diff --git a/docs/analytics/CAR-2021-05-007/index.md b/docs/analytics/CAR-2021-05-007/index.md index da8731a4..ff39d9e5 100644 --- a/docs/analytics/CAR-2021-05-007/index.md +++ b/docs/analytics/CAR-2021-05-007/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. diff --git a/docs/analytics/CAR-2021-05-008/index.md b/docs/analytics/CAR-2021-05-008/index.md index 5c56e905..5056e205 100644 --- a/docs/analytics/CAR-2021-05-008/index.md +++ b/docs/analytics/CAR-2021-05-008/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS. diff --git a/docs/analytics/CAR-2021-05-009/index.md b/docs/analytics/CAR-2021-05-009/index.md index 9fffa107..9ca808eb 100644 --- a/docs/analytics/CAR-2021-05-009/index.md +++ b/docs/analytics/CAR-2021-05-009/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. diff --git a/docs/analytics/CAR-2021-05-010/index.md b/docs/analytics/CAR-2021-05-010/index.md index d1b1304b..228547b8 100644 --- a/docs/analytics/CAR-2021-05-010/index.md +++ b/docs/analytics/CAR-2021-05-010/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

This search looks for the creation of local administrator accounts using net.exe. diff --git a/docs/analytics/CAR-2021-05-011/index.md b/docs/analytics/CAR-2021-05-011/index.md index 6e6b6514..6e0a2ef1 100644 --- a/docs/analytics/CAR-2021-05-011/index.md +++ b/docs/analytics/CAR-2021-05-011/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials. diff --git a/docs/analytics/CAR-2021-05-012/index.md b/docs/analytics/CAR-2021-05-012/index.md index cdd017be..fc7e0d6e 100644 --- a/docs/analytics/CAR-2021-05-012/index.md +++ b/docs/analytics/CAR-2021-05-012/index.md @@ -9,8 +9,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

This detection is to identify a creation of "user mode service" where the service file path is located in non-common service folder in windows. diff --git a/docs/analytics/CAR-2021-11-001/index.md b/docs/analytics/CAR-2021-11-001/index.md index bec2ed6f..18eb1c64 100644 --- a/docs/analytics/CAR-2021-11-001/index.md +++ b/docs/analytics/CAR-2021-11-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Lucas Heiligenstein applicable_platforms: Windows --- - - +

Detection of creation of registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. The key SafeDllSearchMode, if set to 0, will block the Windows mechanism for the search DLL order and adversaries may execute their own malicious dll. diff --git a/docs/analytics/CAR-2021-11-002/index.md b/docs/analytics/CAR-2021-11-002/index.md index ebd130b7..61b22c50 100644 --- a/docs/analytics/CAR-2021-11-002/index.md +++ b/docs/analytics/CAR-2021-11-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Lucas Heiligenstein applicable_platforms: Windows --- - - +

Detection of modification of the registry key values of `Notify`, `Userinit`, and `Shell` located in `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` and `HKEY_LOCAL_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\`. When a user logs on, the Registry key values of `Notify`, `Userinit` and `Shell` are used to load dedicated Windows component. Attackers may insert malicious payload following the legitimate value to launch a malicious payload. diff --git a/docs/analytics/CAR-2021-12-001/index.md b/docs/analytics/CAR-2021-12-001/index.md index 22eb641d..b7078c65 100644 --- a/docs/analytics/CAR-2021-12-001/index.md +++ b/docs/analytics/CAR-2021-12-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Lucas Heiligenstein applicable_platforms: Windows --- - - +

Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log. diff --git a/docs/analytics/CAR-2021-12-002/index.md b/docs/analytics/CAR-2021-12-002/index.md index bb1a9467..53fcf621 100644 --- a/docs/analytics/CAR-2021-12-002/index.md +++ b/docs/analytics/CAR-2021-12-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Lucas Heiligenstein applicable_platforms: Windows --- - - +

Detection of the modification of the registry key `Common Startup` located in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\`. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys. diff --git a/docs/analytics/CAR-2022-03-001/index.md b/docs/analytics/CAR-2022-03-001/index.md index 0b100f86..a10887d6 100644 --- a/docs/analytics/CAR-2022-03-001/index.md +++ b/docs/analytics/CAR-2022-03-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Lucas Heiligenstein applicable_platforms: Windows --- - - +

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections. There are different ways to perform this attack. 1. The first one is to create the Registry Key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt`. This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses powershell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise). 2. The second way is to disable the service EventLog (display name Windows Event Log). After disabed, attacker must reboot the system. The action of disabling or put in manual the service will modify the Registry Key value `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\start`, therefore Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md index 3ecf4011..e1445b68 100644 --- a/docs/analytics/by_technique/index.md +++ b/docs/analytics/by_technique/index.md @@ -28,6 +28,31 @@ permalink: /analytics/by_technique T1003.002: Security Account Manager + + T1007: System Service Discovery + (N/A - technique only) + + + + T1010: Application Window Discovery + (N/A - technique only) + + + + T1012: Query Registry + (N/A - technique only) + + + + T1016: System Network Configuration Discovery + (N/A - technique only) + + + + T1018: Remote System Discovery + (N/A - technique only) + + T1021: Remote Services (N/A - technique only) 
@@ -49,6 +74,16 @@ permalink: /analytics/by_technique T1021.006: Windows Remote Management + + T1029: Scheduled Transfer + (N/A - technique only) + + + + T1033: System Owner/User Discovery + (N/A - technique only) + + T1036: Masquerading (N/A - technique only) @@ -67,6 +102,31 @@ permalink: /analytics/by_technique T1037.001: Logon Script (Windows) + + T1039: Data from Network Shared Drive + (N/A - technique only) + + + + T1040: Network Sniffing + (N/A - technique only) + + + + T1046: Network Service Discovery + (N/A - technique only) + + + + T1047: Windows Management Instrumentation + (N/A - technique only) + + + + T1049: System Network Connections Discovery + (N/A - technique only) + + T1053: Scheduled Task/Job @@ -75,7 +135,7 @@ permalink: /analytics/by_technique - T1053.002: At (Windows) + T1053.002: At @@ -89,6 +149,11 @@ permalink: /analytics/by_technique T1055.001: Dynamic-link Library Injection + + T1057: Process Discovery + (N/A - technique only) + + T1059: Command and Scripting Interpreter (N/A - technique only) @@ -106,6 +171,11 @@ permalink: /analytics/by_technique T1059.001: PowerShell + + T1068: Exploitation for Privilege Escalation + (N/A - technique only) + + T1069: Permission Groups Discovery @@ -118,7 +188,7 @@ permalink: /analytics/by_technique - T1070: Indicator Removal on Host + T1070: Indicator Removal T1070.003: Clear Command History @@ -143,6 +213,11 @@ permalink: /analytics/by_technique T1078.003: Local Accounts + + T1082: System Information Discovery + (N/A - technique only) + + T1087: Account Discovery @@ -154,6 +229,21 @@ permalink: /analytics/by_technique T1087.002: Domain Account + + T1098: Account Manipulation + (N/A - technique only) + + + + T1105: Ingress Tool Transfer + (N/A - technique only) + + + + T1112: Modify Registry + (N/A - technique only) + + T1127: Trusted Developer Utilities Proxy Execution T1127.001: MSBuild 
@@ -164,13 +254,28 @@ permalink: /analytics/by_technique T1136.001: Local Account + + T1140: Deobfuscate/Decode Files or Information + (N/A - technique only) + + + + T1187: Forced Authentication + (N/A - technique only) + + + + T1197: BITS Jobs + (N/A - technique only) + + T1204: User Execution T1204.002: Malicious File - T1218: Signed Binary Proxy Execution + T1218: System Binary Proxy Execution T1218.010: Regsvr32 @@ -199,6 +304,11 @@ permalink: /analytics/by_technique T1222.002: Linux and Mac File and Directory Permissions Modification + + T1490: Inhibit System Recovery + (N/A - technique only) + + T1505: Server Software Component T1505.003: Web Shell @@ -257,7 +367,11 @@ permalink: /analytics/by_technique - T1548: Abuse Elevation Control Mechanism + T1548: Abuse Elevation Control Mechanism + (N/A - technique only) + + + T1548.002: Bypass User Account Control @@ -323,6 +437,11 @@ permalink: /analytics/by_technique T1569.002: Service Execution + + T1570: Lateral Tool Transfer + (N/A - technique only) + + T1574: Hijack Execution Flow diff --git a/docs/analytics/index.md b/docs/analytics/index.md index 80989bb7..ad04a76f 100644 --- a/docs/analytics/index.md +++ b/docs/analytics/index.md @@ -207,7 +207,7 @@ permalink: /analytics/ CAR-2014-03-006 RunDLL32.exe monitoring March 28 2014 - + Dnif, Logpoint, Pseudocode Windows @@ -351,8 +351,8 @@ permalink: /analytics/ CAR-2016-04-002 User Activity from Clearing Event Logs April 14 2016 - - Logpoint, Pseudocode, Sigma + + Logpoint, Pseudocode, Sigma, Splunk Windows, Linux, macOS @@ -391,7 +391,7 @@ permalink: /analytics/ CAR-2019-04-002 Generic Regsvr32 April 24 2019 - + Pseudocode, Splunk Windows @@ -399,7 +399,7 @@ permalink: /analytics/ CAR-2019-04-003 Squiblydoo April 24 2019 - + Eql, Logpoint, Psuedocode, Splunk Windows @@ -559,7 +559,7 @@ permalink: /analytics/ CAR-2020-11-005 Clear Powershell Console Command History November 30 2020 - + Logpoint, Pseudocode, Splunk Windows 
@@ -575,7 +575,7 @@ permalink: /analytics/ CAR-2020-11-007 Network Share Connection Removal November 30 2020 - + Logpoint, Pseudocode, Splunk Windows @@ -591,7 +591,7 @@ permalink: /analytics/ CAR-2020-11-009 Compiled HTML Access November 30 2020 - + Logpoint, Pseudocode, Splunk Windows @@ -599,7 +599,7 @@ permalink: /analytics/ CAR-2020-11-010 CMSTP November 30 2020 - + Logpoint, Pseudocode, Splunk Windows @@ -615,7 +615,7 @@ permalink: /analytics/ CAR-2021-01-001 Identifying Port Scanning Activity October 23 2020 - + Splunk Windows, Linux @@ -631,7 +631,7 @@ permalink: /analytics/ CAR-2021-01-003 Clearing Windows Logs with Wevtutil December 02 2020 - + Splunk Windows diff --git a/docs/car_attack/car_attack.json b/docs/car_attack/car_attack.json index a363f7e5..02432b5c 100644 --- a/docs/car_attack/car_attack.json +++ b/docs/car_attack/car_attack.json 
@@ -5,23 +5,22 @@ "domain": "mitre-enterprise", "techniques": [ { - "techniqueID": "T1490", + "techniqueID": "T1003", "color": "#c6dbef", - "comment": "CAR-2020-04-001: Shadow Copy Deletion", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1003", + "techniqueID": "T1003.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", + "enabled": true }, { "techniqueID": "T1003.001", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", "enabled": true }, { 
@@ -34,10 +33,36 @@ { "techniqueID": "T1105", "color": "#c6dbef", - "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1559", + "color": "#c6dbef", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1559.002", + "color": "#c6dbef", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "enabled": true + }, + { + "techniqueID": "T1606", + "color": "#c6dbef", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1606.002", + "color": "#c6dbef", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "enabled": true + }, { "techniqueID": "T1187", "color": "#c6dbef", 
@@ -48,20 +73,33 @@ { "techniqueID": "T1053", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true, "showSubtechniques": true }, { "techniqueID": "T1053.005", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", + "enabled": true + }, + { + "techniqueID": "T1070", + "color": "#c6dbef", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1070.003", + "color": "#c6dbef", + 
"comment": "CAR-2020-11-005: Clear Powershell Console Command History", "enabled": true }, { "techniqueID": "T1218", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", "enabled": true, "showSubtechniques": true }, @@ -84,10 +122,17 @@ "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1197", + "color": "#c6dbef", + "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", + "enabled": true, + "showSubtechniques": true + }, { "techniqueID": "T1546", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true, "showSubtechniques": true }, @@ -97,6 +142,12 @@ "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", "enabled": true }, + { + "techniqueID": "T1218.001", + "color": "#c6dbef", + "comment": "CAR-2020-11-009: Compiled HTML Access", + "enabled": true + }, { "techniqueID": "T1021.001", "color": "#c6dbef", 
@@ -106,7 +157,7 @@ { "techniqueID": "T1059", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", "enabled": true, "showSubtechniques": true }, @@ -116,10 +167,29 @@ "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", "enabled": true }, + { + "techniqueID": "T1569", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1569.001", + "color": "#c6dbef", + "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", + "enabled": true + }, + { + "techniqueID": "T1569.002", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "enabled": true + }, { "techniqueID": "T1570", "color": "#c6dbef", - "comment": "CAR-2014-03-001: SMB Write Request - NamedPipes", + "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", "enabled": true, "showSubtechniques": true }, 
@@ -139,7 +209,7 @@ { "techniqueID": "T1574", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true, "showSubtechniques": true }, @@ -150,16 +220,16 @@ "enabled": true }, { - "techniqueID": "T1569", + "techniqueID": "T1127", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1569.002", + "techniqueID": "T1127.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true }, { 
@@ -194,16 +264,69 @@ "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true }, + { + "techniqueID": "T1548", + "color": "#c6dbef", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", + "enabled": true, + "showSubtechniques": true + }, { "techniqueID": "T1021.002", "color": "#c6dbef", "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", "enabled": true }, + { + "techniqueID": "T1574.001", + "color": "#c6dbef", + "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "enabled": true + }, + { + "techniqueID": "T1112", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1055", + "color": "#c6dbef", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1055.012", + "color": "#c6dbef", + "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "enabled": true + }, + { + "techniqueID": "T1140", + "color": "#c6dbef", + "comment": "CAR-2021-05-009: CertUtil With Decode 
Argument", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1562", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1562.001", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", + "enabled": true + }, { "techniqueID": "T1036", "color": "#c6dbef", - "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names", + "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true, "showSubtechniques": true }, 
@@ -253,20 +376,20 @@ { "techniqueID": "T1069", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true, "showSubtechniques": true }, { "techniqueID": "T1069.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { "techniqueID": "T1069.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { 
@@ -276,17 +399,10 @@ "enabled": true, "showSubtechniques": true }, - { - "techniqueID": "T1112", - "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry", - "enabled": true, - "showSubtechniques": true - }, { "techniqueID": "T1574.011", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", "enabled": true }, { @@ -361,27 +477,14 @@ { "techniqueID": "T1046", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1562", - "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", "enabled": true, "showSubtechniques": true }, - { - "techniqueID": "T1562.001", - "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true - }, { "techniqueID": "T1562.006", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", "enabled": true }, { 
@@ -400,17 +503,23 @@ { "techniqueID": "T1012", "color": "#c6dbef", - "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1089", + "techniqueID": "T1204", "color": "#c6dbef", - "comment": "CAR-2016-04-003: User Activity from Stopping Windows Defensive Services", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1204.002", + "color": "#c6dbef", + "comment": "CAR-2021-05-002: Batch File Write to System32", + "enabled": true + }, { "techniqueID": "T1218.011", "color": "#c6dbef", @@ -418,11 +527,18 @@ "enabled": true }, { - "techniqueID": "T1003.003", + "techniqueID": "T1055.001", "color": "#c6dbef", - "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", "enabled": true }, + { + "techniqueID": "T1040", + "color": "#c6dbef", + "comment": "CAR-2020-11-002: Local Network Sniffing", + "enabled": true, + "showSubtechniques": true + }, { "techniqueID": "T1222", "color": "#c6dbef", 
@@ -443,12 +559,24 @@ "enabled": true }, { - "techniqueID": "T1551", + "techniqueID": "T1547", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1547.001", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "enabled": true + }, + { + "techniqueID": "T1070.001", + "color": "#c6dbef", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "enabled": true + }, { "techniqueID": "T1059.001", "color": "#c6dbef", 
@@ -456,16 +584,29 @@ "enabled": true }, { - "techniqueID": "T1547", + "techniqueID": "T1490", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell", + "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1547.001", + "techniqueID": "T1564", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1564.004", + "color": "#c6dbef", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "enabled": true + }, + { + "techniqueID": "T1546.015", + "color": "#c6dbef", + "comment": "CAR-2020-09-002: Component Object Model Hijacking", "enabled": true }, { @@ -477,7 +618,7 @@ { "techniqueID": "T1547.004", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", "enabled": true }, { 
@@ -513,20 +654,20 @@ { "techniqueID": "T1546.010", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", "enabled": true }, { "techniqueID": "T1037", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true, "showSubtechniques": true }, { "techniqueID": "T1037.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true }, { @@ -542,6 +683,12 @@ "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true }, + { + "techniqueID": "T1562.002", + "color": "#c6dbef", + "comment": "CAR-2022-03-001: Disable Windows Event Logging", + "enabled": true + }, { "techniqueID": "T1039", "color": "#c6dbef", 
@@ -550,29 +697,98 @@ "showSubtechniques": true }, { - "techniqueID": "T1055", + "techniqueID": "T1553", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1055.001", + "techniqueID": "T1553.004", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true }, { - "techniqueID": "T1548", + "techniqueID": "T1036.005", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass", + "comment": "CAR-2021-04-001: Common Windows Process Masquerading", + "enabled": true + }, + { + "techniqueID": "T1546.002", + "color": "#c6dbef", + "comment": "CAR-2020-11-011: Registry Edit from Screensaver", + "enabled": true + }, + { + "techniqueID": "T1070.005", + "color": "#c6dbef", + "comment": "CAR-2020-11-007: Network Share Connection Removal", + "enabled": true + }, + { + "techniqueID": "T1068", + "color": "#c6dbef", + "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1136", + "color": "#c6dbef", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1136.001", + "color": "#c6dbef", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true + }, { "techniqueID": "T1548.002", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", + "enabled": true + }, + { + "techniqueID": "T1552", + "color": "#c6dbef", + "comment": 
"CAR-2020-09-004: Credentials in Files & Registry", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1552.001", + "color": "#c6dbef", + "comment": "CAR-2020-09-004: Credentials in Files & Registry", + "enabled": true + }, + { + "techniqueID": "T1552.002", + "color": "#c6dbef", + "comment": "CAR-2020-09-004: Credentials in Files & Registry", + "enabled": true + }, + { + "techniqueID": "T1505", + "color": "#c6dbef", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1505.003", + "color": "#c6dbef", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "enabled": true + }, + { + "techniqueID": "T1218.003", + "color": "#c6dbef", + "comment": "CAR-2020-11-010: CMSTP", "enabled": true } ] diff --git a/docs/data/analytics.json b/docs/data/analytics.json index 251702c6..2ee43fdb 100644 --- a/docs/data/analytics.json +++ b/docs/data/analytics.json 
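Review bot: in the Navigator layer hunks above, the parent technique entries for T1112 (`@@ -276,17 +399,10 @@`), T1562 (`@@ -361,27 +477,14 @@`) and T1055 / T1548 (`@@ -550,29 +697,98 @@`) are deleted while sub-technique entries under them are kept or added (T1562.002, T1562.006, T1055.001, T1548.002). The parent's `"showSubtechniques": true` is what expands those rows in Navigator, so unless the parents are re-added in a hunk not shown here, those sub-technique entries will sit collapsed in the rendered layer. The removed T1112 entry also carried CAR-2013-01-002, CAR-2013-03-001, CAR-2013-04-002 and CAR-2014-11-005, and the pre-change `analytics.json` line still maps all of those (plus CAR-2020-05-003) to `Technique/T1112`, so this looks like a generator regression rather than an intended drop; suggest restoring `{ "techniqueID": "T1112", ..., "showSubtechniques": true }` with the merged comment, or confirming the mapping was removed on purpose. Likewise the `T1003.003` entry for CAR-2019-08-002 (`@@ -418,11 +527,18 @@`) is replaced by T1055.001 with nothing visible taking over the NTDSUtil mapping, so that analytic loses its sub-technique placement in the layer.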
@@ -1 +1 @@ -{"analytics": [{"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Medium"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", 
"process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": 
"Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569.002", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin 
Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": 
["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": 
"Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": 
[{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", 
"fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": 
"Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", 
"Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": 
"Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Network Share 
Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": 
"Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Detecting Shadow Copy Deletion via Vssadmin.exe", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", 
"process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": 
"CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}]} \ No newline at end of file +{"analytics": [{"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": 
[{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], 
"technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", 
"name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", 
"Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": 
"Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Batch File Write to 
System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", 
"flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], 
"technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", 
"process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, 
{"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": 
["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", 
"coverage": "High"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": 
[{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": 
[{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", 
"process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}]} \ No newline at end of file diff --git a/docs/sensors/auditd_2.8.md b/docs/sensors/auditd_2.8.md new file mode 100644 index 00000000..de2e70bd --- /dev/null +++ b/docs/sensors/auditd_2.8.md 
@@ -0,0 +1,136 @@ +--- +title: "auditd (2.8)" +--- + +- Manufacturer: Red Hat +- Version: 2.8 +- Website: https://people.redhat.com/sgrubb/audit/ + + +## Description +auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk + + + + +## Data Model Coverage + +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| + +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | + +### [flow](../data_model/flow) + +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| + +### [process](../data_model/process) + +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + +## Analytic Coverage + + - [CAR-2013-02-003: Processes Spawning cmd.exe](../analytics/CAR-2013-02-003) + - [CAR-2013-03-001: Reg.exe called from Command Shell](../analytics/CAR-2013-03-001) + - [CAR-2013-04-002: Quick execution of a series of suspicious commands](../analytics/CAR-2013-04-002) + - [CAR-2013-05-002: Suspicious Run Locations](../analytics/CAR-2013-05-002) + - [CAR-2013-05-004: Execution with AT](../analytics/CAR-2013-05-004) + - [CAR-2013-05-005: SMB Copy and Execution](../analytics/CAR-2013-05-005) + - [CAR-2013-05-009: Running executables with same hash and different names](../analytics/CAR-2013-05-009) + - [CAR-2013-07-001: Suspicious Arguments](../analytics/CAR-2013-07-001) + - [CAR-2013-07-002: RDP Connection Detection](../analytics/CAR-2013-07-002) + - [CAR-2013-07-005: Command Line Usage of Archiving 
Software](../analytics/CAR-2013-07-005) + - [CAR-2013-08-001: Execution with schtasks](../analytics/CAR-2013-08-001) + - [CAR-2014-02-001: Service Binary Modifications](../analytics/CAR-2014-02-001) + - [CAR-2014-03-001: SMB Write Request - NamedPipes](../analytics/CAR-2014-03-001) + - [CAR-2014-03-005: Remotely Launched Executables via Services](../analytics/CAR-2014-03-005) + - [CAR-2014-03-006: RunDLL32.exe monitoring](../analytics/CAR-2014-03-006) + - [CAR-2014-04-003: Powershell Execution](../analytics/CAR-2014-04-003) + - [CAR-2014-05-001: RPC Activity](../analytics/CAR-2014-05-001) + - [CAR-2014-05-002: Services launching Cmd](../analytics/CAR-2014-05-002) + - [CAR-2014-07-001: Service Search Path Interception](../analytics/CAR-2014-07-001) + - [CAR-2014-11-002: Outlier Parents of Cmd](../analytics/CAR-2014-11-002) + - [CAR-2014-11-003: Debuggers for Accessibility Applications](../analytics/CAR-2014-11-003) + - [CAR-2014-11-004: Remote PowerShell Sessions](../analytics/CAR-2014-11-004) + - [CAR-2014-11-006: Windows Remote Management (WinRM)](../analytics/CAR-2014-11-006) + - [CAR-2014-11-008: Command Launched from WinLogon](../analytics/CAR-2014-11-008) + - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) + - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) + - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) + - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) + - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) + - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) + - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) + - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) + - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) + - 
[CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) + - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) + - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) + - [CAR-2020-09-002: Component Object Model Hijacking](../analytics/CAR-2020-09-002) + - [CAR-2020-09-003: Indicator Blocking - Driver Unloaded](../analytics/CAR-2020-09-003) + - [CAR-2020-09-004: Credentials in Files & Registry](../analytics/CAR-2020-09-004) + - [CAR-2020-09-005: AppInit DLLs](../analytics/CAR-2020-09-005) + - [CAR-2020-11-001: Boot or Logon Initialization Scripts](../analytics/CAR-2020-11-001) + - [CAR-2020-11-002: Local Network Sniffing](../analytics/CAR-2020-11-002) + - [CAR-2020-11-003: DLL Injection with Mavinject](../analytics/CAR-2020-11-003) + - [CAR-2020-11-004: Processes Started From Irregular Parent](../analytics/CAR-2020-11-004) + - [CAR-2020-11-005: Clear Powershell Console Command History](../analytics/CAR-2020-11-005) + - [CAR-2020-11-006: Local Permission Group Discovery](../analytics/CAR-2020-11-006) + - [CAR-2020-11-007: Network Share Connection Removal](../analytics/CAR-2020-11-007) + - [CAR-2020-11-008: MSBuild and msxsl](../analytics/CAR-2020-11-008) + - [CAR-2020-11-009: Compiled HTML Access](../analytics/CAR-2020-11-009) + - [CAR-2020-11-010: CMSTP](../analytics/CAR-2020-11-010) + - [CAR-2020-11-011: Registry Edit from Screensaver](../analytics/CAR-2020-11-011) + - [CAR-2021-01-001: Identifying Port Scanning Activity](../analytics/CAR-2021-01-001) + - [CAR-2021-01-002: Unusually Long Command Line Strings](../analytics/CAR-2021-01-002) + - [CAR-2021-01-003: Clearing Windows Logs with Wevtutil](../analytics/CAR-2021-01-003) + - [CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe](../analytics/CAR-2021-01-004) + - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) + - 
[CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) + - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) + - [CAR-2021-02-001: Webshell-Indicative Process Tree](../analytics/CAR-2021-02-001) + - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) + - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) + - [CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store](../analytics/CAR-2021-05-001) + - [CAR-2021-05-002: Batch File Write to System32](../analytics/CAR-2021-05-002) + - [CAR-2021-05-003: BCDEdit Failure Recovery Modification](../analytics/CAR-2021-05-003) + - [CAR-2021-05-004: BITS Job Persistence](../analytics/CAR-2021-05-004) + - [CAR-2021-05-005: BITSAdmin Download File](../analytics/CAR-2021-05-005) + - [CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments](../analytics/CAR-2021-05-006) + - [CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments](../analytics/CAR-2021-05-007) + - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) + - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) + - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event 
Logging](../analytics/CAR-2022-03-001) + - [N/A](../analytics/N/A) diff --git a/docs/sensors/autoruns_13.98.md b/docs/sensors/autoruns_13.98.md index 81338f9d..2cf2b3de 100644 --- a/docs/sensors/autoruns_13.98.md +++ b/docs/sensors/autoruns_13.98.md @@ -14,18 +14,6 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi ## Data Model Coverage -### [file](../data_model/file) - -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | -| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `modify` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | - ### [registry](../data_model/registry) | | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | 
@@ -45,6 +33,18 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi | `start` | | | | | | | | | | | | `stop` | | | | | | | | | | | +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | +| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `modify` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | + @@ -62,3 +62,7 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-05-002: Batch File Write to System32](../analytics/CAR-2021-05-002) - [CAR-2021-05-012: Create Service In Suspicious File Path](../analytics/CAR-2021-05-012) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) diff --git a/docs/sensors/index.md b/docs/sensors/index.md index 6f183ead..c8d34e09 100755 
--- a/docs/sensors/index.md +++ b/docs/sensors/index.md @@ -5,9 +5,10 @@ title: "Sensors" Sensors are tools that collect data that can be used to run analytics. CAR currently has a limited number of sensors mapped to the CAR [Data Model](../data_model). They are: +* [auditd (2.8)](auditd_2.8) * [Autoruns (13.98)](autoruns_13.98) +* [osquery (4.1.2)](osquery_4.1.2) +* [osquery (4.6.0)](osquery_4.6.0) * [Sysmon (10.4)](sysmon_10.4) * [Sysmon (11.0)](sysmon_11.0) -* [Sysmon (13.0)](sysmon_13) -* [OSQuery (4.1.2)](osquery_4.1.2) -* [OSQuery (4.6.0)](osquery_4.6.0) +* [Sysmon (13)](sysmon_13) \ No newline at end of file diff --git a/docs/sensors/osquery_4.1.2.md b/docs/sensors/osquery_4.1.2.md index bdb46448..9c5d21f5 100755 --- a/docs/sensors/osquery_4.1.2.md +++ b/docs/sensors/osquery_4.1.2.md @@ -14,13 +14,6 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | | | |✓|✓|✓| |✓|✓| | | -| `unload` | | | | | | | | | | | | - ### [file](../data_model/file) | | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | 
@@ -33,6 +26,13 @@ osquery exposes an operating system as a high-performance relational database. T | `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| | `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -81,13 +81,13 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) - - [CAR-2020-04-001: Shadow Copy Deletion](../analytics/CAR-2020-04-001) - [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) 
@@ -113,7 +113,7 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) - [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) - - [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](../analytics/CAR-2021-01-009) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) - [CAR-2021-02-001: Webshell-Indicative Process Tree](../analytics/CAR-2021-02-001) - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) @@ -127,4 +127,9 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) - [N/A](../analytics/N/A) diff --git a/docs/sensors/osquery_4.6.0.md b/docs/sensors/osquery_4.6.0.md index b044a54c..7efe527e 100755 --- a/docs/sensors/osquery_4.6.0.md +++ b/docs/sensors/osquery_4.6.0.md 
@@ -14,13 +14,6 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | | | |✓|✓|✓| |✓|✓| | | -| `unload` | | | | | | | | | | | | - ### [file](../data_model/file) | | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | @@ -33,6 +26,13 @@ osquery exposes an operating system as a high-performance relational database. T | `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| | `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -81,13 +81,13 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) - - [CAR-2020-04-001: Shadow Copy Deletion](../analytics/CAR-2020-04-001) - [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) 
@@ -113,7 +113,7 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) - [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) - - [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](../analytics/CAR-2021-01-009) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) - [CAR-2021-02-001: Webshell-Indicative Process Tree](../analytics/CAR-2021-02-001) - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) @@ -127,4 +127,9 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) - [N/A](../analytics/N/A) diff --git a/docs/sensors/sysmon_10.4.md b/docs/sensors/sysmon_10.4.md index 088dcab9..0bbcec26 100755 --- a/docs/sensors/sysmon_10.4.md +++ b/docs/sensors/sysmon_10.4.md 
@@ -14,12 +14,23 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [driver](../data_model/driver) +### [thread](../data_model/thread) -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + +### [registry](../data_model/registry) + +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | |---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓| |✓| -| `unload` | | | | | | | | | | | | +| `add` | |✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | | | | | | | | | | | | +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | | | | | | | | | | | | ### [file](../data_model/file) 
@@ -33,6 +44,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | | `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓| |✓| +| `unload` | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -49,24 +67,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| | `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | -### [registry](../data_model/registry) - -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | |✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | | | | | | | | | | | | -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | | | | | | | | | | | | - -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - @@ -95,6 +95,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) 
@@ -102,7 +103,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) - - [CAR-2020-04-001: Shadow Copy Deletion](../analytics/CAR-2020-04-001) - [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) @@ -124,7 +124,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) - [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) - - [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](../analytics/CAR-2021-01-009) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) - [CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store](../analytics/CAR-2021-05-001) 
@@ -136,3 +136,8 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) diff --git a/docs/sensors/sysmon_11.0.md b/docs/sensors/sysmon_11.0.md index 6d8b7af8..bf5db123 100755 --- a/docs/sensors/sysmon_11.0.md +++ b/docs/sensors/sysmon_11.0.md 
@@ -14,12 +14,23 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [driver](../data_model/driver) +### [thread](../data_model/thread) -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + +### [registry](../data_model/registry) + +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | |---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓| |✓| -| `unload` | | | | | | | | | | | | +| `add` | |✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | | | | | | | | | | | | +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | | | | | | | | | | | | ### [file](../data_model/file) 
@@ -33,6 +44,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | | `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓| |✓| +| `unload` | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -49,24 +67,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| | `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | -### [registry](../data_model/registry) - -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | |✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | | | | | | | | | | | | -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | | | | | | | | | | | | - -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - @@ -95,6 +95,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) 
@@ -102,7 +103,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) - - [CAR-2020-04-001: Shadow Copy Deletion](../analytics/CAR-2020-04-001) - [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) @@ -124,7 +124,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) - [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) - - [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](../analytics/CAR-2021-01-009) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) - [CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store](../analytics/CAR-2021-05-001) 
@@ -137,3 +137,8 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) diff --git a/docs/sensors/sysmon_13.md b/docs/sensors/sysmon_13.md index 640337b1..40ed48d5 100644 --- a/docs/sensors/sysmon_13.md +++ b/docs/sensors/sysmon_13.md 
@@ -14,12 +14,23 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [driver](../data_model/driver) +### [thread](../data_model/thread) -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + +### [registry](../data_model/registry) + +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | |---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓|✓|✓| -| `unload` | | | | | | | | | | | | +| `add` | ✓|✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| ### [file](../data_model/file) 
@@ -33,6 +44,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | | `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓|✓|✓| +| `unload` | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -49,24 +67,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| | `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | -### [registry](../data_model/registry) - -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | ✓|✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| - -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - @@ -95,6 +95,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) 
@@ -102,7 +103,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) - - [CAR-2020-04-001: Shadow Copy Deletion](../analytics/CAR-2020-04-001) - [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) @@ -124,7 +124,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) - [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) - - [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](../analytics/CAR-2021-01-009) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) - [CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store](../analytics/CAR-2021-05-001) 
@@ -137,3 +137,8 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) diff --git a/scripts/generate_analytics.py b/scripts/generate_analytics.py index f1c8c3c8..31d9d383 100755 --- a/scripts/generate_analytics.py +++ b/scripts/generate_analytics.py @@ -184,7 +184,7 @@ none_sub_str = "(N/A - technique only)" else: none_str = "(N/A - see below)" - if len(sub_bucket.keys()) > 1: + if len(sub_bucket.keys()) > 1 or len(none_bucket) > 0: num_rows = len(sub_bucket.keys()) + 1 tid_url = "https://attack.mitre.org/techniques/{0}/".format(tid) tid_link = '{1}: {2}'.format(tid_url,tid,techniques[tid]) @@ -192,7 +192,7 @@ if none_sub_str == "(N/A - technique only)": subtechnique_table += tr_template.format(rowspan,tid_link,none_sub_str,none_str) else: - subtechnique_table += tr_tech_template.format(rowspan,tid_link) + subtechnique_table += tr_tech_template.format(rowspan,tid_link) # Write the subtechniques to the table if sub_bucket: for sub_tid, car_list in sub_bucket.items(): 
@@ -210,11 +210,9 @@ sub_link = '{1}: {2}'.format(sub_url,sub_tid,techniques[sub_tid]) subtechnique_table += tr_template.format("",tid_link,sub_link,sub_str) elif len(sub_bucket.keys()) == 1: - tid_url = "https://attack.mitre.org/techniques/{0}/".format(tid) sub_url = "https://attack.mitre.org/techniques/{0}/{1}/".format(sub_tid.split(".")[0],sub_tid.split(".")[1]) - tid_link = '{1}: {2}'.format(tid_url,tid,techniques[tid]) sub_link = '{1}: {2}'.format(sub_url,sub_tid,techniques[sub_tid]) - subtechnique_table += tr_template.format("",tid_link,sub_link,sub_str) + subtechnique_table += tr_sub_template.format(sub_link,sub_str) else: sub_url = "https://attack.mitre.org/techniques/{0}/{1}/".format(sub_tid.split(".")[0],sub_tid.split(".")[1]) sub_link = '{1}: {2}'.format(sub_url,sub_tid,techniques[sub_tid]) diff --git a/scripts/generate_attack_nav_layer.py b/scripts/generate_attack_nav_layer.py index 0fba73be..4f8cb3d3 100644 --- a/scripts/generate_attack_nav_layer.py +++ b/scripts/generate_attack_nav_layer.py @@ -6,7 +6,7 @@ import glob import yaml import sys -from os import path +from os import path, makedirs # Static ATT&CK Navigator layer JSON fields VERSION = "3.0" @@ -67,6 +67,7 @@ def addMapping(technique, name, attack_mappings): layer_json["techniques"].append(technique) # Output JSON to docs directory +makedirs('../docs/car_attack', exist_ok=True) outfile = open("../docs/car_attack/car_attack.json","w") json.dump(layer_json, outfile, indent=4) outfile.close() diff --git a/scripts/generate_sensors.py b/scripts/generate_sensors.py index cc2b38aa..5200fcf7 100755 --- a/scripts/generate_sensors.py +++ b/scripts/generate_sensors.py @@ -1,5 +1,7 @@ """This script generates the sensor portion of the site, including coverage, for each YAML sensor mapping file. +NOTE: This script should be run after `generate_analytics.py` as it is +dependent on files in /docs/analytics existing and being up to date. """ import json 
@@ -181,9 +183,38 @@ def generateSensorsForAnalytics(analytics, sensor_dict): sensor_template = Template(open('sensor_template.md').read()) # Generate the sensor page for each sensor +makedirs('../docs/sensors', exist_ok=True) for sensor in mappings: sensor_tag = sensor['sensor_name'] + "_" + str(sensor['sensor_version']) # Generate the markdown markdown = sensor_template.render(sensor=sensor) # Save to the sensors directory open('../docs/sensors/{}.md'.format(sensor_tag.lower()), 'w').write(markdown) + +# Generate index file +index_content = '''--- +title: "Sensors" +--- + +Sensors are tools that collect data that can be used to run analytics. + +CAR currently has a limited number of sensors mapped to the CAR [Data Model](../data_model). They are: +{}'''.format( + '\n'.join( + ( + '* [{sensor_name} ({sensor_version})]({sensor_name_lower}_{sensor_version})'.format( + sensor_name=sensor['sensor_name'], + sensor_name_lower=sensor['sensor_name'].lower(), + sensor_version=sensor['sensor_version'] + ) for sensor in sorted( + mappings, + key=lambda sensor: ( + sensor['sensor_name'].lower(), + sensor['sensor_version'] + ) + ) + ) + ) + ) +with open('../docs/sensors/index.md', 'w') as index_file: + index_file.write(index_content) diff --git a/docs/sensors/auditd_2.8.yaml b/sensors/auditd_2.8.yaml similarity index 94% rename from docs/sensors/auditd_2.8.yaml rename to sensors/auditd_2.8.yaml index 5e9f50fa..2431fbfe 100755 --- a/docs/sensors/auditd_2.8.yaml +++ b/sensors/auditd_2.8.yaml @@ -3,7 +3,8 @@ sensor_name: auditd sensor_version: 2.8 sensor_developer: Red Hat sensor_url: 'https://people.redhat.com/sgrubb/audit/' -sensor_description: 'auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk' +sensor_description: | + auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk mappings: - object: file action: create 
@@ -133,4 +134,4 @@ mappings: - value - data other_coverage: - - 'N/A' \ No newline at end of file + - 'N/A'
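Review bot: CAR-2020-04-001 (Shadow Copy Deletion) is dropped from the analytic lists in both docs/sensors/sysmon_11.0.md and docs/sensors/sysmon_13.md while CAR-2021-01-009 is retitled to "Detecting Shadow Copy Deletion or Resize"; if the two analytics were merged, confirm the CAR-2020-04-001 page itself is retired or redirected so the link removed here does not leave an orphaned analytic. The remaining changes to those two files (the driver/registry/thread table reorder and the new CAR-2021-11-*, CAR-2021-12-* and CAR-2022-03-001 entries) look like regenerated output and need no hand edits.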
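Review bot: in the `if len(sub_bucket.keys()) > 1 or len(none_bucket) > 0:` change in scripts/generate_analytics.py (the `@@ -184,7` hunk), the widened condition means the later `elif len(sub_bucket.keys()) == 1:` branch is now reached only when `none_bucket` is empty; that is presumably intended, but it deserves a one-line comment at the `if` so the next reader does not "fix" it back. Stylistically, `len(none_bucket) > 0` is just `none_bucket` in Python. The `-`/`+` pair for `subtechnique_table += tr_tech_template.format(rowspan,tid_link)` is identical in content, so it is a whitespace-only change; drop it from the commit if it is not intentional.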
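Review bot: `tr_sub_template`, used in the new `subtechnique_table += tr_sub_template.format(sub_link,sub_str)` line of the `@@ -210,11` hunk in scripts/generate_analytics.py, appears nowhere else in this diff, so confirm it is defined next to `tr_template` and `tr_tech_template` with exactly two positional placeholders; a missing definition would raise `NameError` only on the one-sub-technique path, which is easy to miss in a quick run. The same `elif` branch keeps using `sub_tid` without any visible assignment inside the branch (pre-existing); worth checking that it is bound by the bucket construction above and not a leftover loop variable.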
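Review bot: `makedirs('../docs/car_attack', exist_ok=True)` in scripts/generate_attack_nav_layer.py, like the `open("../docs/car_attack/car_attack.json","w")` right after it, assumes the current working directory is `scripts/`; since `path` is already imported, resolving the output directory with `path.join(path.dirname(path.abspath(__file__)), '..', 'docs', 'car_attack')` makes the script safe to invoke from the repository root or from CI. While here, the `outfile = open(...)` / `outfile.close()` pair is cleaner as a `with open(...) as outfile:` block.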
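Review bot: the new `makedirs('../docs/sensors', exist_ok=True)` call in scripts/generate_sensors.py (the `@@ -181,9` hunk) has no matching import hunk, whereas the sibling change to generate_attack_nav_layer.py does add `from os import path, makedirs`; confirm `makedirs` is already imported in this script or it fails before writing any page. In the index generation, the sort key `(sensor['sensor_name'].lower(), sensor['sensor_version'])` compares raw `sensor_version` values; the mapping files use unquoted versions such as `sensor_version: 2.8`, which YAML loads as numbers, so a future mapping that quotes its version would make the tuple comparison raise `TypeError`. Using `str(sensor['sensor_version'])` in the key, matching the `str(sensor['sensor_version'])` already used to build `sensor_tag`, keeps the comparison type-safe. The generated link `{sensor_name_lower}_{sensor_version}` does line up with `sensor_tag.lower()`, so the index entries will resolve.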
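Review bot: switching `sensor_description` to a `|` block scalar in sensors/auditd_2.8.yaml fixes a real YAML defect: the old single-quoted value contained an unescaped `'` in `It's`, which terminates a single-quoted scalar and leaves `s responsible ...` as stray text. Note that `|` keeps the block's trailing newline; if the template renders the description inline, `|-` strips it. Separately, the file moves from docs/sensors/ to sensors/, but no hunk in this diff changes where scripts/generate_sensors.py reads its mapping YAML files; confirm that glob or path was updated (or already points at sensors/), otherwise the sensor pages and the new index.md will be generated empty.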