diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml
new file mode 100644
index 00000000..ae757313
--- /dev/null
+++ b/.github/workflows/lint-yaml.yml
@@ -0,0 +1,110 @@ +name: Lint the yaml + +on: + pull_request_target: + push: + branches: [master] + +jobs: + yamllint: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + cache: 'pip' + - name: Install script dependencies + run: pip install -r ./scripts/requirements.txt + - name: Run yamllint + run: yamllint analytics/ data_model/ sensors/ + analysis-schema: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + cache: 'pip' + - name: Install script dependencies + run: pip install -r ./scripts/requirements.txt + - name: Validate against analysis schema + run: yamale -s scripts/analytic_schema.yaml --no-strict analytics/ + datamodel-schema: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + cache: 'pip' + - name: Install script dependencies + run: pip install -r ./scripts/requirements.txt + - name: Validate against data model schema + run: yamale -s scripts/datamodel_schema.yaml --no-strict data_model/ + sensor-schema: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + cache: 'pip' + - name: Install script dependencies + run: pip install -r ./scripts/requirements.txt + - name: Validate against sensor schema + run: yamale -s scripts/sensor_schema.yaml --no-strict sensors/ + filetype-is-yaml: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Files should be .yaml not .yml and should also be actual files (ex. not directories) + shell: bash + run: find analytics data_model sensors -mindepth 1 -maxdepth 1 \( ! 
-name "*.yaml" \) -o \( ! -type f \) + id-filename-equivalence: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Analytics files need to have their filename be '{id}.yaml' + run: > + ret=0; + for file in analytics/*.yaml; do + echo "Checking $file"; + if ! [ "$(basename $file | sed -e "s/\.yaml$//")" = "$(yq '.id' < $file)" ]; then + echo "Failed"; + ret=1; + fi; + done; + exit "$ret" + - name: Data model files need to have their filename be '{name but fully lowercase and with underscores replacing spaces}.yaml' + run: > + ret=0; + for file in data_model/*.yaml; do + echo "Checking $file"; + if ! [ "$(basename $file | sed -e "s/\.yaml$//")" = "$(yq '.name | downcase | sub(" ", "_")' < $file)" ]; then + echo "Failed"; + ret=1; + fi; + done; + exit "$ret" + - name: Sensor files need to have their filename be '{sensor_name but fully lowercase}_{sensor_version}.yaml' + run: > + ret=0; + for file in sensors/*.yaml; do + echo "Checking $file"; + if ! [ "$(basename $file | sed -e "s/\.yaml$//")" = "$(yq '(.sensor_name | downcase) + "_" + .sensor_version' < $file)" ]; then + echo "Failed"; + ret=1; + fi; + done; + exit "$ret" diff --git a/.yamllint b/.yamllint new file mode 100644 index 00000000..75da2b70 --- /dev/null +++ b/.yamllint @@ -0,0 +1,5 @@ +--- +extends: default + +rules: + line-length: disable diff --git a/analytics/CAR-2013-01-002.yaml b/analytics/CAR-2013-01-002.yaml index 21f264af..53eeaf2b 100644 --- a/analytics/CAR-2013-01-002.yaml +++ b/analytics/CAR-2013-01-002.yaml @@ -1,3 +1,4 @@ +--- title: Autorun Differences submission_date: 2013/01/25 information_domain: 'Analytic, Host' 
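Review bot: The `pull_request_target:` trigger combined with a plain `actions/checkout@v3` checks out the base branch, so on pull requests the lint, schema and filename jobs validate the target branch rather than the PR's proposed changes. None of these jobs reads secrets or needs write access, so `pull_request:` is the right trigger here: it checks out the PR merge ref with a read-only token, and it removes the standing hazard that a later edit to check out the PR head under `pull_request_target` would run PR-controlled `scripts/requirements.txt` with a privileged token. Separately, the `filetype-is-yaml` step cannot fail: `find` exits 0 whether or not it prints matches, so a stray `.yml` file or a subdirectory is listed but the job stays green; capture the output and fail on it, e.g. `bad=$(find analytics data_model sensors -mindepth 1 -maxdepth 1 \( ! -name "*.yaml" \) -o \( ! -type f \)); [ -z "$bad" ] || { echo "$bad"; exit 1; }`. Consider also a top-level `permissions: contents: read` and pinning the third-party actions to commit SHAs rather than mutable tags.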
@@ -11,7 +12,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-01-002 -description: |- +description: | The Sysinternals tool [Autoruns](../sensors/autoruns) checks the registry and file system for known identify persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain [Persistence](https://attack.mitre.org/tactics/TA0003). Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired. Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative. diff --git a/analytics/CAR-2013-01-003.yaml b/analytics/CAR-2013-01-003.yaml index da1c5c6f..5d81ab3a 100644 --- a/analytics/CAR-2013-01-003.yaml +++ b/analytics/CAR-2013-01-003.yaml @@ -1,3 +1,4 @@ +--- title: SMB Events Monitoring submission_date: 2013/01/25 information_domain: Network 
@@ -10,8 +11,8 @@ analytic_types: contributors: - MITRE id: CAR-2013-01-003 -description: |- - [Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise. +description: | + [Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. 
In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise. ### Output Description @@ -28,8 +29,8 @@ coverage: - T1021.002 coverage: Moderate implementations: - - description: 'Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved. ' - code: |- + - description: 'Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved.' + code: | flow = search Flow:Message smb_events = filter flow where (dest_port == "445" and protocol == "smb") smb_events.file_name = smb_events.proto_info.file_name diff --git a/analytics/CAR-2013-02-003.yaml b/analytics/CAR-2013-02-003.yaml index f6e6fb2c..1c93c302 100644 --- a/analytics/CAR-2013-02-003.yaml +++ b/analytics/CAR-2013-02-003.yaml @@ -1,3 +1,4 @@ +--- title: Processes Spawning cmd.exe submission_date: 2013/02/05 information_domain: Host diff --git a/analytics/CAR-2013-02-008.yaml b/analytics/CAR-2013-02-008.yaml index 431f0b13..0e598289 100644 --- a/analytics/CAR-2013-02-008.yaml +++ b/analytics/CAR-2013-02-008.yaml @@ -1,3 +1,4 @@ +--- title: Simultaneous Logins on a Host submission_date: 2013/02/18 information_domain: Host 
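Review bot: The re-indented description line keeps a broken link target: `https://en.wikipedia.org/wiki/Server_Message Block` contains a space, so Markdown renderers end the URL at `Server_Message` and leave ` Block)` as plain text. It should read `[Server Message Block](https://en.wikipedia.org/wiki/Server_Message_Block)`. The `description` block scalar continues past the end of this hunk.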
@@ -12,7 +13,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-02-008 -description: |- +description: | Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. @@ -26,10 +27,10 @@ coverage: - T1078.003 coverage: Low implementations: - - code: |- + - code: | users_list = search UserSession:Login users_grouped = group users_list by hostname - users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count + users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1) output multiple_logins type: pseudocode diff --git a/analytics/CAR-2013-02-012.yaml b/analytics/CAR-2013-02-012.yaml index 23992cfa..12e62d6f 100644 --- a/analytics/CAR-2013-02-012.yaml +++ b/analytics/CAR-2013-02-012.yaml @@ -1,3 +1,4 @@ +--- title: User Logged in to Multiple Hosts submission_date: 2013/02/27 information_domain: Host @@ -12,7 +13,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-02-012 -description: |- +description: | Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certain users will likely appear as being logged into several machines and may need to be "whitelisted." Such users would include network admins or user names that are common to many hosts. 
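Review bot: In the CAR-2013-02-008 hunk, the modified `select` line is missing a comma between `max(time) as latest_time` and `count(user) as user_count`, so the projection list in the pseudocode is malformed; the commit only strips trailing whitespace on that line. It should read `users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time, count(user) as user_count`.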
@@ -25,8 +26,8 @@ coverage: tactics: - TA0008 subtechniques: - - T1078.002 - - T1078.003 + - T1078.002 + - T1078.003 coverage: Moderate d3fend_mappings: - iri: d3f:AuthenticationEventThresholding diff --git a/analytics/CAR-2013-03-001.yaml b/analytics/CAR-2013-03-001.yaml index 6d836429..e4a88bdb 100644 --- a/analytics/CAR-2013-03-001.yaml +++ b/analytics/CAR-2013-03-001.yaml @@ -1,3 +1,4 @@ +--- title: Reg.exe called from Command Shell submission_date: 2013/03/28 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-03-001 -description: |- +description: | Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via `regedit.exe` or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility `reg.exe` provides a [command-line interface](https://en.wikipedia.org/wiki/Command-line_interface) to the registry, so that queries and modifications can be performed from a shell, such as `cmd.exe`. When a user is responsible for these actions, the parent of `cmd.exe` will likely be `explorer.exe`. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly. ### Output Description @@ -45,7 +46,7 @@ coverage: coverage: Moderate implementations: - description: 'To gain better context, it may be useful to also get information about the cmd process to know its parent. This may be helpful when tuning the analytic to an environment, if this behavior happens frequently. This may also help to rule out instances of users running ' - code: |- + code: | processes = search Process:Create reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe") cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"") 
@@ -53,7 +54,7 @@ implementations: output reg_and_cmd type: pseudocode - description: DNIF version of the above pseudocode. - code: |- + code: | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*reg\.exe.*)i AND $ParentProcess=regex(.*cmd\.exe.*)i as #A limit 100 >>_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i NOT $ParentProcess=regex(.*explorer\.exe.*)i as #B limit 100 >>_checkif sjoin #B.$PPID = #A.$CPID str_compare #B.$SystemName eq #A.$SystemName include diff --git a/analytics/CAR-2013-04-002.yaml b/analytics/CAR-2013-04-002.yaml index 895f76ad..dfe68372 100644 --- a/analytics/CAR-2013-04-002.yaml +++ b/analytics/CAR-2013-04-002.yaml @@ -1,3 +1,4 @@ +--- title: Quick execution of a series of suspicious commands submission_date: 2013/04/11 information_domain: 'Analytic, Host' diff --git a/analytics/CAR-2013-05-002.yaml b/analytics/CAR-2013-05-002.yaml index 1b99a8a4..be7701c9 100644 --- a/analytics/CAR-2013-05-002.yaml +++ b/analytics/CAR-2013-05-002.yaml @@ -1,3 +1,4 @@ +--- title: Suspicious Run Locations submission_date: 2013/05/07 information_domain: Host diff --git a/analytics/CAR-2013-05-003.yaml b/analytics/CAR-2013-05-003.yaml index bb292ac0..cd47a75e 100644 --- a/analytics/CAR-2013-05-003.yaml +++ b/analytics/CAR-2013-05-003.yaml @@ -1,3 +1,4 @@ +--- title: SMB Write Request submission_date: 2013/05/13 information_domain: 'Host, Network' @@ -35,7 +36,7 @@ coverage: - T1078.003 coverage: Moderate implementations: - - code: |- + - code: | flow = search Flow:Message smb_write = filter flow where (dest_port == "445" and protocol == "smb.write") smb_write.file_name = smb_write.proto_info.file_name diff --git a/analytics/CAR-2013-05-004.yaml b/analytics/CAR-2013-05-004.yaml index 791b5e1f..4c5b2b50 100644 --- a/analytics/CAR-2013-05-004.yaml +++ b/analytics/CAR-2013-05-004.yaml 
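Review bot: In the `@@ -45,7 +46,7 @@` hunk of CAR-2013-03-001, the pseudocode line `cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"")` carries a stray doubled quote after `explorer.exe`, leaving the filter expression unbalanced; it should end `parent_exe != "explorer.exe")`. The `description` just above it also appears to stop mid-sentence (`...rule out instances of users running `), which looks like a truncated edit worth completing. The implementation body continues outside the hunk.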
@@ -1,3 +1,4 @@ +--- title: Execution with AT submission_date: 2013/05/13 information_domain: Host diff --git a/analytics/CAR-2013-05-005.yaml b/analytics/CAR-2013-05-005.yaml index 2f13f84d..16a8c2fc 100644 --- a/analytics/CAR-2013-05-005.yaml +++ b/analytics/CAR-2013-05-005.yaml @@ -1,3 +1,4 @@ +--- title: SMB Copy and Execution submission_date: 2013/05/13 information_domain: 'Host, Network' diff --git a/analytics/CAR-2013-05-009.yaml b/analytics/CAR-2013-05-009.yaml index bcd79aeb..1e02ee42 100644 --- a/analytics/CAR-2013-05-009.yaml +++ b/analytics/CAR-2013-05-009.yaml @@ -1,3 +1,4 @@ +--- title: Running executables with same hash and different names submission_date: 2013/05/23 information_domain: Host diff --git a/analytics/CAR-2013-07-001.yaml b/analytics/CAR-2013-07-001.yaml index 0f013346..698dfc60 100644 --- a/analytics/CAR-2013-07-001.yaml +++ b/analytics/CAR-2013-07-001.yaml @@ -1,3 +1,4 @@ +--- title: Suspicious Arguments submission_date: 2013/07/05 information_domain: Host diff --git a/analytics/CAR-2013-07-002.yaml b/analytics/CAR-2013-07-002.yaml index 613919fe..fa914804 100644 --- a/analytics/CAR-2013-07-002.yaml +++ b/analytics/CAR-2013-07-002.yaml @@ -1,3 +1,4 @@ +--- title: RDP Connection Detection submission_date: 2013/07/24 information_domain: 'Analytic, Network' diff --git a/analytics/CAR-2013-07-005.yaml b/analytics/CAR-2013-07-005.yaml index 8cbc5245..58b9fb34 100644 --- a/analytics/CAR-2013-07-005.yaml +++ b/analytics/CAR-2013-07-005.yaml @@ -1,3 +1,4 @@ +--- title: Command Line Usage of Archiving Software submission_date: 2013/07/31 information_domain: Host 
@@ -12,7 +13,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-07-005 -description: |- +description: | Before [exfiltrating data](https://attack.mitre.org/tactics/TA0010) that an adversary has [collected](https://attack.mitre.org/tactics/TA0009), it is very likely that a [compressed archive](https://attack.mitre.org/techniques/T1560) will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "`\* a \*`". This is helpful, as adversaries may change program names. @@ -25,18 +26,18 @@ coverage: coverage: Moderate implementations: - description: 'This analytic looks for the command line argument `a`, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out.' - code: |- + code: | processes = search Process:Create rar_argument = filter processes where (command_line == "* a *") output rar_argument type: pseudocode - description: DNIF version of the above pseudocode. - code: |- + code: | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.* a .*)i limit 100 type: DNIF data_model: Sysmon native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 command="* a *" type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2013-08-001.yaml b/analytics/CAR-2013-08-001.yaml index f89e5c10..f8a894ce 100644 --- a/analytics/CAR-2013-08-001.yaml +++ b/analytics/CAR-2013-08-001.yaml @@ -1,3 +1,4 @@ +--- title: Execution with schtasks submission_date: 2013/08/07 information_domain: Host 
@@ -20,18 +21,18 @@ coverage: coverage: Moderate implementations: - description: 'Look for instances of `schtasks.exe` running as processes. The `command_line` field is necessary to disambiguate between types of schtasks commands. These include the flags `/create`, `/run`, `/query`, `/delete`, `/change`, and `/end`.' - code: |- + code: | process = search Process:Create schtasks = filter process where (exe == "schtasks.exe") output schtasks type: pseudocode - description: DNIF version of the above pseudocode. - code: |- + code: | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=schtasks.exe AND $Process=regex(.*(\/create|\/run|\/query|\/delete|\/change|\/end).*)i limit 100 type: DNIF data_model: Sysmon native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="*\schtasks.exe" command IN ["*/create*", "*/run*", "*/query*", "*/delete*", "*/change*", "*/end*"] type: LogPoint data_model: LogPoint native @@ -41,7 +42,7 @@ data_model_references: unit_tests: - configurations: - Windows 7 - description: |- + description: | Create a new scheduled task with schtasks.exe and verify the analytic fires when the task executes. * From an admin account, open Windows command prompt (right click, run as administrator) * Execute `schtasks /Create /SC ONCE /ST 19:00 /TR C:\Windows\System32\calc.exe /TN calctask`, substituting a time in the near future for 19:00 diff --git a/analytics/CAR-2013-09-003.yaml b/analytics/CAR-2013-09-003.yaml index 4d877398..30babcfa 100644 --- a/analytics/CAR-2013-09-003.yaml +++ b/analytics/CAR-2013-09-003.yaml @@ -1,3 +1,4 @@ +--- title: SMB Session Setups submission_date: 2013/09/12 information_domain: Network diff --git a/analytics/CAR-2013-09-005.yaml b/analytics/CAR-2013-09-005.yaml index 237b11df..d72a51b0 100644 --- a/analytics/CAR-2013-09-005.yaml +++ b/analytics/CAR-2013-09-005.yaml 
@@ -1,3 +1,4 @@ +--- title: Service Outlier Executables submission_date: 2013/09/23 information_domain: Host diff --git a/analytics/CAR-2013-10-001.yaml b/analytics/CAR-2013-10-001.yaml index 00856f4a..941c16e3 100644 --- a/analytics/CAR-2013-10-001.yaml +++ b/analytics/CAR-2013-10-001.yaml @@ -1,7 +1,8 @@ +--- title: User Login Activity Monitoring submission_date: 2013/10/03 information_domain: 'Host, Network' -platforms: +platforms: - Windows - Linux - macOS @@ -13,7 +14,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-10-001 -description: |- +description: | Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere. Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. @@ -39,7 +40,7 @@ coverage: implementations: - name: Account Logon with Filtering description: This base pseudocode looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. - code: |- + code: | logon_events = search User_Session:Login filtered_logons = filter logon_events where ( user NOT IN TOP30(user)) 
@@ -47,12 +48,12 @@ implementations: type: Pseudocode - name: Account Logon with Filtering description: Splunk version of the above pseudocode. NOTE - this is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out. - code: |- + code: | index=__your_win_event_log_index__ EventCode=4624|search NOT [search index=__your_win_event_log_index__ EventCode=4624|top 30 Account_Name|table Account_Name] type: Splunk - name: Account Logon with Filtering description: DNIF version of the above pseudocode. - code: |- + code: | _fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN group count_unique $ScopeID, $User limit 30 >>_store in_disk david_test win_top_30 stack_replace >>_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN limit 10000 diff --git a/analytics/CAR-2013-10-002.yaml b/analytics/CAR-2013-10-002.yaml index e8771801..cb6d6c99 100644 --- a/analytics/CAR-2013-10-002.yaml +++ b/analytics/CAR-2013-10-002.yaml @@ -1,3 +1,4 @@ +--- title: DLL Injection via Load Library submission_date: 2013/10/07 information_domain: Host 
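Review bot: The DNIF implementation stores its intermediate result under `david_test`, a personal scratch name that readers will copy verbatim into their own deployments. The Splunk variant in the same hunk already uses the `__your_win_event_log_index__` placeholder convention, so the DNIF store name should follow suit with an equally obvious placeholder (for example `__your_store_name__`) in place of `david_test`. The DNIF query continues past the end of the hunk.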
@@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-10-002 -description: |- +description: | Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx). - Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx) 
@@ -33,7 +34,7 @@ coverage: coverage: Moderate implementations: - description: 'Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. ' - code: |- + code: | remote_thread = search Thread:RemoteCreate remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW") remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe") @@ -41,7 +42,7 @@ implementations: output remote_thread type: pseudocode - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe" type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2014-02-001.yaml b/analytics/CAR-2014-02-001.yaml index db26f0b9..6ae17df4 100644 --- a/analytics/CAR-2014-02-001.yaml +++ b/analytics/CAR-2014-02-001.yaml @@ -1,3 +1,4 @@ +--- title: Service Binary Modifications submission_date: 2014/02/14 information_domain: Host @@ -11,7 +12,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-02-001 -description: |- +description: | Adversaries may modify the binary file for an existing service to achieve [Persistence](https://attack.mitre.org/tactics/TA0003) while potentially [evading defenses](https://attack.mitre.org/tactics/TA0005). If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications. ### Output Description 
@@ -40,14 +41,14 @@ coverage: coverage: Moderate implementations: - description: 'Look for events where a file was created and then later run as a service. In these cases, a new service has been created or the binary has been modified. Many programs, such as `msiexec.exe`, do these behaviors legitimately and can be used to help validate legitimate service creations/modifications.' - code: |- + code: | legitimate_installers = ["C:\windows\system32\msiexec.exe", "C:\windows\syswow64\msiexec.exe", ...] file_change = search File:Create,Modify process = search Process:Create service_process = filter processes where (parent_exe == "services.exe") modified_service = join (search, filter) where ( - file_change.time < service_process.time and + file_change.time < service_process.time and file_change.file_path == service_process.image_path ) diff --git a/analytics/CAR-2014-03-001.yaml b/analytics/CAR-2014-03-001.yaml index 1f24bb21..15948a46 100644 --- a/analytics/CAR-2014-03-001.yaml +++ b/analytics/CAR-2014-03-001.yaml @@ -1,3 +1,4 @@ +--- title: SMB Write Request - NamedPipes submission_date: 2014/03/03 information_domain: 'Host, Network' diff --git a/analytics/CAR-2014-03-005.yaml b/analytics/CAR-2014-03-005.yaml index 17887cbc..4eb4b626 100644 --- a/analytics/CAR-2014-03-005.yaml +++ b/analytics/CAR-2014-03-005.yaml @@ -1,3 +1,4 @@ +--- title: Remotely Launched Executables via Services submission_date: 2014/03/18 information_domain: 'Host, Network' 
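Review bot: The pseudocode binds `process = search Process:Create` but the next line filters `processes`, and the join is written as `join (search, filter)` rather than naming the two result sets, so the sample does not trace as written; the commit only strips trailing whitespace on the `file_change.time` comparison. Suggest `service_process = filter process where (parent_exe == "services.exe")` and, presumably, `modified_service = join (file_change, service_process) where (` so the names line up with the variables defined above. The implementation block continues past the hunk.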
@@ -11,8 +12,8 @@ analytic_types: contributors: - MITRE id: CAR-2014-03-005 -description: |- - There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality. +description: | + There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality. When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the [RPC Endpoint Mapper](../CAR-2014-05-001) over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on `services.exe`. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command. @@ -32,7 +33,7 @@ coverage: coverage: Moderate implementations: - description: 'Look for processes launched from `services.exe` within 1 second of services.exe receiving a network connection.' - code: |- + code: | process = search Process:Create flow = search Flow:Start service = filter process where (parent_exe == "services.exe") diff --git a/analytics/CAR-2014-03-006.yaml b/analytics/CAR-2014-03-006.yaml index 99dd7772..b88fdfe8 100644 --- a/analytics/CAR-2014-03-006.yaml +++ b/analytics/CAR-2014-03-006.yaml 
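Review bot: The description's second paragraph, re-added on the new side, contains a doubled word: `the the SCM process will run the corresponding command` should read `the SCM process will run the corresponding command`. The `description` block scalar continues past the end of this hunk.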
@@ -1,3 +1,4 @@ +--- title: RunDLL32.exe monitoring submission_date: 2014/03/28 information_domain: Host diff --git a/analytics/CAR-2014-04-003.yaml b/analytics/CAR-2014-04-003.yaml index f5918290..edfe925f 100644 --- a/analytics/CAR-2014-04-003.yaml +++ b/analytics/CAR-2014-04-003.yaml @@ -1,3 +1,4 @@ +--- title: Powershell Execution submission_date: 2014/04/11 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-04-003 -description: |- +description: | [PowerShell](https://attack.mitre.org/techniques/T1059/001/) is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. Powershell can be used to hide monitored command line execution such as: 
@@ -31,29 +32,29 @@ coverage: coverage: Moderate implementations: - description: 'Look for versions of `PowerShell` that were not launched interactively.' - code: |- + code: | process = search Process:Create powershell = filter process where (exe == "powershell.exe" AND parent_exe != "explorer.exe" ) output powershell type: pseudocode - description: Splunk version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\powershell.exe" ParentImage!="C:\\Windows\\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName type: Splunk data_model: Sysmon native - description: EQL version of the above pseudocode. - code: |- + code: | process where subtype.create and (process_name == "powershell.exe" and parent_process_name != "explorer.exe") type: EQL data_model: EQL native - description: DNIF version of the above pseudocode. - code: |- + code: | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=powershell.exe NOT $ParentProcess=regex(.*explorer.exe.*)i limit 30 type: DNIF data_model: Sysmon native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" -parent_image="C:\Windows\explorer.exe" type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2014-05-001.yaml b/analytics/CAR-2014-05-001.yaml index a9e8e43e..f98f9c21 100644 --- a/analytics/CAR-2014-05-001.yaml +++ b/analytics/CAR-2014-05-001.yaml @@ -1,3 +1,4 @@ +--- title: RPC Activity submission_date: 2014/05/01 information_domain: Network diff --git a/analytics/CAR-2014-05-002.yaml b/analytics/CAR-2014-05-002.yaml index 183f25c4..d783a870 100644 --- a/analytics/CAR-2014-05-002.yaml +++ b/analytics/CAR-2014-05-002.yaml @@ -1,3 +1,4 @@ +--- title: Services launching Cmd submission_date: 2014/05/05 information_domain: Host 
diff --git a/analytics/CAR-2014-07-001.yaml b/analytics/CAR-2014-07-001.yaml index 49942a64..7ada440b 100644 --- a/analytics/CAR-2014-07-001.yaml +++ b/analytics/CAR-2014-07-001.yaml @@ -1,3 +1,4 @@ +--- title: Service Search Path Interception submission_date: 2014/07/17 information_domain: Host diff --git a/analytics/CAR-2014-11-002.yaml b/analytics/CAR-2014-11-002.yaml index ab3575ed..6679b7b5 100644 --- a/analytics/CAR-2014-11-002.yaml +++ b/analytics/CAR-2014-11-002.yaml @@ -1,3 +1,4 @@ +--- title: Outlier Parents of Cmd submission_date: 2014/11/06 information_domain: Host @@ -11,10 +12,10 @@ analytic_types: contributors: - MITRE id: CAR-2014-11-002 -description: |- +description: | Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning `cmd.exe` by looking for programs that do not normally create `cmd.exe`. - While this analytic does not take the user into account, doing so could generate further interesting results. + While this analytic does not take the user into account, doing so could generate further interesting results. It is very common for some programs to spawn cmd.exe as a subprocess, for example to run batch files or windows commands. However many process don’t routinely launch a command prompt – for example Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one. 
@@ -31,7 +32,7 @@ coverage: coverage: Moderate implementations: - description: 'Create a baseline of parents of `cmd.exe` seen over the last 30 days and a list of parents of `cmd.exe` seen today. Remove parents in the baseline from parents seen today, leaving a list of new parents.' - code: |- + code: | processes = search Process:Create cmd = filter processes where (exe == "cmd.exe") cmd = from cmd select parent_exe diff --git a/analytics/CAR-2014-11-003.yaml b/analytics/CAR-2014-11-003.yaml index a6e11f36..323defb4 100644 --- a/analytics/CAR-2014-11-003.yaml +++ b/analytics/CAR-2014-11-003.yaml @@ -1,3 +1,4 @@ +--- title: Debuggers for Accessibility Applications submission_date: 2014/11/21 information_domain: Host 
@@ -10,8 +11,8 @@ analytic_types: contributors: - MITRE id: CAR-2014-11-003 -description: |- - The Windows Registry location `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set. +description: | + The Windows Registry location `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set. This analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. 
Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility. coverage: @@ -24,13 +25,13 @@ coverage: coverage: Moderate implementations: - description: 'One simple way to implement this technique is to note that in a default Windows configuration there are no spaces in the path to the `system32` folder. If the accessibility programs are ever run with a Debugger set, then Windows will launch the Debugger process and append the command line to the accessibility program. As a result, a space is inserted in the command line before the path. Looking for any instances of a space in the command line before the name of an accessibility program will help identify when Debuggers are set.' - code: |- + code: | process = search Process:Create debuggers = filter process where (command_line match "$.* .*(sethc{{pipe}}utilman{{pipe}}osk{{pipe}}narrator{{pipe}}magnify)\.exe") output debuggers type: pseudocode - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 command IN ["$* *sethc.exe", "$* *utilman.exe", "$* *osk.exe", "$* *narrator.exe", "$* *magnify.exe"] type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2014-11-004.yaml b/analytics/CAR-2014-11-004.yaml index 2d0fbb94..2f1a534d 100644 --- a/analytics/CAR-2014-11-004.yaml +++ b/analytics/CAR-2014-11-004.yaml @@ -1,3 +1,4 @@ +--- title: Remote PowerShell Sessions submission_date: 2014/11/19 information_domain: 'Host, Network' 
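Review bot: In the pseudocode implementation of the second hunk the pattern `"$.* .*(sethc{{pipe}}utilman{{pipe}}osk{{pipe}}narrator{{pipe}}magnify)\.exe"` begins with `$`, which, if `match` is regex-based, is an end-of-input anchor in most dialects and would make the pattern unmatchable; a start anchor `^` (or no anchor, since `.*` already allows any prefix) is presumably what was meant, and the `{{pipe}}` tokens are presumably a site-template stand-in for `|` — both worth confirming against the consumer before the pattern is relied on. The LogPoint version carries the same leading `$` in its globs (`"$* *sethc.exe"`), so whatever the intent, the two implementations should agree. Only the chomping indicators change in this hunk, so both are pre-existing.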
@@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-11-004 -description: |- +description: | According to [ATT&CK](https://attack.mitre.org/), [PowerShell](https://attack.mitre.org/techniques/T1059/001) can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command `Enter-PSSession -ComputerName \` creates a remote PowerShell session. @@ -28,18 +29,18 @@ coverage: - T1021.006 coverage: Moderate implementations: - - code: |- + - code: | process = search Process:Create wsmprovhost = filter process where (exe == "wsmprovhost.exe" and parent_exe == "svchost.exe") type: pseudocode - description: EQL version of the above pseudocode. - code: |- + code: | process where subtype.create and - (process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe") + (process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe") type: EQL data_model: EQL native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="*\wsmprovhost.exe" parent_image="*\svchost.exe" type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2014-11-005.yaml b/analytics/CAR-2014-11-005.yaml index 1e65cf78..b7353054 100644 --- a/analytics/CAR-2014-11-005.yaml +++ b/analytics/CAR-2014-11-005.yaml @@ -1,3 +1,4 @@ +--- title: Remote Registry submission_date: 2014/11/19 information_domain: 'Host, Network' 
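Review bot: The description context in the first hunk reads `svchost.exe executes wsmprovhost.exe For this to work`, missing a period, and `Enter-PSSession -ComputerName \` where the hostname placeholder appears to have dropped out (likely an angle-bracketed token stripped as markup); since this block's header line is already rewritten, fix the sentence and restore a placeholder that survives rendering, e.g. `Enter-PSSession -ComputerName REMOTE_HOST` (constructed example). The EQL continuation re-indent in the second hunk is otherwise fine.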
@@ -11,7 +12,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-11-005 -description: |- +description: | An adversary can remotely [manipulate the registry](https://attack.mitre.org/techniques/T1112) of another machine if the RemoteRegistry service is enabled and valid credentials are obtained. While the registry is remotely accessed, it can be used to prepare a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique, [discover](https://attack.mitre.org/tactics/TA0007) the configuration of a host, achieve [Persistence](https://attack.mitre.org/tactics/TA0003), or anything that aids an adversary in achieving the mission. Like most ATT&CK techniques, this behavior can be used legitimately, and the reliability of an analytic depends on the proper identification of the pre-existing legitimate behaviors. Although this behavior is disabled in many Windows configurations, it is possible to [remotely enable](https://attack.mitre.org/techniques/T1569/002) the RemoteRegistry service, which can be detected with [CAR-2014-03-005](../CAR-2014-03-005). Remote access to the registry can be achieved via @@ -19,7 +20,7 @@ description: |- - Windows API function [RegConnectRegistry](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724840.aspx) - command line via `reg.exe` - graphically via `regedit.exe` - + All of these behaviors call into the Windows API, which uses the NamedPipe `WINREG` over SMB to handle the protocol information. This network can be decoded with wireshark or a similar sensor, and can also be detected by hooking the API function. coverage: - technique: T1112 @@ -27,7 +28,7 @@ coverage: - TA0005 coverage: Moderate implementations: - - code: |- + - code: | flows = search Flow:Message winreg = filter flows where (dest_port == 445 and proto_info.pipe == "WINREG") winreg_modify = filter flows where (proto_info.function == "Create*" or proto_info.function == "SetValue*") 
diff --git a/analytics/CAR-2014-11-006.yaml b/analytics/CAR-2014-11-006.yaml index 6569063f..2da7d7f9 100644 --- a/analytics/CAR-2014-11-006.yaml +++ b/analytics/CAR-2014-11-006.yaml @@ -1,3 +1,4 @@ +--- title: Windows Remote Management (WinRM) submission_date: 2014/11/19 information_domain: 'Host, Network' @@ -20,8 +21,8 @@ coverage: - T1021.006 coverage: Moderate implementations: - - description: 'Look for network connections to port 5985 and 5986. To really decipher what is going on, these outputs should be fed into something that can do packet analysis. ' - code: |- + - description: 'Look for network connections to port 5985 and 5986. To really decipher what is going on, these outputs should be fed into something that can do packet analysis.' + code: | flow = search Flow:Start winrm = filter flow where (dest_port == 5985) winrm_s = filter flow where (dest_port == 5986) diff --git a/analytics/CAR-2014-11-007.yaml b/analytics/CAR-2014-11-007.yaml index 29c7c5ee..fbf94b55 100644 --- a/analytics/CAR-2014-11-007.yaml +++ b/analytics/CAR-2014-11-007.yaml @@ -1,3 +1,4 @@ +--- title: Remote Windows Management Instrumentation (WMI) over RPC submission_date: 2014/11/19 information_domain: 'Host, Network' 
@@ -12,7 +13,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-11-007 -description: |- +description: | As described in ATT&CK, an adversary can use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to view or manipulate objects on a remote host. It can be used to remotely edit configuration, start services, query files, and anything that can be done with a WMI class. When remote WMI requests are over RPC ([CAR-2014-05-001](../CAR-2014-05-001)), it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as [Event Tracing for Windows](https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803.aspx). Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected. Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. @@ -28,7 +29,7 @@ coverage: coverage: Moderate implementations: - description: 'To detect WMI over RPC (using DCOM), a sensor needs to exist that has the insight into individual connections and can actually decode and make sense of RPC traffic. Specifically, WMI can be detected by looking at RPC traffic where the target interface matches that of WMI, which is IRemUnknown2. ' - code: |- + code: | flows = search Flow:Message wmi_flow = filter flows where (dest_port == 135 and proto_info.rpc_interface == "IRemUnknown2") output wmi_flow diff --git a/analytics/CAR-2014-11-008.yaml b/analytics/CAR-2014-11-008.yaml index ad43b82a..dac63175 100644 --- a/analytics/CAR-2014-11-008.yaml 
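Review bot: The single-quoted implementation description in the second hunk still ends with a trailing space inside the quotes (`...which is IRemUnknown2. '`), which becomes part of the value; the parallel hunk for CAR-2014-11-006 trims exactly this, so trim it here as well: `...which is IRemUnknown2.'`. It is a context line, so the commit does not currently touch it.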
+++ b/analytics/CAR-2014-11-008.yaml @@ -1,3 +1,4 @@ +--- title: Command Launched from WinLogon submission_date: 2014/11/19 information_domain: Host diff --git a/analytics/CAR-2014-12-001.yaml b/analytics/CAR-2014-12-001.yaml index 8f13dfa6..892a2c06 100644 --- a/analytics/CAR-2014-12-001.yaml +++ b/analytics/CAR-2014-12-001.yaml @@ -1,3 +1,4 @@ +--- title: Remotely Launched Executables via WMI submission_date: 2014/12/02 information_domain: 'Host, Network' @@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-12-001 -description: |- +description: | Adversaries can use [Windows Management Instrumentation (WMI)](https://attack.mitre.org/techniques/T1047) to move laterally by launching executables remotely. For adversaries to achieve this, they must open a WMI connection to a remote host. This RPC activity is currently detected by [CAR-2014-11-007](../CAR-2014-11-007). After the WMI connection has been initialized, a process can be remotely launched using the command: `wmic /node:"" process call create ""`, which is detected via [CAR-2016-03-002](../CAR-2016-03-002). This leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the the remote machine. @@ -26,7 +27,7 @@ description: |- - ASCII `CF` (printable text only) This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic. - The transfer syntax is + The transfer syntax is - UUID `8a885d04-1ceb-11c9-9fe8-08002b104860` (decoded) - Hex `04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60` (raw) 
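Review bot: The unchanged description line in the `@@ -10,7 +11,7 @@` hunk still has `communicate with the the remote machine`, and the quoted command `wmic /node:"" process call create ""` has lost its placeholders (presumably angle-bracketed tokens stripped as markup), so the sentence no longer shows what gets substituted. Fix the doubled word and restore placeholders that survive rendering, e.g. `wmic /node:"HOST" process call create "COMMAND"` (constructed example). The `The transfer syntax is` hunk only strips trailing whitespace.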
@@ -47,7 +48,7 @@ coverage: coverage: High implementations: - description: 'Look for instances of the WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from `wmiprvse.exe` in this time frame, it is possible for race conditions to occur, and the wrong process may be merged. If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted.' - code: |- + code: | processes = search Process:Create wmi_children = filter processes where (parent_exe == "wmiprvse.exe") @@ -55,8 +56,8 @@ implementations: wmi_flow = filter flows where (src_port >= 49152 and dest_port >= 49152 and proto_info.rpc_interface == "IRemUnknown2") remote_wmi_process = join wmi_children, wmi_flow where ( - wmi_flow.time < wmi_children.time < wmi_flow.time + 1sec and - wmi_flow.hostname == wmi_children.hostname + wmi_flow.time < wmi_children.time < wmi_flow.time + 1sec and + wmi_flow.hostname == wmi_children.hostname ) output remote_wmi_process diff --git a/analytics/CAR-2015-04-001.yaml b/analytics/CAR-2015-04-001.yaml index 1979d45b..00093f42 100644 --- a/analytics/CAR-2015-04-001.yaml +++ b/analytics/CAR-2015-04-001.yaml @@ -1,3 +1,4 @@ +--- title: Remotely Scheduled Tasks via AT submission_date: 2015/04/29 information_domain: 'Host, Network' diff --git a/analytics/CAR-2015-04-002.yaml b/analytics/CAR-2015-04-002.yaml index 123815e6..5455c0f2 100644 --- a/analytics/CAR-2015-04-002.yaml +++ b/analytics/CAR-2015-04-002.yaml @@ -1,3 +1,4 @@ +--- title: Remotely Scheduled Tasks via Schtasks submission_date: 2015/04/29 information_domain: 'Host, Network' diff --git a/analytics/CAR-2015-07-001.yaml b/analytics/CAR-2015-07-001.yaml index 786300f3..206c1b30 100644 --- a/analytics/CAR-2015-07-001.yaml +++ b/analytics/CAR-2015-07-001.yaml 
@@ -1,3 +1,4 @@ +--- title: All Logins Since Last Boot submission_date: 2015/07/17 information_domain: Host diff --git a/analytics/CAR-2016-03-001.yaml b/analytics/CAR-2016-03-001.yaml index 55e10a9e..b0f899e2 100644 --- a/analytics/CAR-2016-03-001.yaml +++ b/analytics/CAR-2016-03-001.yaml @@ -1,3 +1,4 @@ +--- title: Host Discovery Commands submission_date: 2016/03/24 information_domain: Host @@ -12,7 +13,7 @@ analytic_types: contributors: - MITRE id: CAR-2016-03-001 -description: |- +description: | When entering on a host for the first time, an adversary may try to [discover](https://attack.mitre.org/tactics/TA0007) information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when [establishing persistence](https://attack.mitre.org/tactics/TA0003), [escalating privileges](https://attack.mitre.org/tactics/TA0004), or [moving laterally](https://attack.mitre.org/tactics/TA0008). Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically. 
@@ -68,34 +69,34 @@ coverage: coverage: Moderate implementations: - description: 'To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.' - code: |- + code: | process = search Process:Create info_command = filter process where ( - exe == "hostname.exe" or - exe == "ipconfig.exe" or - exe == "net.exe" or - exe == "quser.exe" or + exe == "hostname.exe" or + exe == "ipconfig.exe" or + exe == "net.exe" or + exe == "quser.exe" or exe == "qwinsta.exe" or exe == "sc" and (command_line match " query" or command_line match " qc")) or - exe == "systeminfo.exe" or - exe == "tasklist.exe" or + exe == "systeminfo.exe" or + exe == "tasklist.exe" or exe == "whoami.exe" ) output info_command type: pseudocode - description: Splunk version of the above pseudocode search. - code: |- + code: | index=__your_sysmon_index__ EventCode=1 (Image="C:\\Windows\\*\\hostname.exe" OR Image="C:\\Windows\\*\\ipconfig.exe" OR Image="C:\\Windows\\*\\net.exe" OR Image="C:\\Windows\\*\\quser.exe" OR Image="C:\\Windows\\*\\qwinsta.exe" OR (Image="C:\\Windows\\*\\sc.exe" AND (CommandLine="* query *" OR CommandLine="* qc *")) OR Image="C:\\Windows\\*\\systeminfo.exe" OR Image="C:\\Windows\\*\\tasklist.exe" OR Image="C:\\Windows\\*\\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName type: Splunk - data_mode: Sysmon native + data_model: Sysmon native - description: EQL version of the above pseudocode search. 
- code: |- + code: | process where subtype.create and (process_name == "hostname.exe" or process_name == "ipconfig.exe" or process_name == "net.exe" or process_name == "quser.exe" process_name == "qwinsta.exe" or process_name == "systeminfo.exe" or process_name == "tasklist.exe" or process_name == "whoami.exe" or (process_name == "sc.exe" and (command_line == "* query *" or command_line == "* qc *"))) type: EQL - data_mode: EQL native + data_model: EQL native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 (image in ["*\hostname.exe", "*\ipconfig.exe", "*\net.exe", "*\quser.exe", "*\qwinsta.exe", "*\systeminfo.exe", "*\tasklist.exe", "*\whoami.exe"] OR (image="*\sc.exe" command IN ["* query *", "* qc *")) type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2016-03-002.yaml b/analytics/CAR-2016-03-002.yaml index 9b940e43..60808188 100644 --- a/analytics/CAR-2016-03-002.yaml +++ b/analytics/CAR-2016-03-002.yaml @@ -1,3 +1,4 @@ +--- title: Create Remote Process via WMIC submission_date: 2016/03/28 information_domain: Host 
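Review bot: Two of the query strings this hunk re-chomps are syntactically broken on the new side and the commit leaves them as they were: the EQL implementation has no `or` between `process_name == "quser.exe"` and `process_name == "qwinsta.exe"`, and the LogPoint implementation closes its `command IN [...]` list with `)` instead of `]`, so it should read `command IN ["* query *", "* qc *"]))`. The pseudocode block's parentheses also do not balance — `exe == "sc" and (command_line match " query" or command_line match " qc")) or` closes the outer `where (` early and leaves the final `)` unmatched; presumably `(exe == "sc" and (command_line match " query" or command_line match " qc")) or` was intended. The `data_mode` → `data_model` renames here (and in CAR-2016-03-002, -04-002, -04-003 and -04-005) are the kind of key typo that non-strict schema validation lets through silently, so strict validation once the key set is settled would catch the next one; query text itself is not checked by any lint in this commit.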
@@ -10,8 +11,8 @@ analytic_types: contributors: - MITRE id: CAR-2016-03-002 -description: |- - Adversaries may use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to move laterally, by launching executables remotely.The analytic [CAR-2014-12-001](../CAR-2014-12-001) describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility `wmic.exe` is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like `wmic.exe /node:"\" process call create "\"`. It is possible to also connect via IP address, in which case the string `"\"` would instead look like `IP Address`. +description: | + Adversaries may use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to move laterally, by launching executables remotely.The analytic [CAR-2014-12-001](../CAR-2014-12-001) describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility `wmic.exe` is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like `wmic.exe /node:"\" process call create "\"`. It is possible to also connect via IP address, in which case the string `"\"` would instead look like `IP Address`. Although this analytic was created after [CAR-2014-12-001](../CAR-2014-12-001), it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility [PowerShell](https://attack.mitre.org/T1059/001). coverage: 
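Review bot: The rewritten description line still has `remotely.The analytic` (missing space after the period) and links PowerShell to `https://attack.mitre.org/T1059/001`, which lacks the `/techniques/` path segment every other ATT&CK link in these files uses (`https://attack.mitre.org/techniques/T1059/001`). Both are on the new `+` line, so they can be fixed in this commit. As in CAR-2014-12-001, the quoted `wmic.exe /node:"\" process call create "\"` example appears to have lost its placeholders and would read better with constructed ones such as `HOST` and `COMMAND`.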
@@ -20,32 +21,32 @@ coverage: - TA0002 coverage: Low implementations: - - description: |- + - description: | Looks for instances of wmic.exe as well as the substrings in the command line: * `process call create` * `/node:` - code: |- + code: | processes = search Process:Create wmic = filter processes where (exe == "wmic.exe" and command_line == "* process call create *" and command_line == "* /node:*") output wmic type: pseudocode - description: Splunk version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\wmic.exe" CommandLine="* process call create *"|search CommandLine="* /node:*" type: Splunk - data_mode: Sysmon native + data_model: Sysmon native - description: EQL version of the above pseudocode. - code: |- + code: | process where subtype.create and (process_name == "wmic.exe" and command_line == "* process call create ") |filter command_line == "* /node:*" type: EQL - data_mode: EQL native + data_model: EQL native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="C:\\Windows\\*\\wmic.exe" command="* process call create *" command="* /node:*" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native data_model_references: - process/create/exe - process/create/command_line diff --git a/analytics/CAR-2016-04-002.yaml b/analytics/CAR-2016-04-002.yaml index 9306a8c0..f5637fa5 100644 --- a/analytics/CAR-2016-04-002.yaml +++ b/analytics/CAR-2016-04-002.yaml 
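Review bot: The EQL implementation's pattern `command_line == "* process call create "` ends with a space rather than `*`, while the pseudocode, Splunk and LogPoint versions all match `"* process call create *"`; as written the EQL version can only match a command line that ends exactly with `process call create ` and so never reaches the `|filter command_line == "* /node:*"` stage. The fix is `command_line == "* process call create *"` on that line. Only the chomping indicators and `data_mode` keys change in this hunk, so the mismatch is pre-existing.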
@@ -16,7 +16,7 @@ contributors: - Cyware Labs - Lucas Heiligenstein id: CAR-2016-04-002 -description: 'It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. +description: 'It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. 1. This is often done using `wevtutil`, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. 2. Alerting when a `Clear Event Log` is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk. 3. Attackers may set the option of the sources of events with `Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite` to not delete old Evenlog when the .evtx is full. By default the Security Log size is configured with the minimum value of 20 480KB (~23 000 EventLog). So if this option is enabled, all the new EventLogs will be automatically deleted. We can detect this behavior with the Security EventLog 1104. 
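Review bot: This description is a single-quoted scalar spanning several lines, so YAML folds its line breaks into spaces and the `1.` / `2.` / `3.` list becomes one run-on paragraph; every other analytic touched by this commit uses `description: |`, and converting this one (dropping the surrounding quotes and indenting the body under `description: |`) would preserve the list and match the rest. The hunk only strips trailing whitespace from the opening line. The third item also has `Evenlog` for `EventLog`.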
@@ -32,7 +32,7 @@ coverage: implementations: - name: PseudoCode for dedicated EventID EventLog deletion description: 'When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For Security logs, its event code 1100 and 1102. For System logs, it is event code 104.' - code: |- + code: | ([log_name] == "Security" and [event_code] in [1100, 1102, 1104]) or ([log_name] == "System" and [event_code] == 104) type: pseudocode @@ -44,13 +44,13 @@ implementations: type: Sigma - name: LogPoint version of the above pseudocode. description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WinServer ((channel="Security" event_id IN [1100,1102]) OR (channel="System" event_id=104)) type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native - name: Splunk search - Detecting log clearing with wevtutil - description: This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs. - code: |- + description: This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs. + code: | index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 (Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog) data_model: Sysmon native type: Splunk @@ -66,7 +66,7 @@ unit_tests: commands: - del C:\Windows\System32\winevt\logs\Security.evtx - Remove-Item C:\Windows\System32\winevt\logs\Security.evtx - - description: Unregister EventLog source + - description: Unregister EventLog source commands: - Remove-EventLog -LogName Security data_model_references: 
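Review bot: The LogPoint implementation in the `@@ -44,13 +44,13 @@` hunk matches Security `event_id IN [1100,1102]` while the pseudocode in the `@@ -32,7 +32,7 @@` hunk (and item 3 of the description) also includes 1104, so the two implementations do not detect the same thing; either extend it to `event_id IN [1100,1102,1104]` or state in its description that it is narrower. The pseudocode's own description, `For Security logs, its event code 1100 and 1102`, likewise omits 1104 and should read `For Security logs, the event codes are 1100, 1102 and 1104`. Only the chomping indicators and the `data_mode` key change in these hunks.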
diff --git a/analytics/CAR-2016-04-003.yaml b/analytics/CAR-2016-04-003.yaml index 9aeaa6df..b5a49423 100644 --- a/analytics/CAR-2016-04-003.yaml +++ b/analytics/CAR-2016-04-003.yaml @@ -1,3 +1,4 @@ +--- title: User Activity from Stopping Windows Defensive Services submission_date: 2016/04/15 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE/NSA id: CAR-2016-04-003 -description: |- +description: | Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation. Stopping services events are Windows Event Code 7036. @@ -23,19 +24,19 @@ coverage: coverage: Low implementations: - description: Windows Event code 7036 from the System log identifies if a service has stopped or started. This analytic looks for "Windows Defender" or "Windows Firewall" that has stopped. - code: |- + code: | log_name == "System" AND event_code == "7036" param1 in ["Windows Defender", "Windows Firewall"] AND param2 == "stopped" type: pseudocode - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WinServer channel="System" event_id=7036 param1 in ["Windows Defender", "Windows Firewall"] param2="stopped" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native unit_tests: - - configurations: + - configurations: - Windows 7 description: From an administrative user powershell console, run the Stop-Service command. commands: @@ -45,4 +46,3 @@ d3fend_mappings: - iri: d3f:SystemDaemonMonitoring id: D3-SDM label: System Daemon Monitoring - diff --git a/analytics/CAR-2016-04-004.yaml b/analytics/CAR-2016-04-004.yaml index af625e7d..19511124 100644 --- a/analytics/CAR-2016-04-004.yaml 
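Review bot: The pseudocode implementation in the `@@ -23,19 +24,19 @@` hunk appears to have no operator between `event_code == "7036"` and `param1 in [...]`, so the expression is incomplete; an explicit conjunction is needed, `log_name == "System" AND event_code == "7036" AND param1 in ["Windows Defender", "Windows Firewall"] AND param2 == "stopped"`. The other pseudocode blocks in this commit compare event codes as integers (`[event_code] in [1100, 1102, 1104]`), so `event_code == 7036` would also be more consistent. These lines are context, so the commit leaves them as they were.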
+++ b/analytics/CAR-2016-04-004.yaml @@ -1,3 +1,4 @@ +--- title: Successful Local Account Login submission_date: 2016/04/18 information_domain: Host @@ -19,13 +20,13 @@ coverage: - T1550.002 coverage: Moderate implementations: - - description: 'This analytic will look for remote logins, using a non domain login, from one host to another, using NTL authentication where the account is not "ANONYMOUS LOGON" ' - code: |- + - description: 'This analytic will look for remote logins, using a non domain login, from one host to another, using NTL authentication where the account is not "ANONYMOUS LOGON".' + code: | EventCode == 4624 and [target_user_name] != "ANONYMOUS LOGON" and [authentication_package_name] == "NTLM" type: pseudocode unit_tests: - - configurations: + - configurations: - Windows 7 description: As an adminstrator, create a new user. Then, logon to the host with that new user. This is generate the event. commands: diff --git a/analytics/CAR-2016-04-005.yaml b/analytics/CAR-2016-04-005.yaml index c1c7b73d..cd055c4b 100644 --- a/analytics/CAR-2016-04-005.yaml +++ b/analytics/CAR-2016-04-005.yaml @@ -1,3 +1,4 @@ +--- title: Remote Desktop Logon submission_date: 2016/04/19 information_domain: Host @@ -32,7 +33,7 @@ implementations: code: |- norm_id=WinServer event_id=4624 package="Negotiate" log_level="INFO" logon_type=10 type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native d3fend_mappings: - iri: d3f:RemoteTerminalSessionDetection id: D3-RTSD diff --git a/analytics/CAR-2019-04-001.yaml b/analytics/CAR-2019-04-001.yaml index f466054d..25eef8e3 100644 --- a/analytics/CAR-2019-04-001.yaml +++ b/analytics/CAR-2019-04-001.yaml 
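Review bot: The rewritten description line in the CAR-2016-04-004 hunk still says `using NTL authentication`, while the pseudocode directly below tests `[authentication_package_name] == "NTLM"`, so it should read `using NTLM authentication where the account is not "ANONYMOUS LOGON".` The unit-test description in the same hunk has `adminstrator` and `This is generate the event` (`This generates the event`). In the CAR-2016-04-005 hunk below, `code: |-` is left as a context line while every other implementation in this commit is switched to `code: |`, which makes that file the lone exception; if the change is intentional there, a word in the commit message would help.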
@@ -11,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2019-04-001 -description: |- +description: | Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source [UACME](https://github.com/hfiref0x/UACME) tool. coverage: - technique: T1548 
@@ -22,12 +22,12 @@ coverage: coverage: Low implementations: - description: This Splunk query looks for specific invocations of UACME, representing different ways to bypass user account control. - code: |- + code: | index=_your_sysmon_index_ EventCode=1 IntegrityLevel=High|search (ParentCommandLine="\"c:\\windows\\system32\\dism.exe\"*""*.xml" AND Image!="c:\\users\\*\\appdata\\local\\temp\\*\\dismhost.exe") OR ParentImage=c:\\windows\\system32\\fodhelper.exe OR (CommandLine="\"c:\\windows\\system32\\wusa.exe\"*/quiet*" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\\windows\\system32\\ AND ParentImage!=c:\\windows\\explorer.exe) OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*" OR (ParentImage="c:\\windows\\*dccw.exe" AND Image!="c:\\windows\\system32\\cttune.exe") OR Image="c:\\program files\\windows media player\\osk.exe" OR ParentImage="c:\\windows\\system32\\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\\windows\\system32\\dism.exe%"), "UACME #23", like(lower(Image),"c:\\program files\\windows media player\\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\\windows\\system32\\fodhelper.exe"), "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\\windows\\system32\\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\\windows\\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\\windows\\system32\\slui.exe"), "UACME #45") type: splunk data_model: Sysmon native - - description: This is a pseudocode version of the above Splunk query. - code: |- + - description: This is a pseudocode version of the above Splunk query. + code: | processes = search Process:Create possible_uac_bypass = filter processes where ( integrity_level == "High" and 
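Review bot: The Splunk query's index placeholder `index=_your_sysmon_index_` uses single underscores, while the same placeholder is spelled `__your_sysmon_data__` in CAR-2019-04-002 and CAR-2019-04-004, `__your_sysmon_events__` in CAR-2019-04-003 and `__your_sysmon_index__` in CAR-2019-07-002 onward. Anyone applying these queries with a search-and-replace on one token will silently leave the others untouched, so a single spelling (`__your_sysmon_index__`, the majority form) across the analytics would be safer. The hunk itself only touches chomping and trailing whitespace, so this can be a follow-up.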
@@ -36,8 +36,8 @@ implementations: (image_path == "c:\program files\windows media player\osk.exe") or (parent_image_path == "c:\windows\system32\slui.exe") or (parent_command_line == '"c:\windows\system32\dism.exe"*""*.xml"' and image_path != "c:\users\*\appdata\local\temp\*\dismhost.exe") or - (command_line == '"c:\windows\system32\wusa.exe"*/quiet*' and user != "NOT_TRANSLATED" and current_working_directory == "c:\windows\system32\" and parent_image_path != "c:\windows\explorer.exe") or - (parent_image_path == "c:\windows\*dccw.exe" and image_path != "c:\windows\system32\cttune.exe") + (command_line == '"c:\windows\system32\wusa.exe"*/quiet*' and user != "NOT_TRANSLATED" and current_working_directory == "c:\windows\system32\" and parent_image_path != "c:\windows\explorer.exe") or + (parent_image_path == "c:\windows\*dccw.exe" and image_path != "c:\windows\system32\cttune.exe") ) output possible_uac_bypass type: pseudocode @@ -49,10 +49,10 @@ implementations: description: '[Sigma](https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml) rule for detecting sdclt-based UAC bypass.' type: Sigma - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 integrity_level="High" ((parent_image="c:\windows\system32\fodhelper.exe" OR command='*.exe"*cleanmgr.exe /autoclean*' OR image="c:\program files\windows media player\osk.exe" OR parent_image="c:\windows\system32\slui.exe") OR (parent_command='"c:\windows\system32\dism.exe"*""*.xml"' -image="c:\users\*\appdata\local\temp\*\dismhost.exe") OR (parent_image="c:\windows\*dccw.exe" -image="c:\windows\system32\cttune.exe") OR (command='"c:\windows\system32\wusa.exe"*/quiet*' -user="NOT_TRANSLATED" path="c:\windows\system32\" -parent_image="c:\windows\explorer.exe")) type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native data_model_references: - process/create/image_path - process/create/parent_image_path 
diff --git a/analytics/CAR-2019-04-002.yaml b/analytics/CAR-2019-04-002.yaml index bf7ad33b..b03834ef 100644 --- a/analytics/CAR-2019-04-002.yaml +++ b/analytics/CAR-2019-04-002.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2019-04-002 -description: |- +description: | Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually. coverage: - technique: T1218 @@ -23,13 +23,13 @@ coverage: implementations: - name: Main Pattern description: This just looks for all executions of regsvr32.exe that have a parent of regsvr32.exe but are not regsvr32.exe themselves (which happens). This will have a very high FP rate, but likely not on the order of millions. - code: |- + code: | index=__your_sysmon_data__ EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" type: splunk data_model: Sysmon native - name: Main Pattern - pseudocode description: This is a pseudocode version of the above main pattern. - code: |- + code: | processes = search Process:Create regsvr_processes = filter processes where ( parent_image_path == "*regsvr32.exe" and image_path != "*regsvr32.exe*" 
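Review bot: The Main Pattern description says it looks for `executions of regsvr32.exe that have a parent of regsvr32.exe but are not regsvr32.exe themselves`, which contradicts itself; the query (`ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"`) actually selects child processes of regsvr32 that are not themselves regsvr32. Suggest `description: This looks for processes whose parent is regsvr32.exe but which are not themselves regsvr32.exe (which happens). This will have a very high FP rate, but likely not on the order of millions.`. The pseudocode implementation below mirrors the same logic, so its wording stays accurate once the main description is fixed.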
@@ -39,20 +39,20 @@ implementations: data_model: CAR - name: New items since last month description: This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day). - code: |- + code: | index=__your_sysmon_data__ earliest=-d@d latest=now() EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | search NOT [ search index=__your_sysmon_data__ earliest=-60d@d latest=-30d@d EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | dedup CommandLine | fields CommandLine ] type: splunk data_model: Sysmon native - name: Spawning child processes description: This looks for child processes that may be spawend by regsvr32, while attempting to eliminate some of the common false positives such as werfault (Windows Error Reporting). - code: |- + code: | index=__your_sysmon_data__ EventCode=1 (ParentImage="C:\\Windows\\System32\\regsvr32.exe" OR ParentImage="C:\\Windows\\SysWOW64\\regsvr32.exe") AND Image!="C:\\Windows\\System32\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\regsvr32.exe" AND Image!="C:\\WINDOWS\\System32\\regsvr32.exe" AND Image!="C:\\WINDOWS\\SysWOW64\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\WerFault.exe" AND Image!="C:\\Windows\\System32\\wevtutil.exe" AND Image!="C:\\Windows\\System32\\WerFault.exe"|stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image type: splunk data_model: Sysmon native - name: Spawning child processes - pseudocode description: This is a pseudocode version of the above Splunk query for spawning child processes. - code: |- + code: | processes = search Process:Create regsvr_processes = filter processes where ( (parent_image_path == "C:\Windows\System32\regsvr32.exe" or parent_image_path == "C:\Windows\SysWOW64\regsvr32.exe") and 
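Review bot: In the `New items since last month` query the baseline subsearch uses `earliest=-60d@d latest=-30d@d`, so a command line first seen between 30 days ago and yesterday is absent from the baseline and will be reported as new again, which does not match the description's "previous 30 days"; either the text or the window (e.g. `earliest=-30d@d latest=-d@d`) should change. The Outliers query in CAR-2019-04-004 (@@ -25,37) has the same shape, with a `-7d@d..-2d@d` baseline against a `-d@d..now()` run window that leaves one day uncovered. Separately, the `Spawning child processes` exclusion list drops `C:\\Windows\\System32\\wevtutil.exe` alongside the WerFault entries; regsvr32 spawning the event-log utility is not an obvious benign case, so that entry deserves a comment explaining why it is treated as a false positive, or should be removed from the list.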
@@ -67,24 +67,24 @@ implementations: data_model: CAR - name: Loading unsigned images description: This looks for unsigned images that may be loaded by regsvr32, while attempting to eliminate false positives stemming from Windows/Program Files binaries. - code: |- - index=__your_sysmon_data__ EventCode=7 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") Signed=false ImageLoaded!="C:\\Program Files*" ImageLoaded!="C:\\Windows\\*"|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded + code: | + index=__your_sysmon_data__ EventCode=7 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") Signed=false ImageLoaded!="C:\\Program Files*" ImageLoaded!="C:\\Windows\\*"|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded type: splunk data_model: Sysmon native - name: Loading unsigned images - pseudocode description: This is a pseudocode version of the above Splunk query for loading unsigned images. - code: |- + code: | modules = search Module:Load unsigned_modules = filter modules where ( (image_path == "C:\Windows\System32\regsvr32.exe" or image_path == "C:\Windows\SysWOW64\regsvr32.exe") and - signer == null and + signer == null and module_path != "C:\Program Files*" and module_path != "C:\Windows\*" ) output unsigned_modules type: pseudocode data_model: CAR -unit_tests: +unit_tests: - description: Any of the [Atomic Red Team tests for regsvr32.exe](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md) should trigger this. data_model_references: - process/create/exe diff --git a/analytics/CAR-2019-04-003.yaml b/analytics/CAR-2019-04-003.yaml index 23eca7f8..cfe44e7e 100644 --- a/analytics/CAR-2019-04-003.yaml +++ b/analytics/CAR-2019-04-003.yaml 
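Review bot: The pseudocode treats `signer == null` as "unsigned" while the Splunk form tests `Signed=false`; if the CAR Module:Load model can leave `signer` unset when no signature data was collected, the pseudocode is broader than the query it claims to mirror, and the description should say which reading is intended. The unit test still links to `atomics/T1117/T1117.md`; T1117 appears to have been folded into T1218.010 (this file's `coverage` already targets T1218), so the link may no longer resolve and is worth re-checking.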
@@ -11,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2019-04-003 -description: |- +description: | Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS. Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible. @@ -24,18 +24,18 @@ coverage: coverage: Moderate implementations: - description: This looks for any and all usage of the scrobj DLL, which is what is used to run COM scriptlets, so it'll detect both loading from network as well as filesystem. This will have almost zero false positives so is suitable for alerting. - code: |- + code: | index=__your_sysmon_events__ EventCode=1 regsvr32.exe scrobj.dll | search Image="*regsvr32.exe" type: splunk data_model: Sysmon native - - description: EQL version of the above Splunk search. - code: |- + - description: EQL version of the above Splunk search. + code: | process where subtype.create and (process_path == "*regsvr32.exe" and command_line == "*scrobj.dll") type: EQL data_model: EQL native - description: Pseudocode version of the above Splunk search. - code: |- + code: | processes = search Process:Create squiblydoo_processes = filter processes where ( image_path == "*regsvr32.exe" and command_line == "*scrobj.dll" 
@@ -44,12 +44,13 @@ implementations: type: psuedocode data_model: CAR - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="*\regsvr32.exe" command="*scrobj.dll" type: LogPoint - data_mode: LogPoint native -unit_tests: - - description: The [Atomic Red Team test for Squiblydoo](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution) is a good test case for this. + data_model: LogPoint native +unit_tests: + - description: | + The [Atomic Red Team test for Squiblydoo](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution) is a good test case for this. data_model_references: - process/create/exe - process/create/command_line diff --git a/analytics/CAR-2019-04-004.yaml b/analytics/CAR-2019-04-004.yaml index 35c4e0c1..e248298d 100644 --- a/analytics/CAR-2019-04-004.yaml +++ b/analytics/CAR-2019-04-004.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2019-04-004 -description: |- +description: | Credential dumpers like Mimikatz can be loaded into memory and from there read data from another processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are “overtuned” to look for common access patterns used by Mimikatz. *This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn’t have a CAR data model mapping, since we currently lack any open/access actions for Processes. If this changes, we will update the data model requirements.* 
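Review bot: `type: psuedocode`, two context lines above the `code:` change in CAR-2019-04-003, is misspelled; every other implementation on this page uses `pseudocode`, so any consumer or schema that keys on `type` will not recognise this one. Suggest `type: pseudocode`. Related: CAR-2019-07-002, CAR-2019-08-001 and CAR-2019-08-002 write `type: Pseudocode` and `type: Splunk` with capitals while the earlier files use `pseudocode` and `splunk`, so if `type` is ever validated as an enum the casing should be normalised in the same pass.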
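Review bot: The first description line of CAR-2019-04-004 (@@ -11,7) reads `read data from another processes`; since the block is being touched for the chomping change, `read data from other processes` would fix the agreement. Nothing else in that hunk changes apart from `|-` becoming `|`, whose trailing-newline effect applies here as to the other descriptions.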
@@ -25,37 +25,36 @@ coverage: implementations: - name: Common Mimikatz GrantedAccess Patterns description: This is specific to the way Mimikatz works currently, and thus is fragile to both future updates and non-default configurations of Mimikatz. - code: |- - index=__your_sysmon_data__ EventCode=10 + code: | + index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) - CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)" + CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)" | table _time hostname user SourceImage GrantedAccess type: splunk data_model: Sysmon native - name: Outliers description: This is an outlier version of the above without including the specific call trace. This should work in more (but not all) situations however runs more slowly and will have more false positives - typically installers. 
- code: |- + code: | earliest=-d@d latest=now() index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" - (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) - | search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) - | dedup SourceImage + (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) + | search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) + | dedup SourceImage | fields SourceImage ] | table _time hostname user SourceImage GrantedAccess type: splunk data_model: Sysmon native - description: LogPoint version of the above pseudocode. 
- code: |- - norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" (access="0x1410" OR access="0x1010" OR access="0x1438" OR access="0x143a" OR access="0x1418") call_trace="C:\windows\SYSTEM32\ntdll.dll+*|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)" + code: | + norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" (access="0x1410" OR access="0x1010" OR access="0x1438" OR access="0x143a" OR access="0x1418") call_trace="C:\windows\SYSTEM32\ntdll.dll+*|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)" | fields log_ts, host, user, source_image, access type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native references: - Credit to [Cyb3rWard0g](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/playbooks/windows/06_credential_access/credential_dumping_T1003/credentials_from_memory/mimikatz_logonpasswords.md), dim0x69 (blog.3or.de), and Mark Russinovich for providing much of the information used to construct these analytics. d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA label: Process Spawn Analysis - diff --git a/analytics/CAR-2019-07-001.yaml b/analytics/CAR-2019-07-001.yaml index f5362b47..6f2507d7 100644 --- a/analytics/CAR-2019-07-001.yaml +++ b/analytics/CAR-2019-07-001.yaml @@ -55,7 +55,7 @@ implementations: code: |- norm_id=WindowsSysmon channel="Security" event_id=4670 object_type="File" -user_id="S-1-5-18" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native unit_tests: - description: 'For Windows - right click on any file and change its permissions under properties. Or, execute the following command: `icacls "C:\" /grant :F`' - description: 'For Linux - execute the following command: `chmod 777 "fileName"`' diff --git a/analytics/CAR-2019-07-002.yaml b/analytics/CAR-2019-07-002.yaml index 291eb7b8..f6e7a5e9 100644 --- a/analytics/CAR-2019-07-002.yaml +++ b/analytics/CAR-2019-07-002.yaml 
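Review bot: The LogPoint implementation in CAR-2019-04-004 is described as `LogPoint version of the above pseudocode`, but this analytic has no pseudocode implementation (its description says process access has no CAR data-model mapping) and the two preceding implementations are Splunk searches, so `description: LogPoint version of the above Splunk search.` would be accurate. The Common Mimikatz GrantedAccess Patterns query pins `CallTrace` to `KERNELBASE.dll+20edd`, a build-specific offset; the description already calls the pattern fragile, but a comment naming the Windows build the offset was taken from would tell an analyst when it has gone stale.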
@@ -13,8 +13,8 @@ contributors: - Tony Lambert/Red Canary - MITRE id: CAR-2019-07-002 -description: |- - [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. +description: | + [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name. @@ -29,7 +29,7 @@ coverage: implementations: - name: Procdump - Process Create description: This base pseudocode looks for process create events where an instance of procdump is executed that references lsass in the command-line. - code: |- + code: | processes = search Process:Create procdump_lsass = filter processes where ( exe = "procdump*.exe" and @@ -38,7 +38,7 @@ implementations: type: Pseudocode - name: Procdump - Process Create description: A Splunk/Sysmon version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*" type: Splunk data_model: Sysmon native 
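Review bot: The rewritten first line of the description keeps `a sysinternal command-line utility`; the product family is Sysinternals, so `is a Sysinternals command-line utility` is the intended wording. In the @@ -29,7 and @@ -38,7 hunks of this file the pseudocode and Splunk implementations both carry `name: Procdump - Process Create`; if `name` is used as an anchor or heading id when the analytic is rendered, the duplicate will collide, so a distinguishing suffix such as `Procdump - Process Create (Splunk)` would avoid that. The pseudocode also uses a single `=` (`exe = "procdump*.exe"`) where the CAR pseudocode in earlier files uses `==`, which is worth normalising if the pseudocode is ever parsed.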
@@ -47,7 +47,7 @@ implementations: type: EQL - name: Procdump - Process Access description: A related Splunk search, which instead of looking for process create events looks for process access events that target lsass.exe. - code: |- + code: | index=__your_sysmon_index__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump") type: Splunk data_model: Sysmon native @@ -55,15 +55,15 @@ implementations: description: 'A [Sigma Version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) of the above Splunk search, with some more stringent criteria around calltrace.' type: Sigma - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="*\procdump*.exe" command="*lsass*" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native data_model_references: - process/create/exe - process/create/command_line -unit_tests: - - description: |- +unit_tests: + - description: | 1. Open a Windows Command Prompt or PowerShell instance. 2. Navigate to folder containing ProcDump. 3. Execute procdump.exe -ma lsass.exe lsass_dump diff --git a/analytics/CAR-2019-08-001.yaml b/analytics/CAR-2019-08-001.yaml index bf295634..433ae5f5 100644 --- a/analytics/CAR-2019-08-001.yaml +++ b/analytics/CAR-2019-08-001.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - Tony Lambert/Red Canary id: CAR-2019-08-001 -description: |- +description: | The Windows Task Manager may be used to dump the memory space of `lsass.exe` to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting `lsass.exe`, and clicking "Create dump file". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped. This requires filesystem data to determine whether files have been created. 
@@ -25,7 +25,7 @@ coverage: implementations: - name: Procdump - File Create description: This base pseudocode looks for file create events where a file with a name similar to lsass.dmp is created by the Windows task manager process. - code: |- + code: | files = search File:Create lsass_dump = filter files where ( file_name = "lsass*.dmp" and @@ -34,26 +34,26 @@ implementations: type: Pseudocode - name: Procdump - File Create description: A Splunk/Sysmon version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe" type: Splunk data_model: Sysmon native - name: Procdump - File Create description: An EQL version of the above pseudocode. - code: |- + code: | file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe" type: EQL data_model: EQL native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=11 file="*lsass*.dmp" source_image="C:\Windows\*\taskmgr.exe" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native data_model_references: - file/create/file_name - file/create/image_path -unit_tests: - - description: |- +unit_tests: + - description: | 1. Open Windows Task Manager as Administrator 2. Select lsass.exe 3. Right-click on lsass.exe and select "Create dump file". diff --git a/analytics/CAR-2019-08-002.yaml b/analytics/CAR-2019-08-002.yaml index b9074b4d..61df744d 100644 --- a/analytics/CAR-2019-08-002.yaml +++ b/analytics/CAR-2019-08-002.yaml 
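Review bot: All three named implementations in this file are called `Procdump - File Create`, but the analytic is about Windows Task Manager dumping lsass (the Splunk query matches `Image="C:\\Windows\\*\\taskmgr.exe"`), so the `name` was carried over from CAR-2019-07-002 and should read something like `Task Manager - File Create`. The pseudocode, Splunk and EQL variants also share that one name, so a per-variant suffix would keep them distinguishable. CAR-2019-08-002's `NTDSUtil - File Create` shows the intended pattern.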
@@ -11,7 +11,7 @@ analytic_types: contributors: - Tony Lambert/Red Canary id: CAR-2019-08-002 -description: |- +description: | The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching `ntdsutil.exe` as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, `ntds.dit`, to the specified folder path. This requires filesystem data to determine whether files have been created. @@ -25,7 +25,7 @@ coverage: implementations: - name: NTDSUtil - File Create description: This base pseudocode looks for file create events where a file with a name of ntds.dit is created by the ntdsutil process. - code: |- + code: | files = search File:Create ntds_dump = filter files where ( file_name = "ntds.dit" and 
@@ -34,26 +34,26 @@ implementations: type: Pseudocode - name: NTDSUtil - File Create description: A Splunk/Sysmon version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ EventCode=11 TargetFilename="*ntds.dit" Image="*ntdsutil.exe" type: Splunk data_model: Sysmon native - name: NTDSUtil - File Create description: An EQL version of the above pseudocode. - code: |- + code: | file where file_name == "ntds.dit" and process_name == "ntdsutil.exe" type: EQL data_model: EQL native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=11 file="*ntds.dit" source_image="*ntdsutil.exe" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native data_model_references: - file/create/file_name - file/create/image_path -unit_tests: - - description: |- +unit_tests: + - description: | 1. Open a Windows Command Prompt or PowerShell instance as Administrator 2. Execute `ntdsutil.exe “ac i ntds” “ifm” “create full c:\temp” q q` d3fend_mappings: diff --git a/analytics/CAR-2020-05-001.yaml b/analytics/CAR-2020-05-001.yaml index 4f5981dd..8bbff1f4 100644 --- a/analytics/CAR-2020-05-001.yaml +++ b/analytics/CAR-2020-05-001.yaml 
@@ -11,13 +11,13 @@ analytic_types: contributors: - Cyber National Mission Force (CNMF) id: CAR-2020-05-001 -description: |- +description: | This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call [MiniDumpWriteDump](https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump). Tools like [SafetyKatz](https://github.com/GhostPack/SafetyKatz), [SafetyDump](https://github.com/m0rv4i/SafetyDump), and [Outflank-Dumpert](https://github.com/outflanknl/Dumpert) default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior. The analytic is based on a [Sigma analytic](https://github.com/NVISO-BE/sigma-public/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) contributed by Samir Bousseaden and written up in a [blog on MENASEC](https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html). It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in [CAR-2019-08-001](/analytics/CAR-2019-08-001/). In this iteration of the Sigma analytic, the `GrantedAccess` filter isn't included because it didn't seem to filter out any false positives and introduces the potential for evasion. This analytic was tested both in a lab and in a production environment with a very low false-positive rate. werfault.exe and tasklist.exe, both standard Windows processes, showed up multiple times as false positives. - + NOTE - this analytic has no corresponding pseudocode implementation because the CAR data model doesn't currently support process access events. coverage: - technique: T1003 
@@ -38,7 +38,7 @@ implementations: norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" call_trace IN ["*dbghelp.dll*", "*dbgcore.dll*"] | fields log_ts host source_process_id source_image type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native d3fend_mappings: - iri: d3f:SystemCallAnalysis id: D3-SCA diff --git a/analytics/CAR-2020-05-003.yaml b/analytics/CAR-2020-05-003.yaml index 1cc4a001..b75d8cd4 100644 --- a/analytics/CAR-2020-05-003.yaml +++ b/analytics/CAR-2020-05-003.yaml 
@@ -11,14 +11,14 @@ analytic_types: contributors: - Cyber National Mission Force (CNMF) id: CAR-2020-05-003 -description: |- +description: | [LoLBAS](https://lolbas-project.github.io/) are binaries and scripts that are built in to Windows, frequently are signed by Microsoft, and may be used by an attacker. Some LoLBAS are used very rarely and it might be possible to alert every time they're used (this would depend on your environment), but many others are very common and can't be simply alerted on. This analytic takes all instances of LoLBAS execution and then looks for instances of command lines that are not normal in the environment. This can detect attackers (which will tend to need the binaries for something different than normal usage) but will also tend to have false positives. The analytic needs to be tuned. The `1.5` in the query is the number of standard deviations away to look. It can be tuned up to filter out more noise and tuned down to get more results. This means it is probably best as a hunting analytic when you have analysts looking at the screen and able to tune the analytic up and down, because the threshold may not be stable for very long. - - Note - this analytic is related to [CAR-2013-04-002](/analytics/CAR-2013-04-002), but differs by looking for a different set of binaries and also looking at standard deviation across command lines of these binaries instead of their execution within a short time window. + + Note - this analytic is related to [CAR-2013-04-002](/analytics/CAR-2013-04-002), but differs by looking for a different set of binaries and also looking at standard deviation across command lines of these binaries instead of their execution within a short time window. coverage: - technique: T1012 tactics: 
@@ -44,7 +44,7 @@ coverage: implementations: - name: LolBAS Rare Commands description: Pseudocode version of the below Splunk query. - code: |- + code: | processes = search Process:Create lolbas_processes = filter processes where (exe = "At.exe" OR exe = "Atbroker.exe" OR exe = "Bash.exe" OR exe = "Bitsadmin.exe" OR exe = "Certutil.exe" OR exe = "Cmd.exe" OR exe = "Cmdkey.exe" OR exe = "Cmstp.exe" OR exe = "Control.exe" OR exe = "Csc.exe" OR exe = "Cscript.exe" OR exe = "Dfsvc.exe" OR exe = "Diskshadow.exe" OR exe = "Dnscmd.exe" OR exe = "Esentutl.exe" OR exe = "Eventvwr.exe" OR exe = "Expand.exe" OR exe = "Extexport.exe" OR exe = "Extrac32.exe" OR exe = "Findstr.exe" OR exe = "Forfiles.exe" OR exe = "Ftp.exe" OR exe = "Gpscript.exe" OR exe = "Hh.exe" OR exe = "Ie4uinit.exe" OR exe = "Ieexec.exe" OR exe = "Infdefaultinstall.exe" OR exe = "Installutil.exe" OR exe = "Jsc.exe" OR exe = "Makecab.exe" OR exe = "Mavinject.exe" OR exe = "Microsoft.Workflow.r.exe" OR exe = "Mmc.exe" OR exe = "Msbuild.exe" OR exe = "Msconfig.exe" OR exe = "Msdt.exe" OR exe = "Mshta.exe" OR exe = "Msiexec.exe" OR exe = "Odbcconf.exe" OR exe = "Pcalua.exe" OR exe = "Pcwrun.exe" OR exe = "Presentationhost.exe" OR exe = "Print.exe" OR exe = "Reg.exe" OR exe = "Regasm.exe" OR exe = "Regedit.exe" OR exe = "Register-cimprovider.exe" OR exe = "Regsvcs.exe" OR exe = "Regsvr32.exe" OR exe = "Replace.exe" OR exe = "Rpcping.exe" OR exe = "Rundll32.exe" OR exe = "Runonce.exe" OR exe = "Runscripthelper.exe" OR exe = "Sc.exe" OR exe = "Schtasks.exe" OR exe = "Scriptrunner.exe" OR exe = "SyncAppvPublishingServer.exe" OR exe = "Tttracer.exe" OR exe = "Verclsid.exe" OR exe = "Wab.exe" OR exe = "Wmic.exe" OR exe = "Wscript.exe" OR exe = "Wsreset.exe" OR exe = "Xwizard.exe" OR exe = "Advpack.dll OR exe = "Comsvcs.dll OR exe = "Ieadvpack.dll OR exe = "Ieaframe.dll OR exe = "Mshtml.dll OR exe = "Pcwutl.dll OR exe = "Setupapi.dll OR exe = "Shdocvw.dll OR exe = "Shell32.dll OR exe = "Syssetup.dll OR exe = "Url.dll 
OR exe = "Zipfldr.dll OR exe = "Appvlp.exe" OR exe = "Bginfo.exe" OR exe = "Cdb.exe" OR exe = "csi.exe" OR exe = "Devtoolslauncher.exe" OR exe = "dnx.exe" OR exe = "Dxcap.exe" OR exe = "Excel.exe" OR exe = "Mftrace.exe" OR exe = "Msdeploy.exe" OR exe = "msxsl.exe" OR exe = "Powerpnt.exe" OR exe = "rcsi.exe" OR exe = "Sqler.exe" OR exe = "Sqlps.exe" OR exe = "SQLToolsPS.exe" OR exe = "Squirrel.exe" OR exe = "te.exe" OR exe = "Tracker.exe" OR exe = "Update.exe" OR exe = "vsjitdebugger.exe" OR exe = "Winword.exe" OR exe = "Wsl.exe" OR exe = "CL_Mutexverifiers.ps1 OR exe = "CL_Invocation.ps1 OR exe = "Manage-bde.wsf OR exe = "Pubprn.vbs OR exe = "Slmgr.vbs OR exe = "Syncappvpublishingserver.vbs OR exe = "winrm.vbs OR exe = "Pester.bat) process_count = count(lolbas_processes) by process 
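Review bot: The `lolbas_processes` filter has unterminated string literals from `exe = "Advpack.dll` onward through `exe = "Pester.bat)`: every `.dll`, `.ps1`, `.wsf`, `.vbs` and `.bat` entry is missing its closing quote, so the pseudocode is not well formed even though the commit touches this block's `code:` header. Beyond the quoting, those entries are compared against `exe`, but DLLs and scripts are loaded or interpreted by another image rather than executed as the process image, so they can never match a `Process:Create` `exe` field; they belong in a command-line or module-load condition, or should be dropped from this list. Fixing the quotes is mechanical (`exe = "Advpack.dll" OR exe = "Comsvcs.dll" OR ...`); the field mismatch needs a decision from the analytic's author. The enclosing hunk that follows (@@ -57,7) runs past the end of the visible diff.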
@@ -57,7 +57,7 @@ implementations: data_model: CAR native - name: LolBAS Rare Commands description: This Splunk query looks for instances of LoLBAS commands being executed, then stacks by rare command lines using a stddev. - code: |- + code: | index=__your_sysmon_index__ EventCode=1 (OriginalFileName = At.exe OR OriginalFileName = Atbroker.exe OR OriginalFileName = Bash.exe OR OriginalFileName = Bitsadmin.exe OR OriginalFileName = Certutil.exe OR OriginalFileName = Cmd.exe OR OriginalFileName = Cmdkey.exe OR OriginalFileName = Cmstp.exe OR OriginalFileName = Control.exe OR OriginalFileName = Csc.exe OR OriginalFileName = Cscript.exe OR OriginalFileName = Dfsvc.exe OR OriginalFileName = Diskshadow.exe OR OriginalFileName = Dnscmd.exe OR OriginalFileName = Esentutl.exe OR OriginalFileName = Eventvwr.exe OR OriginalFileName = Expand.exe OR OriginalFileName = Extexport.exe OR OriginalFileName = Extrac32.exe OR OriginalFileName = Findstr.exe OR OriginalFileName = Forfiles.exe OR OriginalFileName = Ftp.exe OR OriginalFileName = Gpscript.exe OR OriginalFileName = Hh.exe OR OriginalFileName = Ie4uinit.exe OR OriginalFileName = Ieexec.exe OR OriginalFileName = Infdefaultinstall.exe OR OriginalFileName = Installutil.exe OR OriginalFileName = Jsc.exe OR OriginalFileName = Makecab.exe OR OriginalFileName = Mavinject.exe OR OriginalFileName = Microsoft.Workflow.r.exe OR OriginalFileName = Mmc.exe OR OriginalFileName = Msbuild.exe OR OriginalFileName = Msconfig.exe OR OriginalFileName = Msdt.exe OR OriginalFileName = Mshta.exe OR OriginalFileName = Msiexec.exe OR OriginalFileName = Odbcconf.exe OR OriginalFileName = Pcalua.exe OR OriginalFileName = Pcwrun.exe OR OriginalFileName = Presentationhost.exe OR OriginalFileName = Print.exe OR OriginalFileName = Reg.exe OR OriginalFileName = Regasm.exe OR OriginalFileName = Regedit.exe OR OriginalFileName = Register-cimprovider.exe OR OriginalFileName = Regsvcs.exe OR OriginalFileName = Regsvr32.exe OR OriginalFileName = Replace.exe OR 
OriginalFileName = Rpcping.exe OR OriginalFileName = Rundll32.exe OR OriginalFileName = Runonce.exe OR OriginalFileName = Runscripthelper.exe OR OriginalFileName = Sc.exe OR OriginalFileName = Schtasks.exe OR OriginalFileName = Scriptrunner.exe OR OriginalFileName = SyncAppvPublishingServer.exe OR OriginalFileName = Tttracer.exe OR OriginalFileName = Verclsid.exe OR OriginalFileName = Wab.exe OR OriginalFileName = Wmic.exe OR OriginalFileName = Wscript.exe OR OriginalFileName = Wsreset.exe OR OriginalFileName = Xwizard.exe OR OriginalFileName = Advpack.dll OR OriginalFileName = Comsvcs.dll OR OriginalFileName = Ieadvpack.dll OR OriginalFileName = Ieaframe.dll OR OriginalFileName = Mshtml.dll OR OriginalFileName = Pcwutl.dll OR OriginalFileName = Setupapi.dll OR OriginalFileName = Shdocvw.dll OR OriginalFileName = Shell32.dll OR OriginalFileName = Syssetup.dll OR OriginalFileName = Url.dll OR OriginalFileName = Zipfldr.dll OR OriginalFileName = Appvlp.exe OR OriginalFileName = Bginfo.exe OR OriginalFileName = Cdb.exe OR OriginalFileName = csi.exe OR OriginalFileName = Devtoolslauncher.exe OR OriginalFileName = dnx.exe OR OriginalFileName = Dxcap.exe OR OriginalFileName = Excel.exe OR OriginalFileName = Mftrace.exe OR OriginalFileName = Msdeploy.exe OR OriginalFileName = msxsl.exe OR OriginalFileName = Powerpnt.exe OR OriginalFileName = rcsi.exe OR OriginalFileName = Sqler.exe OR OriginalFileName = Sqlps.exe OR OriginalFileName = SQLToolsPS.exe OR OriginalFileName = Squirrel.exe OR OriginalFileName = te.exe OR OriginalFileName = Tracker.exe OR OriginalFileName = Update.exe OR OriginalFileName = vsjitdebugger.exe OR OriginalFileName = Winword.exe OR OriginalFileName = Wsl.exe OR OriginalFileName = CL_Mutexverifiers.ps1 OR OriginalFileName = CL_Invocation.ps1 OR OriginalFileName = Manage-bde.wsf OR OriginalFileName = Pubprn.vbs OR OriginalFileName = Slmgr.vbs OR OriginalFileName = Syncappvpublishingserver.vbs OR OriginalFileName = winrm.vbs OR OriginalFileName = 
Pester.bat)|eval CommandLine=lower(CommandLine)|eventstats count(process) as procCount by process|eventstats avg(procCount) as avg stdev(procCount) as stdev|eval lowerBound=(avg-stdev*1.5)|eval isOutlier=if((procCount < lowerBound),1,0)|where isOutlier=1|table host, Image, ParentImage, CommandLine, ParentCommandLine, procCount type: Splunk data_model: Sysmon native diff --git a/analytics/CAR-2020-09-001.yaml b/analytics/CAR-2020-09-001.yaml index 66e4a411..ec4f8d76 100644 --- a/analytics/CAR-2020-09-001.yaml +++ b/analytics/CAR-2020-09-001.yaml 
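Review bot: The `OriginalFileName = Advpack.dll` … `Zipfldr.dll` terms and the `.ps1`/`.vbs`/`.wsf`/`.bat` terms sit inside an `EventCode=1` (process-creation) search, where `OriginalFileName` describes the started executable; a DLL or script file is never itself the created process, so those terms almost certainly never match and only lengthen the query. If DLL and script abuse is meant to be covered, it needs a separate clause on image loads (`EventCode=7` with `ImageLoaded`) or on `CommandLine`; otherwise the entries should be dropped. The same dead terms appear in the pseudocode hunk above. The 1.5-stddev lower bound in `eval lowerBound=(avg-stdev*1.5)` is the whole outlier logic here, so the description could say that the factor is expected to be tuned per environment.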
@@ -4,48 +4,48 @@ submission_date: 2020/09/10 information_domain: 'Host' platforms: - Windows -subtypes: +subtypes: - File analytic_types: - Situational Awareness contributors: - Olaf Hartong id: CAR-2020-09-001 -description: |- +description: | In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations. -coverage: +coverage: - technique: T1053 - subtechniques: + subtechniques: - T1053.005 - tactics: + tactics: - TA0002 - TA0003 - TA0004 coverage: Low implementations: -- name: Pseudocode - Windows task file creation - description: This is a pseudocode representation of the below splunk search. - code: |- - files = search File:Create - task_files = filter files where ( - (file_path = "C:\Windows\System32\Tasks\*" or file_path = "C:\Windows\Tasks\*") and - image_path != "C:\WINDOWS\system32\svchost.exe") - output task_files - data_model: CAR native - type: Pseudocode -- name: Splunk search - Windows task file creation - description: This Splunk search looks for any files created under the Windows tasks directories. - code: |- - index=__your_sysmon_index__ EventCode=11 Image!="C:\\WINDOWS\\system32\\svchost.exe" (TargetFilename="C:\\Windows\\System32\\Tasks\\ - *" OR TargetFilename="C:\\Windows\\Tasks\\*") - data_model: Sysmon native - type: Splunk -- name: LogPoint search - Windows task file creation - description: This LogPoint search looks for any files created under the Windows tasks directories. 
- code: |- - norm_id=WindowsSysmon event_id=11 -source_image="C:\WINDOWS\system32\svchost.exe" (path="C:\Windows\System32\Tasks*" OR path="C:\Windows\Tasks*") - data_model: LogPoint native - type: LogPoint + - name: Pseudocode - Windows task file creation + description: This is a pseudocode representation of the below splunk search. + code: | + files = search File:Create + task_files = filter files where ( + (file_path = "C:\Windows\System32\Tasks\*" or file_path = "C:\Windows\Tasks\*") and + image_path != "C:\WINDOWS\system32\svchost.exe") + output task_files + data_model: CAR native + type: Pseudocode + - name: Splunk search - Windows task file creation + description: This Splunk search looks for any files created under the Windows tasks directories. + code: | + index=__your_sysmon_index__ EventCode=11 Image!="C:\\WINDOWS\\system32\\svchost.exe" (TargetFilename="C:\\Windows\\System32\\Tasks\\ + *" OR TargetFilename="C:\\Windows\\Tasks\\*") + data_model: Sysmon native + type: Splunk + - name: LogPoint search - Windows task file creation + description: This LogPoint search looks for any files created under the Windows tasks directories. + code: | + norm_id=WindowsSysmon event_id=11 -source_image="C:\WINDOWS\system32\svchost.exe" (path="C:\Windows\System32\Tasks*" OR path="C:\Windows\Tasks*") + data_model: LogPoint native + type: LogPoint data_model_references: - file/create/file_path - file/create/image_path diff --git a/analytics/CAR-2020-09-002.yaml b/analytics/CAR-2020-09-002.yaml index 0efd59f9..6a02f789 100644 --- a/analytics/CAR-2020-09-002.yaml +++ b/analytics/CAR-2020-09-002.yaml 
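Review bot: The Splunk search is still split inside a quoted string: `TargetFilename="C:\\Windows\\System32\\Tasks\\` ends one line and `*" OR TargetFilename="C:\\Windows\\Tasks\\*")` starts the next, and with `|` (exactly as with `|-`) that line break becomes part of the rendered query and breaks the literal. The search should be a single line: `index=__your_sysmon_index__ EventCode=11 Image!="C:\\WINDOWS\\system32\\svchost.exe" (TargetFilename="C:\\Windows\\System32\\Tasks\\*" OR TargetFilename="C:\\Windows\\Tasks\\*")`.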
@@ -4,45 +4,45 @@ submission_date: 2020/09/10 information_domain: 'Host' platforms: - Windows -subtypes: +subtypes: - Registry analytic_types: - Situational Awareness contributors: - Olaf Hartong id: CAR-2020-09-002 -description: |- - Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this analytic looks for any changes under these keys. +description: | + Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this analytic looks for any changes under these keys. coverage: - - technique: T1546 + - technique: T1546 coverage: Moderate - subtechniques: + subtechniques: - T1546.015 - tactics: + tactics: - TA0003 - TA0004 implementations: -- name: Pseudocode - COM object registry entry modification - description: This is a pseudocode representation of the below splunk search. - code: |- - registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) - clsid_keys = filter registry_keys where ( - key = "*\Software\Classes\CLSID\*") - output clsid_keys - data_model: CAR native - type: Pseudocode -- name: Splunk search - COM object registry entry modification - description: This Splunk search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows COM Object registry key. 
- code: |- - index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Classes\\CLSID\\*" - data_model: Sysmon native - type: Splunk -- name: LogPoint search - COM object registry entry modification - description: This LogPoint search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows COM Object registry key. - code: |- - norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Classes\CLSID\*" - data_model: LogPoint native - type: LogPoint + - name: Pseudocode - COM object registry entry modification + description: This is a pseudocode representation of the below splunk search. + code: | + registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) + clsid_keys = filter registry_keys where ( + key = "*\Software\Classes\CLSID\*") + output clsid_keys + data_model: CAR native + type: Pseudocode + - name: Splunk search - COM object registry entry modification + description: This Splunk search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows COM Object registry key. + code: | + index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Classes\\CLSID\\*" + data_model: Sysmon native + type: Splunk + - name: LogPoint search - COM object registry entry modification + description: This LogPoint search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows COM Object registry key. + code: | + norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Classes\CLSID\*" + data_model: LogPoint native + type: LogPoint data_model_references: - registry/add/key - registry/remove/key 
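Review bot: The pseudocode's `registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit)` joins the three event types with AND, while the Splunk (`EventCode=12 OR EventCode=13 OR EventCode=14`) and LogPoint (`event_id IN [12, 13, 14]`) implementations below it select any one of them. Unless CAR pseudocode defines AND inside a `search` as a union, the line should read `registry_keys = search (Registry:Create OR Registry:Remove OR Registry:Edit)`. The same construct is reproduced in the CAR-2020-09-005 hunk further down.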
diff --git a/analytics/CAR-2020-09-003.yaml b/analytics/CAR-2020-09-003.yaml
index e7007ca1..ad9d78ab 100644
--- a/analytics/CAR-2020-09-003.yaml
+++ b/analytics/CAR-2020-09-003.yaml
@@ -4,44 +4,44 @@ submission_date: 2020/09/10 information_domain: 'Host' platforms: - Windows -subtypes: +subtypes: - Process analytic_types: - TTP contributors: - Olaf Hartong id: CAR-2020-09-003 -description: |- +description: | Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers. coverage: - - technique: T1562 + - technique: T1562 coverage: Low - subtechniques: + subtechniques: - T1562.006 - tactics: + tactics: - TA0005 implementations: -- name: Pseudocode - fltmc invocation - description: This is a pseudocode representation of the below splunk search. - code: |- - processes = search Process:Create - fltmc_processes = filter processes where ( - exe = "fltmc.exe" AND command_line = "*unload*") - output fltmc_processes - data_model: CAR native - type: Pseudocode -- name: Splunk search - fltmc invocation - description: This Splunk search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers. - code: |- - index=client EventCode=1 CommandLine="*unload*" (Image="C:\\Windows\\SysWOW64\\fltMC.exe" OR Image="C:\\Windows\\System32\\fltMC.exe") - data_model: Sysmon native - type: Splunk -- name: LogPoint search - fltmc invocation - description: This LogPoint search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers. - code: |- - norm_id=WindowsSysmon command="*unload*" (image="C:\Windows\SysWOW64\fltMC.exe" OR image="C:\Windows\System32\fltMC.exe") - data_model: LogPoint native - type: LogPoint + - name: Pseudocode - fltmc invocation + description: This is a pseudocode representation of the below splunk search. 
+ code: | + processes = search Process:Create + fltmc_processes = filter processes where ( + exe = "fltmc.exe" AND command_line = "*unload*") + output fltmc_processes + data_model: CAR native + type: Pseudocode + - name: Splunk search - fltmc invocation + description: This Splunk search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers. + code: | + index=client EventCode=1 CommandLine="*unload*" (Image="C:\\Windows\\SysWOW64\\fltMC.exe" OR Image="C:\\Windows\\System32\\fltMC.exe") + data_model: Sysmon native + type: Splunk + - name: LogPoint search - fltmc invocation + description: This LogPoint search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers. + code: | + norm_id=WindowsSysmon command="*unload*" (image="C:\Windows\SysWOW64\fltMC.exe" OR image="C:\Windows\System32\fltMC.exe") + data_model: LogPoint native + type: LogPoint data_model_references: - process/create/exe - process/create/command_line diff --git a/analytics/CAR-2020-09-004.yaml b/analytics/CAR-2020-09-004.yaml index 133fac15..f3022347 100644 --- a/analytics/CAR-2020-09-004.yaml +++ b/analytics/CAR-2020-09-004.yaml 
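Review bot: The Splunk search hard-codes `index=client` where every other implementation in this commit uses the `index=__your_sysmon_index__` placeholder, so a user who substitutes the placeholders will silently miss this analytic; the line should start `index=__your_sysmon_index__ EventCode=1 CommandLine="*unload*" (…`. The LogPoint search also lacks the `event_id=1` restriction its Splunk counterpart has via `EventCode=1`, so any Sysmon event whose `command` field contains `unload` would match. Suggest `norm_id=WindowsSysmon event_id=1 command="*unload*" (image="C:\Windows\SysWOW64\fltMC.exe" OR image="C:\Windows\System32\fltMC.exe")`.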
@@ -5,52 +5,52 @@ information_domain: 'Host' platforms: - Windows subtypes: - - Process + - Process - Registry analytic_types: - TTP contributors: - Olaf Hartong id: CAR-2020-09-004 -description: |- +description: | Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as [PowerSploit](https://powersploit.readthedocs.io/en/latest/) in order to dump credentials from various applications such as IIS.Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several powersploit modules with similar functionality. coverage: - technique: T1552 coverage: Low - subtechniques: + subtechniques: - T1552.001 - T1552.002 - tactics: + tactics: - TA0006 implementations: -- name: Pseudocode - reg.exe password search & powersploit modules - description: This is a pseudocode representation of the below splunk search. - code: |- - processes = search Process:Create - cred_processes = filter processes where ( - command_line = "*reg* query HKLM /f password /t REG_SZ /s*" OR - command_line = "reg* query HKCU /f password /t REG_SZ /s" OR - command_line = "*Get-UnattendedInstallFile*" OR - command_line = "*Get-Webconfig*" OR - command_line = "*Get-ApplicationHost*" OR - command_line = "*Get-SiteListPassword*" OR - command_line = "*Get-CachedGPPPassword*" OR - command_line = "*Get-RegistryAutoLogon*") - output cred_processes - data_model: CAR native - type: Pseudocode -- name: Splunk Search - reg.exe password search & powersploit modules - description: This Splunk search looks for command lines of reg.exe used to search for passwords, as well as those of powersploit modules for the same purpose. 
- code: |- - ((index=__your_sysmon_index__ EventCode=1) OR (index=__your_win_syslog_index__ EventCode=4688)) (CommandLine="*reg* query HKLM /f password /t REG_SZ /s*" OR CommandLine="reg* query HKCU /f password /t REG_SZ /s" OR CommandLine="*Get-UnattendedInstallFile*" OR CommandLine="*Get-Webconfig*" OR CommandLine="*Get-ApplicationHost*" OR CommandLine="*Get-SiteListPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR CommandLine="*Get-RegistryAutoLogon*") - data_model: Sysmon native - type: Splunk -- name: LogPoint search - reg.exe password search & powersploit modules - description: This LogPoint search looks for command lines of reg.exe used to search for passwords, as well as those of powersploit modules for the same purpose. - code: |- - norm_id=WindowsSysmon event_id=1 command IN ["*reg* query HKLM /f password /t REG_SZ /s*", "reg* query HKCU /f password /t REG_SZ /s", "*Get-UnattendedInstallFile*", "*Get-Webconfig*", "*Get-ApplicationHost*", "*Get-SiteListPassword*", "*Get-CachedGPPPassword*", "*Get-RegistryAutoLogon*"] - data_model: LogPoint native - type: LogPoint + - name: Pseudocode - reg.exe password search & powersploit modules + description: This is a pseudocode representation of the below splunk search. 
+ code: | + processes = search Process:Create + cred_processes = filter processes where ( + command_line = "*reg* query HKLM /f password /t REG_SZ /s*" OR + command_line = "reg* query HKCU /f password /t REG_SZ /s" OR + command_line = "*Get-UnattendedInstallFile*" OR + command_line = "*Get-Webconfig*" OR + command_line = "*Get-ApplicationHost*" OR + command_line = "*Get-SiteListPassword*" OR + command_line = "*Get-CachedGPPPassword*" OR + command_line = "*Get-RegistryAutoLogon*") + output cred_processes + data_model: CAR native + type: Pseudocode + - name: Splunk Search - reg.exe password search & powersploit modules + description: This Splunk search looks for command lines of reg.exe used to search for passwords, as well as those of powersploit modules for the same purpose. + code: | + ((index=__your_sysmon_index__ EventCode=1) OR (index=__your_win_syslog_index__ EventCode=4688)) (CommandLine="*reg* query HKLM /f password /t REG_SZ /s*" OR CommandLine="reg* query HKCU /f password /t REG_SZ /s" OR CommandLine="*Get-UnattendedInstallFile*" OR CommandLine="*Get-Webconfig*" OR CommandLine="*Get-ApplicationHost*" OR CommandLine="*Get-SiteListPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR CommandLine="*Get-RegistryAutoLogon*") + data_model: Sysmon native + type: Splunk + - name: LogPoint search - reg.exe password search & powersploit modules + description: This LogPoint search looks for command lines of reg.exe used to search for passwords, as well as those of powersploit modules for the same purpose. + code: | + norm_id=WindowsSysmon event_id=1 command IN ["*reg* query HKLM /f password /t REG_SZ /s*", "reg* query HKCU /f password /t REG_SZ /s", "*Get-UnattendedInstallFile*", "*Get-Webconfig*", "*Get-ApplicationHost*", "*Get-SiteListPassword*", "*Get-CachedGPPPassword*", "*Get-RegistryAutoLogon*"] + data_model: LogPoint native + type: LogPoint data_model_references: - process/create/command_line d3fend_mappings: 
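Review bot: The HKCU pattern `command_line = "reg* query HKCU /f password /t REG_SZ /s"` has neither the leading nor the trailing `*` of its HKLM sibling `"*reg* query HKLM /f password /t REG_SZ /s*"`, so an invocation through a full path or with anything after `/s` is only caught for HKLM; the same asymmetry is carried into the Splunk `CommandLine=` terms and the LogPoint `command IN [...]` list in this hunk. Suggest `command_line = "*reg* query HKCU /f password /t REG_SZ /s*" OR` and the matching change in the other two implementations. Separately, the description line `IIS.Accordingly` is missing a space after the period.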
diff --git a/analytics/CAR-2020-09-005.yaml b/analytics/CAR-2020-09-005.yaml
index c6a49657..b3976467 100644
--- a/analytics/CAR-2020-09-005.yaml
+++ b/analytics/CAR-2020-09-005.yaml
@@ -11,40 +11,40 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-09-005 -description: |- - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` or `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse. +description: | + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` or `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse. coverage: - technique: T1546 coverage: Moderate - subtechniques: + subtechniques: - T1546.010 - tactics: + tactics: - TA0003 - TA0004 implementations: -- name: Pseudocode - AppInit DLL registry modification - description: This is a pseudocode representation of the below splunk search. 
- code: |- - registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) - appinit_keys = filter registry_keys where ( - key = "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*" OR - key = "*\SOFTWARE\\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"" - ) - output clsid_keys - data_model: CAR native - type: Pseudocode -- name: Splunk search - AppInit DLL registry modification - description: This Splunk search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows AppInit DLL registry keys. - code: |- - index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) (TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*" OR TargetObject="*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*") - data_model: Sysmon native - type: Splunk -- name: LogPoint search - AppInit DLL registry modification - description: This LogPoint search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows AppInit DLL registry keys. - code: |- - norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object IN ["*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*", "*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"] - data_model: LogPoint native - type: LogPoint + - name: Pseudocode - AppInit DLL registry modification + description: This is a pseudocode representation of the below splunk search. 
+ code: | + registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) + appinit_keys = filter registry_keys where ( + key = "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*" OR + key = "*\SOFTWARE\\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"" + ) + output clsid_keys + data_model: CAR native + type: Pseudocode + - name: Splunk search - AppInit DLL registry modification + description: This Splunk search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows AppInit DLL registry keys. + code: | + index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) (TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*" OR TargetObject="*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*") + data_model: Sysmon native + type: Splunk + - name: LogPoint search - AppInit DLL registry modification + description: This LogPoint search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows AppInit DLL registry keys. + code: | + norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object IN ["*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*", "*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"] + data_model: LogPoint native + type: LogPoint data_model_references: - registry/add/key - registry/remove/key diff --git a/analytics/CAR-2020-11-001.yaml b/analytics/CAR-2020-11-001.yaml index 1253de8e..65b10d86 100644 --- a/analytics/CAR-2020-11-001.yaml +++ b/analytics/CAR-2020-11-001.yaml @@ -1,3 +1,4 @@ +--- title: Boot or Logon Initialization Scripts submission_date: 2020/11/30 information_domain: Host 
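Review bot: The pseudocode ends with `output clsid_keys`, but the variable it filters into is `appinit_keys` (the `clsid_keys` name looks carried over from CAR-2020-09-002), and the Wow6432Node pattern has a stray doubled quote and an extra backslash: `key = "*\SOFTWARE\\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*""`. Those lines should read `key = "*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"` and `output appinit_keys`. I would also confirm against a Sysmon event 13 sample that the `TargetObject` for this setting has a path component after `Appinit_Dlls`: AppInit_DLLs is a registry value, so patterns ending in `\Appinit_Dlls\*` (all three implementations here) may demand a trailing backslash that is never present.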
@@ -11,8 +12,8 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-001 -description: |- - Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\Environment*UserInitMprLogonScript*. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. +description: | + Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\Environment*UserInitMprLogonScript*. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. coverage: - technique: T1037 tactics: @@ -24,7 +25,7 @@ coverage: implementations: - name: Pseudocode - logon run script key added to registry using reg.exe on commandline, or new logon scipt keys in registry from any source. description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create logon_script_key_processes = filter processes where ( command_line = "*reg*add*\Environment*UserInitMprLogonScript") 
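Review bot: The re-added description still reads `This signature looks edits to existing keys`; it should be `This signature looks for edits to existing keys`. In the pseudocode hunk on this line the pattern `command_line = "*reg*add*\Environment*UserInitMprLogonScript")` has no trailing wildcard, so a real `reg add … /v UserInitMprLogonScript /t REG_SZ /d <script>` command line, which continues after the value name, would not match; suggest `command_line = "*reg*add*\Environment*UserInitMprLogonScript*")`. The Splunk `CommandLine="*add*\\Environment*UserInitMprLogonScript"` and LogPoint `command="*add*\Environment*UserInitMprLogonScript"` in the next hunk have the same gap, while the registry `TargetObject` patterns there are fine because the value name is the end of that path. The `scipt` in the implementation name is a context line but could be fixed in the same pass.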
@@ -36,13 +37,13 @@ implementations: type: Pseudocode - name: Splunk Search -- logon scripts description: Look for commands for adding a logon script as a registry value, as well as direct registry events for the same thing. - code: |- + code: | (index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\System32\\reg.exe" CommandLine="*add*\\Environment*UserInitMprLogonScript") OR (index=__your_sysmon_index__ (EventCode=12 OR EventCode=14 OR EventCode=13) TargetObject="*\\Environment*UserInitMprLogonScript") data_model: Sysmon native type: Splunk - name: LogPoint Search -- logon scripts description: Look for commands for adding a logon script as a registry value, as well as direct registry events for the same thing. - code: |- + code: | norm_id=WindowsSysmon ((event_id=1 image="C:\Windows\System32\reg.exe" command="*add*\Environment*UserInitMprLogonScript") OR (event_id IN [12, 13, 14] target_object="*\Environment*UserInitMprLogonScript")) data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-002.yaml b/analytics/CAR-2020-11-002.yaml index 87d86c7e..d676caf0 100644 --- a/analytics/CAR-2020-11-002.yaml +++ b/analytics/CAR-2020-11-002.yaml @@ -1,3 +1,4 @@ +--- title: Local Network Sniffing submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-002 -description: |- +description: | Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. This analytic looks for the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy. coverage: - technique: T1040 
@@ -21,7 +22,7 @@ coverage: implementations: - name: Pseudocode - commands containing known network sniffing application names description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create sniffer_processes = filter processes where ( exe = "tshark.exe" OR @@ -35,13 +36,13 @@ implementations: type: Pseudocode - name: Splunk Search - common network traffic sniffing apps being run description: look for common network traffic sniffing apps being run - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) (Image="*tshark.exe" OR Image="*windump.exe" OR (Image="*logman.exe" AND ParentImage!="?" AND ParentImage!="C:\\Program Files\\Windows Event Reporting\\Core\\EventReporting.AgentService.exe") OR Image="*tcpdump.exe" OR Image="*wprui.exe" OR Image="*wpr.exe") data_model: Sysmon native type: Splunk - name: LogPoint Search - common network traffic sniffing apps being run description: look for common network traffic sniffing apps being run - code: |- + code: | norm_id=WindowsSysmon event_id=1 (image="*\tshark.exe" OR image="*\windump.exe" OR (image="*\logman.exe" -parent_image="?" -parent_image="C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe") OR image="*\tcpdump.exe" OR image="*\wprui.exe" OR image="*\wpr.exe") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-003.yaml b/analytics/CAR-2020-11-003.yaml index 5223e141..acc8da98 100644 --- a/analytics/CAR-2020-11-003.yaml +++ b/analytics/CAR-2020-11-003.yaml @@ -1,3 +1,4 @@ +--- title: DLL Injection with Mavinject submission_date: 2020/11/30 information_domain: Host 
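Review bot: The Splunk search matches images with `Image="*tshark.exe"`, `"*windump.exe"`, `"*logman.exe"`, `"*tcpdump.exe"`, `"*wprui.exe"` and `"*wpr.exe"`, with no path separator before the file name, whereas the LogPoint search anchors each one as `image="*\tshark.exe"` and so on; the Splunk form therefore also matches any executable whose name merely ends in those characters (for example `notwpr.exe`). For parity with the LogPoint search and the exact-match pseudocode (`exe = "tshark.exe"`), anchor each term to a separator: `Image="*\\tshark.exe"` etc.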
@@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-003 -description: |- +description: | Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic. coverage: - technique: T1055 @@ -23,7 +24,7 @@ coverage: implementations: - name: Pseudocode - mavinject process and its common argument description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create mavinject_processes = filter processes where ( exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*" @@ -32,13 +33,13 @@ implementations: type: Pseudocode - name: Splunk Search - mavinject description: Search for instances of mavinject.exe or mavinject32.exe - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR CommandLine="*\INJECTRUNNING*") data_model: Sysmon native type: Splunk - name: LogPoint Search - mavinject description: Search for instances of mavinject.exe or mavinject32.exe - code: |- + code: | norm_id=WindowsSysmon event_id=1 (image="C:\Windows\SysWOW64\mavinject.exe" OR image="C:\Windows\System32\mavinject.exe" OR command="*\INJECTRUNNING*") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-004.yaml b/analytics/CAR-2020-11-004.yaml index 1cb9f909..84f833ad 100644 --- a/analytics/CAR-2020-11-004.yaml +++ b/analytics/CAR-2020-11-004.yaml 
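Review bot: The pseudocode filter mixes a Splunk field into CAR syntax — `exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe"` — and the three implementations disagree on the switch separator: the pseudocode looks for `*/INJECTRUNNING*` while the Splunk and LogPoint searches look for `*\INJECTRUNNING*`. mavinject's switch is written `/INJECTRUNNING`, so the backslash forms would only match if the log source rewrites the argument; suggest changing `Image=` to `exe =` in the pseudocode and using `CommandLine="*/INJECTRUNNING*"` and `command="*/INJECTRUNNING*"` in the searches. The description's `roles up` should be `rolls up`, and it mentions `mavinject32.exe` although no implementation searches for that name.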
@@ -1,3 +1,4 @@ +--- title: Processes Started From Irregular Parent submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-004 -description: |- +description: | Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discepency. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event. coverage: - technique: T1055 @@ -22,7 +23,7 @@ coverage: implementations: - name: Pseudocode - common processes that do not have the correct parent description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create mismatch_processes = filter processes where ( parent_exe exists AND (exe="smss.exe" AND (parent_exe!="smss.exe" AND parent_exe!="System") OR 
@@ -41,7 +42,7 @@ implementations: type: Pseudocode - name: Splunk Search - parent/child mismatch description: Looks for processes that do not have the expected parent. Common Splunk forwarder applications that break these rules are whitelisted; unique environments may require additional whitelist items. - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) AND ParentImage!="?" AND ParentImage!="C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe" AND ParentImage!="C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe" AND ((Image="C:\\Windows\System32\\smss.exe" AND (ParentImage!="C:\\Windows\\System32\\smss.exe" AND ParentImage!="System")) OR (Image="C:\\Windows\\System32\\csrss.exe" AND (ParentImage!="C:\\Windows\\System32\\smss.exe" AND ParentImage!="C:\\Windows\\System32\\svchost.exe")) OR 
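Review bot: `Image="C:\\Windows\System32\\smss.exe"` in the Splunk search escapes only one of the two backslashes around `System32`, while every other path in the same search doubles both; whether the engine keeps `\S` literally or drops the backslash is parser-dependent, so this clause may silently never match smss.exe. Write it as `Image="C:\\Windows\\System32\\smss.exe"` to match the surrounding paths. This is a context line the commit leaves untouched, and the search continues past the end of the hunk.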
@@ -58,13 +59,13 @@ implementations: type: Splunk - name: LogPoint Search - parent/child mismatch description: Looks for processes that do not have the expected parent. Unique environments may require additional whitelist items. - code: |- - norm_id=WindowsSysmon event_id=1 -parent_image="?" ((image="*\smss.exe" (-parent_image="*\smss.exe" -parent_image="*\System")) OR - (image="*\csrss.exe" (-parent_image="*\smss.exe" -parent_image="*\svchost.exe")) OR (image="*\wininit.exe" -parent_image="*\smss.exe") OR - (image="*\winlogon.exe" -parent_image="*\smss.exe") OR (image="*\lsass.exe" (-parent_image="*\wininit.exe" -parent_image="*\winlogon.exe")) OR - (image="*\LogonUI.exe" (-parent_image="*\winlogon.exe" -parent_image="*\wininit.exe")) OR (image="*\services.exe" -parent_image="*\wininit.exe") OR - (image="*\spoolsv.exe" -parent_image="*\services.exe") OR (image="*\taskhost.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR - (image="*\taskhostw.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR + code: | + norm_id=WindowsSysmon event_id=1 -parent_image="?" 
((image="*\smss.exe" (-parent_image="*\smss.exe" -parent_image="*\System")) OR + (image="*\csrss.exe" (-parent_image="*\smss.exe" -parent_image="*\svchost.exe")) OR (image="*\wininit.exe" -parent_image="*\smss.exe") OR + (image="*\winlogon.exe" -parent_image="*\smss.exe") OR (image="*\lsass.exe" (-parent_image="*\wininit.exe" -parent_image="*\winlogon.exe")) OR + (image="*\LogonUI.exe" (-parent_image="*\winlogon.exe" -parent_image="*\wininit.exe")) OR (image="*\services.exe" -parent_image="*\wininit.exe") OR + (image="*\spoolsv.exe" -parent_image="*\services.exe") OR (image="*\taskhost.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR + (image="*\taskhostw.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR (image="*\userinit.exe" (-parent_image="*\dwm.exe" -parent_image="*\winlogon.exe"))) data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-005.yaml b/analytics/CAR-2020-11-005.yaml index 0618b71c..920597b5 100644 --- a/analytics/CAR-2020-11-005.yaml +++ b/analytics/CAR-2020-11-005.yaml @@ -1,3 +1,4 @@ +--- title: Clear Powershell Console Command History submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-005 -description: |- +description: | Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. Note that the command to remove the history file directly may very a bit if the history file is not saved in the default path on a particular system. coverage: - technique: T1070 
@@ -22,7 +23,7 @@ coverage: implementations: - name: Pseudocode - clear or disable Powershell console history via commandline description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create clear_commands = filter processes where ( command_line ="*rm (Get-PSReadlineOption).HistorySavePath*" OR command_line="*del (Get-PSReadlineOption).HistorySavePath*" OR command_line="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR command_line="*Remove-Item (Get-PSReadlineOption).HistorySavePath*") OR command_linee="del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt") @@ -31,13 +32,13 @@ implementations: type: Pseudocode - name: Splunk Search - clear command history via Powershell description: Look for powershell commands that would clear command history - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) (CommandLine="*rm (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*del (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR CommandLine="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="del*Microsoft\\Windows\\Powershell\\PSReadline\\ConsoleHost_history.txt") data_model: Sysmon native type: Splunk - name: LogPoint Search - clear command history via Powershell description: Look for powershell commands that would clear command history - code: |- + code: | norm_id=WindowsSysmon event_id=1 (command="*rm (Get-PSReadlineOption).HistorySavePath*" OR command="*del (Get-PSReadlineOption).HistorySavePath*" OR command="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR command="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR command="del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-006.yaml b/analytics/CAR-2020-11-006.yaml index 77b482b5..ae16c632 100644 
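Review bot: All three implementations of CAR-2020-11-005 spell the option as `–HistorySaveStyle` with a Unicode en dash (U+2013) rather than the ASCII hyphen PowerShell actually receives, so the `Set-PSReadlineOption` clause cannot match a real command line; replace it with `-HistorySaveStyle` in the pseudocode, Splunk and LogPoint blocks. The pseudocode block also misspells the field in its last clause, `command_linee="del*...`, and that clause carries one more closing parenthesis than was opened. These are context lines rather than ones the commit changes, but the hunk re-emits the `code:` headers of all three blocks, so it is the natural place to fix them.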
--- a/analytics/CAR-2020-11-006.yaml +++ b/analytics/CAR-2020-11-006.yaml @@ -1,3 +1,4 @@ +--- title: Local Permission Group Discovery submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-006 -description: |- +description: | Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives. coverage: - technique: T1069 @@ -23,7 +24,7 @@ coverage: implementations: - name: Pseudocode - net.exe instances description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create net_processes = filter processes where ( exe = "net.exe" AND ( @@ -37,13 +38,13 @@ implementations: type: Pseudocode - name: Splunk Search - net.exe instances description: Look for instances of net.exe - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) Image="C:\\Windows\\System32\\net.exe" AND (CommandLine="* user*" OR CommandLine="* group*" OR CommandLine="* localgroup*" OR CommandLine="*get-localgroup*" OR CommandLine="*get-ADPrincipalGroupMembership*") data_model: Sysmon native type: Splunk - name: LogPoint Search - net.exe instances description: Look for instances of net.exe - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="C:\Windows\System32\net.exe" (command="* user*" OR command="* group*" OR command="* localgroup*" OR command="*get-localgroup*" OR command="*get-ADPrincipalGroupMembership*") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-007.yaml b/analytics/CAR-2020-11-007.yaml index be69d59c..a9b5e3ea 100644 --- a/analytics/CAR-2020-11-007.yaml +++ b/analytics/CAR-2020-11-007.yaml 
@@ -1,3 +1,4 @@ +--- title: Network Share Connection Removal submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-007 -description: |- +description: | Adversaries may use network shares to exfliltrate date; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via commandline, which is otherwise a rare event. coverage: - technique: T1070 @@ -22,7 +23,7 @@ coverage: implementations: - name: Pseudocode - network shares being removed via the command line description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create target_processes = filter processes where ( (exe="C:\\Windows\\System32\\net.exe" AND command_line="*delete*") OR @@ -33,13 +34,13 @@ implementations: type: Pseudocode - name: Splunk Search - delete network shares description: looks network shares being deleted from the command line - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) ((Image="C:\\Windows\\System32\\net.exe" AND CommandLine="*delete*") OR CommandLine="*Remove-SmbShare*" OR CommandLine="*Remove-FileShare*") data_model: Sysmon native type: Splunk - name: LogPoint Search - delete network shares description: looks network shares being deleted from the command line - code: |- + code: | norm_id=WindowsSysmon event_id=1 ((image="C:\Windows\System32\net.exe" command="*delete*") OR command="*Remove-SmbShare*" OR command="*Remove-FileShare*") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-008.yaml b/analytics/CAR-2020-11-008.yaml index 7f7437a0..629561c4 100644 --- a/analytics/CAR-2020-11-008.yaml +++ b/analytics/CAR-2020-11-008.yaml @@ -1,3 +1,4 @@ +--- title: MSBuild and msxsl submission_date: 2020/11/30 information_domain: Host 
@@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-008 -description: |- +description: | Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variaty of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio. coverage: - technique: T1127 @@ -22,7 +23,7 @@ coverage: implementations: - name: Pseudocode - msbuild description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create target_processes = filter processes where ( (exe="C:\Program Files (x86)\Microsoft Visual Studio\*\bin\MSBuild.exe" OR exe="C:\Windows\Microsoft.NET\Framework*\msbuild.exe" OR exe="C:\users\*\appdata\roaming\microsoft\msxsl.exe") AND @@ -32,13 +33,13 @@ implementations: type: Pseudocode - name: Splunk Search - msbuild description: Looks for all instances of msbuild.exe or msxsl.exe - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) (Image="C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\bin\\MSBuild.exe" OR Image="C:\\Windows\\Microsoft.NET\\Framework*\\msbuild.exe" OR Image="C:\\users\\*\\appdata\\roaming\\microsoft\\msxsl.exe") ParentImage!="*\\Microsoft Visual Studio*") data_model: Sysmon native type: Splunk - name: LogPoint Search - msbuild description: Looks for all instances of msbuild.exe or msxsl.exe - code: |- + code: | norm_id=WindowsSysmon event_id=1 (image IN ["C:\Program Files (x86)\Microsoft Visual Studio\*\bin\MSBuild.exe", "C:\Windows\Microsoft.NET\Framework*\msbuild.exe", "C:\Users\*\appdata\roaming\microsoft\msxsl.exe") -parent_image="*\Microsoft Visual Studio*") data_model: LogPoint native type: LogPoint 
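Review bot: The LogPoint search of CAR-2020-11-008 opens a list with `image IN [` but never closes it with `]`, ending the clause with `msxsl.exe") -parent_image=...")` instead, and the Splunk search in the same hunk has one more `)` than `(`: the trailing `)` after `ParentImage!="*\\Microsoft Visual Studio*"` has no matching opener. Both queries fail to parse as written. For Splunk drop the final `)`; for LogPoint close the list with `"]` before `-parent_image` so the clause reads `(image IN [...] -parent_image="*\Microsoft Visual Studio*")`. The pseudocode block's filter continues beyond the hunk.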
diff --git a/analytics/CAR-2020-11-009.yaml b/analytics/CAR-2020-11-009.yaml index df030754..0ec150c2 100644 --- a/analytics/CAR-2020-11-009.yaml +++ b/analytics/CAR-2020-11-009.yaml @@ -1,3 +1,4 @@ +--- title: Compiled HTML Access submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-009 -description: |- +description: | Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic. coverage: - technique: T1218 @@ -22,7 +23,7 @@ coverage: implementations: - name: Pseudocode - instances of hh.exe description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create target_processes = filter processes where (exe="C:\Windows\syswow64\hh.exe" OR exe="C:\Windows\system32\hh.exe") output target_processes @@ -30,13 +31,13 @@ implementations: type: Pseudocode - name: Splunk Search - hh.exe description: looks all instances of hh.exe - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\syswow64\\hh.exe" OR Image="C:\\Windows\\system32\\hh.exe") data_model: Sysmon native type: Splunk - name: LogPoint Search - hh.exe description: looks all instances of hh.exe - code: |- + code: | norm_id=WindowsSysmon event_id=1 (image="C:\Windows\syswow64\hh.exe" OR image="C:\Windows\system32\hh.exe") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-010.yaml b/analytics/CAR-2020-11-010.yaml index 0212b6fb..5ade0c80 100644 --- a/analytics/CAR-2020-11-010.yaml +++ b/analytics/CAR-2020-11-010.yaml @@ -1,3 +1,4 @@ +--- title: CMSTP submission_date: 2020/11/30 information_domain: Host 
@@ -24,7 +25,7 @@ coverage: implementations: - name: Pseudocode - CMSTP description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create target_processes = filter processes where ( exe="C:\Windows\System32\CMSTP.exe" AND @@ -34,13 +35,13 @@ implementations: type: Pseudocode - name: Splunk Search - CMSTP description: looks for instances of CMSTP.exe that are combined with external communication - code: |- + code: | (index=__your_sysmon_index__ EventCode=3) Image="C:\\Windows\\System32\\CMSTP.exe" | where ((!cidrmatch("10.0.0.0/8", SourceIp) AND !cidrmatch("192.168.0.0/16", SourceIp) AND !cidrmatch("172.16.0.0/12", SourceIp)) data_model: Sysmon native type: Splunk - name: LogPoint Search - CMSTP description: looks for instances of CMSTP.exe that are combined with external communication - code: |- + code: | norm_id=WindowsSysmon event_id=3 image="C:\Windows\System32\CMSTP.exe" -source_address IN HOMENET data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-011.yaml b/analytics/CAR-2020-11-011.yaml index e1f258f7..77c9de4c 100644 --- a/analytics/CAR-2020-11-011.yaml +++ b/analytics/CAR-2020-11-011.yaml @@ -1,3 +1,4 @@ +--- title: Registry Edit from Screensaver submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-011 -description: |- +description: | Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs. coverage: - technique: T1546 
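Review bot: The Splunk search for CMSTP has an unbalanced `where` clause: `| where ((!cidrmatch("10.0.0.0/8", SourceIp) AND ... AND !cidrmatch("172.16.0.0/12", SourceIp))` opens two parentheses and closes only one, so the search errors before it runs. Either reduce the leading `((` to `(` or append the missing `)`. This is a context line the commit leaves unchanged; I mention it because the hunk re-emits the surrounding `code:` header.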
@@ -23,7 +24,7 @@ coverage: implementations: - name: Pseudocode - Screensaver description: This is a pseudocode representation of the below splunk search. - code: |- + code: | reg_events = search Registry:add or Registry:edit scr_reg_events = filter processes where ( key="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE" AND @@ -32,13 +33,13 @@ implementations: type: Pseudocode - name: Splunk Search - Screensaver description: looks creations of edits of the SCRNSAVE.exe registry key - code: |- + code: | index=your_sysmon_index (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE" data_model: Sysmon native type: Splunk - name: LogPoint Search - Screensaver description: looks creations of edits of the SCRNSAVE.exe registry key - code: |- + code: | norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE" data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2021-01-001.yaml b/analytics/CAR-2021-01-001.yaml index 47c65367..2f365dcb 100644 --- a/analytics/CAR-2021-01-001.yaml +++ b/analytics/CAR-2021-01-001.yaml 
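Review bot: The pseudocode in CAR-2020-11-011 searches into `reg_events` but then filters a variable the block never defines: `scr_reg_events = filter processes where (` should read `scr_reg_events = filter reg_events where (`. The Splunk search in the next hunk also uses `index=your_sysmon_index`, while every other analytic in this chunk uses the `__your_sysmon_index__` placeholder; aligning it lets the same substitution work across files. The pseudocode filter continues outside the hunk.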
@@ -20,12 +20,12 @@ coverage: tactics: - TA0007 implementations: -- name: Splunk search - Identifying Internal hosts and services for lateral movement - description: It should be noted that when a host/ port/ service scan is performed from a compromised machine, a single machine makes multiple calls to other hosts in the network to identify live hosts and services. This can be detected using the following query - code: |- - sourcetype='firewall_logs' dest_ip = 'internal_subnet' | stats dc(dest_port) as pcount by src_ip | where pcount >5 - data_model: Sysmon native - type: Splunk + - name: Splunk search - Identifying Internal hosts and services for lateral movement + description: It should be noted that when a host/ port/ service scan is performed from a compromised machine, a single machine makes multiple calls to other hosts in the network to identify live hosts and services. This can be detected using the following query + code: |- + sourcetype='firewall_logs' dest_ip = 'internal_subnet' | stats dc(dest_port) as pcount by src_ip | where pcount >5 + data_model: Sysmon native + type: Splunk data_model_references: - flow/start/dest_ip d3fend_mappings: diff --git a/analytics/CAR-2021-01-002.yaml b/analytics/CAR-2021-01-002.yaml index fb7c93e5..e0769459 100644 --- a/analytics/CAR-2021-01-002.yaml +++ b/analytics/CAR-2021-01-002.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - Cyware Labs id: CAR-2021-01-002 -description: |- +description: | Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands. coverage: - technique: T1059 
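Review bot: The re-indented implementation on the new side keeps `data_model: Sysmon native` for a search whose only input is `sourcetype='firewall_logs'` with `dest_ip`, `dest_port` and `src_ip` fields; that is flow data, not Sysmon, so the label misleads anyone selecting analytics by data model. The `data_model_references` entry `flow/start/dest_ip` directly below agrees with the flow reading, so the line should carry whatever value the schema defines for flow data, or be dropped if it is optional. This hunk is also the only one in the chunk that keeps `code: |-`.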
@@ -20,8 +20,8 @@ coverage: - TA0002 implementations: - name: Splunk search - Identifying possible malware activity via unusually long command line strings - description: This is a Splunk query that determines the average length of a command per user and searches for a command string that is multiple times longer than the average length - code: |- + description: This is a Splunk query that determines the average length of a command per user and searches for a command string that is multiple times longer than the average length + code: | index=* sourcetype="xmlwineventlog" EventCode=4688 |eval cmd_len=len(CommandLine) | eventstats avg(cmd_len) as avg by host| stats max(cmd_len) as maxlen, values(avg) as avgperhost by host, CommandLine | where maxlen > 10*avgperhost data_model: Sysmon native type: Splunk diff --git a/analytics/CAR-2021-01-003.yaml b/analytics/CAR-2021-01-003.yaml index 86758b7d..e153def1 100644 --- a/analytics/CAR-2021-01-003.yaml +++ b/analytics/CAR-2021-01-003.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - Cyware Labs id: CAR-2021-01-003 -description: |- +description: | In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. coverage: - technique: T1070 
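Review bot: `data_model: Sysmon native` does not describe the search it labels, which keys on `sourcetype="xmlwineventlog" EventCode=4688`, i.e. Windows Security auditing process-creation events rather than Sysmon event 1. The search also opens with `index=*`, which scans every index, where the sibling analytics use an `__your_..._index__` placeholder; a similar placeholder for the security-log index would keep the convention. Both lines are context in this hunk.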
@@ -22,8 +22,8 @@ coverage: - TA0005 implementations: - name: Splunk search - Detecting log clearing with wevtutil - description: This search query looks for an instance where wevtutil is invoked along with a command that may cause the system to remove Windows Event logs. - code: |- + description: This search query looks for an instance where wevtutil is invoked along with a command that may cause the system to remove Windows Event logs. + code: | index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) data_model: Sysmon native type: Splunk diff --git a/analytics/CAR-2021-01-004.yaml b/analytics/CAR-2021-01-004.yaml index 2fe6d478..1a584d9c 100644 --- a/analytics/CAR-2021-01-004.yaml +++ b/analytics/CAR-2021-01-004.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - Cyware Labs id: CAR-2021-01-004 -description: |- +description: | After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity. coverage: - technique: T1068 
@@ -20,8 +20,8 @@ coverage: - TA0004 implementations: - name: Splunk search - Unusual Child Process For Spoolsv.exe Or Connhost.exe - description: This query looks for processes spawned by spoolsv.exe or connhost.exe externally, thus alerting us of potentially malicious activity. - code: |- + description: This query looks for processes spawned by spoolsv.exe or connhost.exe externally, thus alerting us of potentially malicious activity. + code: | (index=__your_sysmon_index__ EventCode=1) (Image=C:\\Windows\\System32\\spoolsv.exe* OR Image=C:\\Windows\\System32\\conhost.exe) ParentImage = "C:\\Windows\\System32\\cmd.exe" data_model: Sysmon native type: Splunk diff --git a/analytics/CAR-2021-01-006.yaml b/analytics/CAR-2021-01-006.yaml index 3c1b1909..8e408f66 100644 --- a/analytics/CAR-2021-01-006.yaml +++ b/analytics/CAR-2021-01-006.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - Cyware Labs id: CAR-2021-01-006 -description: |- +description: | Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. coverage: - technique: T1559 
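Review bot: The name and description on the new side say the rule finds child processes of "Spoolsv.exe Or Connhost.exe", but the query matches `Image=...spoolsv.exe*` or `...conhost.exe` with `ParentImage = "C:\\Windows\\System32\\cmd.exe"`, i.e. spoolsv/conhost started by cmd.exe, the opposite parent/child direction, and "connhost" is a misspelling of `conhost.exe`. Either the prose or the query is wrong; if the query is the intended logic, reword the description to `This query looks for spoolsv.exe or conhost.exe being started by cmd.exe, which is unusual and may indicate malicious activity.` and rename the entry to match. The trailing `*` on `spoolsv.exe*` has no counterpart on the conhost term; confirm it is deliberate.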
@@ -21,21 +21,21 @@ coverage: tactics: - TA0002 implementations: -- name: Splunk search - Unusual Child Process spawned using DDE exploit - description: This Splunk query looks for any executable invocations from an Excel file. - code: |- - index = __your_sysmon__index__ (ParentImage="*excel.exe" OR ParentImage="*word.exe" OR ParentImage="*outlook.exe") Image="*.exe" - data_model: Sysmon native - type: Splunk -- name: Splunk search - Unusual Child Process spawned using DDE exploit - description: This Splunk query looks for any executable invocations from an Excel file. - code: |- - processes = search Process:Create - target_processes = filter processes where ( - (parent_image="*excel.exe" OR parent_image="*word.exe" OR parent_image="*outlook.exe") - AND image="*.exe" - ) - type: Pseudocode + - name: Splunk search - Unusual Child Process spawned using DDE exploit + description: This Splunk query looks for any executable invocations from an Excel file. + code: | + index = __your_sysmon__index__ (ParentImage="*excel.exe" OR ParentImage="*word.exe" OR ParentImage="*outlook.exe") Image="*.exe" + data_model: Sysmon native + type: Splunk + - name: Splunk search - Unusual Child Process spawned using DDE exploit + description: This Splunk query looks for any executable invocations from an Excel file. + code: | + processes = search Process:Create + target_processes = filter processes where ( + (parent_image="*excel.exe" OR parent_image="*word.exe" OR parent_image="*outlook.exe") + AND image="*.exe" + ) + type: Pseudocode data_model_references: - process/create/command_line d3fend_mappings: diff --git a/analytics/CAR-2021-01-007.yaml b/analytics/CAR-2021-01-007.yaml index ba2cf335..2ebcdd70 100644 --- a/analytics/CAR-2021-01-007.yaml +++ b/analytics/CAR-2021-01-007.yaml 
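Review bot: The second implementation on the new side is a pseudocode block yet is still named `Splunk search - Unusual Child Process spawned using DDE exploit`, identical to the first entry, so the two cannot be told apart by name; renaming it `Pseudocode - Unusual Child Process spawned using DDE exploit` follows the `Pseudocode - ...` convention the other analytics in this chunk use. The same duplicated naming appears in CAR-2021-01-007, and there and in CAR-2021-01-008 the type is written `type: pseudocode` where every other file here uses `type: Pseudocode`; a consumer matching on the type string will see them as distinct types. The description also says "from an Excel file" while the query covers Excel, Word and Outlook parents.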
@@ -11,7 +11,7 @@ analytic_types: contributors: - Cyware Labs id: CAR-2021-01-007 -description: |- +description: | In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. coverage: - technique: T1562 
@@ -21,21 +21,21 @@ coverage: tactics: - TA0005 implementations: -- name: Splunk search - Detecting Tampering of Windows Defender Command Prompt - description: This query looks for the specific use of service control for querying or trying to stop Windows Defender. - code: |- - index= __your_sysmon__index__ EventCode=1 Image = "C:\\Windows\\System32\\sc.exe" | regex CommandLine="^sc\s*(config|stop|query)\sWinDefend$" - data_model: Sysmon native - type: Splunk -- name: Splunk search - Detecting Tampering of Windows Defender Command Prompt - description: This query looks for the specific use of service control for querying or trying to stop Windows Defender. - code: |- - processes = search Process:Create - target_processes = filter processes where ( - (exe="C:\\Windows\\System32\\sc.exe") AND (command_line="sc *config*" OR command_line="sc *stop*" OR command_line="sc *query*") - ) - output target_processes - type: pseudocode + - name: Splunk search - Detecting Tampering of Windows Defender Command Prompt + description: This query looks for the specific use of service control for querying or trying to stop Windows Defender. + code: | + index= __your_sysmon__index__ EventCode=1 Image = "C:\\Windows\\System32\\sc.exe" | regex CommandLine="^sc\s*(config|stop|query)\sWinDefend$" + data_model: Sysmon native + type: Splunk + - name: Splunk search - Detecting Tampering of Windows Defender Command Prompt + description: This query looks for the specific use of service control for querying or trying to stop Windows Defender. + code: | + processes = search Process:Create + target_processes = filter processes where ( + (exe="C:\\Windows\\System32\\sc.exe") AND (command_line="sc *config*" OR command_line="sc *stop*" OR command_line="sc *query*") + ) + output target_processes + type: pseudocode data_model_references: - process/create/command_line d3fend_mappings: diff --git a/analytics/CAR-2021-01-008.yaml b/analytics/CAR-2021-01-008.yaml index 42bcb323..6e0b03a5 100644 
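Review bot: The regex in the Splunk search, `^sc\s*(config|stop|query)\sWinDefend$`, is anchored to a command line that begins with bare `sc`, so a recorded command line starting with `sc.exe` or with the full image path the search itself matches on will not pass the `regex` stage; the rule is narrower than its description states. Dropping the `^` anchor and allowing the extension, e.g. `regex CommandLine="sc(\.exe)?\s+(config|stop|query)\s+WinDefend$"`, keeps the intent while matching how Sysmon records command lines; confirm against sample events. The pseudocode entry's `command_line="sc *config*"` patterns share the same bare-`sc` assumption.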
--- a/analytics/CAR-2021-01-008.yaml +++ b/analytics/CAR-2021-01-008.yaml @@ -21,21 +21,21 @@ coverage: tactics: - TA0004 implementations: -- name: Detect disabling of UAC via reg.exe - description: This query looks for the specific use of reg.exe in correlation to commands aimed at disabling UAC. - code: |- - sourcetype = __your_sysmon_index__ ParentImage = "C:\\Windows\\System32\\cmd.exe" | where like(CommandLine,"reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%") - data_model: Sysmon native - type: Splunk -- name: Detect disabling of UAC via reg.exe - description: This query looks for the specific use of reg.exe in correlation to commands aimed at disabling UAC. - code: |- - processes = search Process:Create - cmd_processes = filter processes where ( - (parent_image = "C:\\Windows\\System32\\cmd.exe") AND (command_line = "reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%") - ) - data_model: Sysmon native - type: pseudocode + - name: Detect disabling of UAC via reg.exe + description: This query looks for the specific use of reg.exe in correlation to commands aimed at disabling UAC. + code: | + sourcetype = __your_sysmon_index__ ParentImage = "C:\\Windows\\System32\\cmd.exe" | where like(CommandLine,"reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%") + data_model: Sysmon native + type: Splunk + - name: Detect disabling of UAC via reg.exe + description: This query looks for the specific use of reg.exe in correlation to commands aimed at disabling UAC. + code: | + processes = search Process:Create + cmd_processes = filter processes where ( + (parent_image = "C:\\Windows\\System32\\cmd.exe") AND (command_line = "reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%") + ) + data_model: Sysmon native + type: pseudocode data_model_references: - process/create/image_path - process/create/command_line 
diff --git a/analytics/CAR-2021-01-009.yaml b/analytics/CAR-2021-01-009.yaml index e3d088da..cf0f96fe 100644 --- a/analytics/CAR-2021-01-009.yaml +++ b/analytics/CAR-2021-01-009.yaml @@ -1,4 +1,3 @@ - --- title: Detecting Shadow Copy Deletion or Resize submission_date: 2020/12/11 @@ -13,8 +12,7 @@ analytic_types: contributors: - Cyware Labs, Lucas Heiligenstein id: CAR-2021-01-009 -description: |- - After compromising a network of systems, threat actors often try to delete/resize Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. This action is often employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudo code detection focus on Windows Security and Sysmon process creation (4688 and 1). The use of wmic to delete shadow copy generates WMI-Activity Operationnal 5857 event and could generate 5858 (if the operation fails). These 2 EventIDs could be interesting when attackers use wmic without process creation and/or for forensics. +description: After compromising a network of systems, threat actors often try to delete/resize Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. This action is often employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudo code detection focus on Windows Security and Sysmon process creation (4688 and 1). The use of wmic to delete shadow copy generates WMI-Activity Operationnal 5857 event and could generate 5858 (if the operation fails). These 2 EventIDs could be interesting when attackers use wmic without process creation and/or for forensics. coverage: - technique: T1490 coverage: Low 
@@ -22,18 +20,18 @@ coverage: - TA0040 implementations: - name: Splunk Search - Detecting Shadow Copy Deletion or Resize - description: This query looks for the deletion or resizing of shadow copy volumes, which may possibly indicate malicious activity. - code: |- + description: This query looks for the deletion or resizing of shadow copy volumes, which may possibly indicate malicious activity. + code: | ((EventCode="4688" OR EventCode="1") (CommandLine="*vssadmin* *delete* *shadows*" OR CommandLine="*wmic* *shadowcopy* *delete*" OR CommandLine="*vssadmin* *resize* *shadowstorage*")) OR (EventCode="5857" ProviderName="MSVSS__PROVIDER") OR (EventCode="5858" Operation="*Win32_ShadowCopy*") type: Splunk - name: Elastic Search - Detecting Shadow Copy Deletion or Resize description: This query looks for the deletion or resizing of shadow copy volumes, which may possibly indicate malicious activity. - code: |- + code: | (EventCode:("4688" OR "1") AND process.command_line:(*vssadmin*\ *delete*\ *shadows* OR *wmic*\ *shadowcopy*\ *delete* OR *vssadmin*\ *resize*\ *shadowstorage*)) OR (EventCode:"5857" AND ProviderName:"MSVSS__PROVIDER") OR (EventCode:"5858" AND Operation:*Win32_ShadowCopy*) type: Elastic - name: LogPoint Search - Detecting Shadow Copy Deletion or Resize description: This query looks for the deletion or resizing of shadow copy volumes, which may possibly indicate malicious activity. - code: |- + code: | (EventCode IN ["4688", "1"] CommandLine IN ["*vssadmin* *delete* *shadows*", "*wmic* *shadowcopy* *delete*", "*vssadmin* *resize* *shadowstorage*"]) OR (EventCode IN "5857" ProviderName IN "MSVSS__PROVIDER") OR (EventCode IN "5858" Operation IN "*Win32_ShadowCopy*") type: LogPoint data_model_references: 
@@ -43,12 +41,12 @@ d3fend_mappings:
 id: D3-PSA
 label: Process Spawn Analysis
 unit_tests:
-- description: Shadow copy deletion with vssadmin
- commands:
- - 'vssadmin.exe delete shadows /all /quiet'
-- description: Shadow copy deletion with wmic
- commands:
- - 'wmic shadowcopy delete'
-- description: Shadow copy resize with vssadmin
- commands:
- - 'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB'
+ - description: Shadow copy deletion with vssadmin
+ commands:
+ - 'vssadmin.exe delete shadows /all /quiet'
+ - description: Shadow copy deletion with wmic
+ commands:
+ - 'wmic shadowcopy delete'
+ - description: Shadow copy resize with vssadmin
+ commands:
+ - 'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB'
diff --git a/analytics/CAR-2021-02-001.yaml b/analytics/CAR-2021-02-001.yaml
index f4986f19..eafd966e 100644
--- a/analytics/CAR-2021-02-001.yaml
+++ b/analytics/CAR-2021-02-001.yaml
@@ -11,8 +11,8 @@ analytic_types:
 contributors:
 - Nichols Jasper
 id: CAR-2021-02-001
-description: |-
- A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.
+description: |
+ A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.
 coverage:
 - technique: T1505
 tactics:
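Review bot: The re-emitted description line in the CAR-2021-02-001 hunk still carries the typo `gatway`; since the line is rewritten as `+` anyway, make it `gateway`. The preceding CAR-2021-01-009 unit_tests hunk is indentation only and needs nothing.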
@@ -23,12 +23,12 @@ coverage: implementations: - name: Pseudocode - Look for suspicious process tree beginning with web service description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create suspicious_processes = filter processes where ( (parent_exe == "w3wp.exe" OR parent_exe == "httpd.exe" OR - parent_exe == "tomcat*.exe" OR + parent_exe == "tomcat*.exe" OR parent_exe == "nginx.exe" ) AND (exe == "cmd.exe" OR exe == "powershell.exe" OR @@ -41,11 +41,11 @@ implementations: data_model: CAR native type: Pseudocode - name: Splunk Search - webshell-indicative process tree - description: Look for host enumeration commands spawned by web services. - code: |- - (index=__your_sysmon_index__ EventCode=1) + description: Look for host enumeration commands spawned by web services. + code: | + (index=__your_sysmon_index__ EventCode=1) (ParentImage="C:\\Windows\\System32\\*w3wp.exe" OR ParentImage="*httpd.exe" OR ParentImage="*tomcat*.exe" OR ParentImage="*nginx.exe") - (Image="C:\\Windows\\System32\\cmd.exe OR Image="C:\\Windows\\SysWOW64\\cmd.exe" OR Image="C:\\Windows\\System32\\*\\powershell.exe OR Image="C:\\Windows\SysWOW64\\*\powershell.exe OR Image="C:\\Windows\\System32\\net.exe" OR Image="C:\\Windows\\System32\\hostname.exe" OR Image="C:\\Windows\\System32\\whoami.exe" OR Image="*systeminfo.exe OR Image="C:\\Windows\\System32\\ipconfig.exe") + (Image="C:\\Windows\\System32\\cmd.exe OR Image="C:\\Windows\\SysWOW64\\cmd.exe" OR Image="C:\\Windows\\System32\\*\\powershell.exe OR Image="C:\\Windows\SysWOW64\\*\powershell.exe OR Image="C:\\Windows\\System32\\net.exe" OR Image="C:\\Windows\\System32\\hostname.exe" OR Image="C:\\Windows\\System32\\whoami.exe" OR Image="*systeminfo.exe OR Image="C:\\Windows\\System32\\ipconfig.exe") data_model: Sysmon native type: Splunk data_model_references: diff --git a/analytics/CAR-2021-02-002.yaml b/analytics/CAR-2021-02-002.yaml index afde9d72..7d659e80 100644 
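Review bot: The Splunk search on the last `+` line of the second hunk is carried over with unbalanced quoting — `Image="C:\\Windows\\System32\\cmd.exe OR`, `Image="C:\\Windows\\System32\\*\\powershell.exe OR`, `Image="C:\\Windows\SysWOW64\\*\powershell.exe OR` and `Image="*systeminfo.exe OR` never close their string — so Splunk will most likely either reject the search or swallow the following `OR Image=` terms into the literal, and the cmd.exe, powershell.exe and systeminfo.exe branches can never match. Close each of those four strings right after `.exe`, and escape backslashes uniformly as `\\` (the SysWOW64 powershell path mixes `\\` and `\`), so the search matches what the pseudocode implementation in the first hunk describes. The commit only strips trailing whitespace from this line, so the defect is pre-existing, but it is the line under review and the detection is dead until it is fixed.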
--- a/analytics/CAR-2021-02-002.yaml +++ b/analytics/CAR-2021-02-002.yaml @@ -11,9 +11,9 @@ analytic_types: contributors: - Sebastien Damaye id: CAR-2021-02-002 -description: |- - Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques. -coverage: +description: | + Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques. +coverage: - technique: T1548 tactics: - TA0004 
@@ -22,7 +22,7 @@ coverage: implementations: - name: Pseudocode - Meterpreter and Cobalt Strike description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process suspicious_processes = filter processes where ( (parent_image_path == C:\Windows\System32\services.exe" AND @@ -36,14 +36,14 @@ implementations: type: Pseudocode - name: Splunk Search - Meterpreter and Cobalt Strike description: Look for instances GetSystem elevation performed by Meterpreter or Cobalt Strike - code: |- + code: | index=__your_sysmon_index__ (ParentImage="C:\\Windows\\System32\\services.exe" Image="C:\\Windows\\System32\\cmd.exe" (CommandLine="*echo*" AND CommandLine="*\\pipe\\*")) OR (Image="C:\\Windows\\System32\\rundll32.exe" CommandLine="*,a /p:*") data_model: Sysmon native type: Splunk - name: Pseudocode - Empire and PoshC2 description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process suspicious_processes = filter processes where ( (image_path == "C:\Windows\System32\cmd.exe" OR @@ -55,7 +55,7 @@ implementations: type: Pseudocode - name: Splunk Search - Empire and PoshC2 description: Look for instances GetSystem elevation performed by Empire or PoshC2 - code: |- + code: | index=__your_sysmon_index__ (Image="C:\\Windows\\System32\\cmd.exe" OR CommandLine="*%COMSPEC%*") (CommandLine="*echo*" AND CommandLine="*\pipe\*") data_model: Sysmon native type: Splunk diff --git a/analytics/CAR-2021-04-001.yaml b/analytics/CAR-2021-04-001.yaml index 7f4fdd01..34fb05a9 100644 --- a/analytics/CAR-2021-04-001.yaml +++ b/analytics/CAR-2021-04-001.yaml 
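Review bot: In the first hunk the pseudocode comparison `(parent_image_path == C:\Windows\System32\services.exe" AND` has a closing quote but no opening one; it should read `(parent_image_path == "C:\Windows\System32\services.exe" AND` so the pseudocode mirrors the Splunk search that follows it. In the second and third hunks the two Splunk searches escape the pipe path differently — `CommandLine="*\\pipe\\*"` for Meterpreter/Cobalt Strike but `CommandLine="*\pipe\*"` for Empire/PoshC2 — and only one of those can be the intended literal-backslash form; align them on the doubled form the rest of the file uses. Both `suspicious_processes` filters start and end outside their hunks.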
@@ -11,7 +11,7 @@ analytic_types: contributors: - Sebastien Damaye id: CAR-2021-04-001 -description: |- +description: | [Masquerading (T1036)](https://attack.mitre.org/techniques/T1036/) is defined by ATT&CK as follows: "Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names." @@ -45,7 +45,7 @@ coverage: implementations: - name: Pseudocode - Common Windows Process Masquerading description: Looks for mismatches between process names and their image paths. - code: |- + code: | processes = search Process:* suspicious_processes = filter processes where ( (exe=svchost.exe AND (image_path!="C:\\Windows\\System32\\svchost.exe" OR process_path!="C:\\Windows\\SysWow64\\svchost.exe")) @@ -58,13 +58,13 @@ implementations: OR (exe=services.exe AND image_path!="C:\\Windows\\System32\\services.exe") OR (exe=lsm.exe AND image_path!="C:\\Windows\\System32\\lsm.exe") OR (exe=explorer.exe AND image_path!="C:\\Windows\\explorer.exe") - ) + ) output suspicious_processes data_model: CAR native type: Pseudocode - name: Splunk Search - Common Windows Process Masquerading description: Splunk search version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND ( (process_name=svchost.exe AND NOT (process_path="C:\\Windows\\System32\\svchost.exe" OR process_path="C:\\Windows\\SysWow64\\svchost.exe")) OR (process_name=smss.exe AND NOT process_path="C:\\Windows\\System32\\smss.exe") 
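Review bot: The svchost clause in the second hunk's pseudocode, `(exe=svchost.exe AND (image_path!="C:\\Windows\\System32\\svchost.exe" OR process_path!="C:\\Windows\\SysWow64\\svchost.exe"))`, is true for every svchost.exe because one path cannot equal both strings, so the pseudocode flags every legitimate svchost start; the Splunk version in the third hunk gets it right with `NOT (... OR ...)`. Change the inner `OR` to `AND` and use a single field name (`image_path`) for both comparisons, as the remaining clauses of the filter do. The clause is a context line beside the `code: |` change, so the commit does not introduce it; the filter body continues outside the hunk.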
@@ -76,7 +76,7 @@ implementations: OR (process_name=services.exe AND NOT process_path="C:\\Windows\\System32\\services.exe") OR (process_name=lsm.exe AND NOT process_path="C:\\Windows\\System32\\lsm.exe") OR (process_name=explorer.exe AND NOT process_path="C:\\Windows\\explorer.exe") - ) + ) data_model: Sysmon native type: Splunk data_model_references: diff --git a/analytics/CAR-2021-05-001.yaml b/analytics/CAR-2021-05-001.yaml index 87557c43..efe51f48 100644 --- a/analytics/CAR-2021-05-001.yaml +++ b/analytics/CAR-2021-05-001.yaml 
@@ -1,61 +1,62 @@ +--- title: Attempt To Add Certificate To Untrusted Store submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-001 -description: Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. This action may be the precursor to malicious activity. +description: Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. This action may be the precursor to malicious activity. coverage: -- technique: T1553 - tactics: - - TA0005 - coverage: Moderate - subtechniques: - - T1553.004 + - technique: T1553 + tactics: + - TA0005 + coverage: Moderate + subtechniques: + - T1553.004 implementations: -- name: Splunk code - description: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also - be ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. 
- code: '| tstats count min(_time) as firstTime values(Processes.process) as process - max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=*certutil* - (Processes.process=*-addstore*) by Processes.parent_process Processes.process_name - Processes.user' - type: Splunk - data_model: Endpoint -- name: Pseudocode – detect attempts to add a certificate to a certificate store - description: Pseudocode implementation of the splunk search below - code: |- - processes = search Process:Create - addstore_commands = filter processes where ( - exe =”C:\Windows\System32\certutil.exe” AND command_line="*-addstore*” ) - output addstore_commands - data_model: CAR native - type: Pseudocode + - name: Splunk code + description: You must be ingesting data that records process activity from your + hosts to populate the Endpoint data model in the Processes node. You must also + be ingesting logs with both the process name and command line from your endpoints. + The command-line arguments are mapped to the "process" field in the Endpoint data + model. 
+ code: '| tstats count min(_time) as firstTime values(Processes.process) as process + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=*certutil* + (Processes.process=*-addstore*) by Processes.parent_process Processes.process_name + Processes.user' + type: Splunk + data_model: Endpoint + - name: Pseudocode – detect attempts to add a certificate to a certificate store + description: Pseudocode implementation of the splunk search below + code: | + processes = search Process:Create + addstore_commands = filter processes where ( + exe =”C:\Windows\System32\certutil.exe” AND command_line="*-addstore*” ) + output addstore_commands + data_model: CAR native + type: Pseudocode unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1553.004](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004) - against a Windows target. 
- commands: - - Invoke-AtomicTest T1553.004 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1553.004](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004) + against a Windows target. + commands: + - Invoke-AtomicTest T1553.004 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-002.yaml b/analytics/CAR-2021-05-002.yaml index 203c8308..78d0d311 100644 --- a/analytics/CAR-2021-05-002.yaml +++ b/analytics/CAR-2021-05-002.yaml 
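Review bot: The re-indented certutil pseudocode still uses typographic quotes that do not pair up — `exe =”C:\Windows\System32\certutil.exe” AND command_line="*-addstore*”` opens the second string with `"` and closes it with `”` — so the line cannot be read as two string comparisons; replace all of them with straight `"`. Its `description:` says `Pseudocode implementation of the splunk search below`, but in this file the Splunk implementation is listed first, so it should say `above`. Both lines are emitted as `+` in this hunk, so fixing them here is in scope.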
@@ -1,61 +1,61 @@ +--- title: Batch File Write to System32 submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-002 description: While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions. coverage: -- technique: T1204 - subtechniques: - - T1204.002 - tactics: - - TA0002 - coverage: Moderate + - technique: T1204 + subtechniques: + - T1204.002 + tactics: + - TA0002 + coverage: Moderate implementations: -- name: Pseudocode – Batch file created in the Windows system32 directory tree - description: Pseudocode implementation of the Splunk search below - code: |- - files = search File:create - batch_files = filter files where ( - extension =".bat" AND file_path = "C:\Windows\system32*" ) - output batch_files - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: You must be ingesting data that records the file-system activity from - your hosts to populate the Endpoint file-system data-model node. If you are using - Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which - you want to collect data. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) - as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user - from datamodel=Endpoint.Filesystem by Filesystem.file_path | rex field=file_name - "(?\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat' - type: Splunk - data_model: Endpoint - + - name: Pseudocode – Batch file created in the Windows system32 directory tree + description: Pseudocode implementation of the Splunk search below + code: | + files = search File:create + batch_files = filter files where ( + extension =".bat" AND file_path = "C:\Windows\system32*" ) + output batch_files + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: You must be ingesting data that records the file-system activity from + your hosts to populate the Endpoint file-system data-model node. If you are using + Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which + you want to collect data. 
+ code: '| tstats count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) + as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user + from datamodel=Endpoint.Filesystem by Filesystem.file_path | rex field=file_name + "(?\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1204.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1204.002) - against a Windows target. - commands: - - Invoke-AtomicTest T1204.002 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1204.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1204.002) + against a Windows target. 
+ commands: + - Invoke-AtomicTest T1204.002 data_model_references: -- file/create/extension -- file/create/file_path + - file/create/extension + - file/create/file_path d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-003.yaml b/analytics/CAR-2021-05-003.yaml index 7fd2b3fe..0691da52 100644 --- a/analytics/CAR-2021-05-003.yaml +++ b/analytics/CAR-2021-05-003.yaml 
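Review bot: The Splunk `rex` in the re-added `code:` value, `| rex field=file_name "(?\.[^\.]+)$"`, has no capture-group name — `(?` is followed directly by the pattern — so the later `search file_path=*system32* AND file_extension=.bat` filters on a field that is never populated and the detection returns nothing. It looks like a named group was lost (angle brackets stripped at some point); the line should read `| rex field=file_name "(?<file_extension>\.[^\.]+)$"` to define `file_extension`. The line is re-emitted as `+` in this hunk, so the fix fits this commit; the rest of the hunk is indentation and the `|-` to `|` swap.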
@@ -1,59 +1,60 @@ +--- title: BCDEdit Failure Recovery Modification submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-003 description: This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery. coverage: -- technique: T1490 - tactics: - - TA0040 - coverage: Moderate + - technique: T1490 + tactics: + - TA0040 + coverage: Moderate implementations: -- name: Pseudocode – detect attempts to add a certificate to a certificate store - description: Pseudocode implementation of the splunk search below - code: |- - processes = search Process:Create - bcdedit_commands = filter processes where ( - exe = "C:\Windows\System32\bcdedit.exe" AND command_line="*recoveryenabled*" ) - output bcedit_commands - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: You must be ingesting endpoint data that tracks process activity, including - parent-child relationships from your endpoints to populate the Endpoint data model - in the Processes node. Tune based on parent process names. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" - (Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name - Processes.dest Processes.user' - type: Splunk - data_model: Endpoint + - name: Pseudocode – detect attempts to add a certificate to a certificate store + description: Pseudocode implementation of the splunk search below + code: | + processes = search Process:Create + bcdedit_commands = filter processes where ( + exe = "C:\Windows\System32\bcdedit.exe" AND command_line="*recoveryenabled*" ) + output bcedit_commands + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: You must be ingesting endpoint data that tracks process activity, including + parent-child relationships from your endpoints to populate the Endpoint data model + in the Processes node. Tune based on parent process names. 
+ code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" + (Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name + Processes.dest Processes.user' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1490](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1490) - against a Windows target. - commands: - - Invoke-AtomicTest T1490 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1490](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1490) + against a Windows target. + commands: + - Invoke-AtomicTest T1490 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA 
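Review bot: The pseudocode implementation in this hunk assigns `bcdedit_commands` but then runs `output bcedit_commands`, a name that is never defined; the output line should be `output bcdedit_commands`. Its `name:` line, `Pseudocode – detect attempts to add a certificate to a certificate store`, is copied from CAR-2021-05-001 and describes certutil rather than the bcdedit recovery-flag check this file implements; something like `Pseudocode – detect bcdedit disabling failure recovery` matches the title. Both are `+` lines here, so the corrections belong in this commit.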
diff --git a/analytics/CAR-2021-05-004.yaml b/analytics/CAR-2021-05-004.yaml index 5dde8045..993b4906 100644 --- a/analytics/CAR-2021-05-004.yaml +++ b/analytics/CAR-2021-05-004.yaml @@ -1,14 +1,15 @@ +--- title: BITS Job Persistence submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-004 description: The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. 
@@ -18,48 +19,48 @@ description: The following query identifies Microsoft Background Intelligent Tra to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. coverage: -- technique: T1197 - tactics: - - TA0005 - - TA0003 - coverage: Moderate + - technique: T1197 + tactics: + - TA0005 + - TA0003 + coverage: Moderate implementations: -- name: Pseudocode – detect a BITS job being scheduled - description: Pseudocode implementation of the splunk search below - code: |- - processes = search Process:Create - bitsadmin_commands = filter processes where ( - exe ="C:\Windows\System32\bitsadmin.exe" AND command_line includes one of [*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*,*resume*]) - output bitsadmin_commands - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=bitsadmin.exe Processes.process IN (*create*, *addfile*, - *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, - *resume* ) by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id' - type: Splunk - data_model: Endpoint + - name: Pseudocode – detect a BITS job being scheduled + description: Pseudocode implementation of the splunk search below + code: | + processes = search Process:Create + bitsadmin_commands = filter processes where ( + exe ="C:\Windows\System32\bitsadmin.exe" AND command_line includes one of [*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*,*resume*]) + output bitsadmin_commands + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. 
+ code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=bitsadmin.exe Processes.process IN (*create*, *addfile*, + *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, + *resume* ) by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1197](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1197) - against a Windows target. - commands: - - Invoke-AtomicTest T1197 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1197](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1197) + against a Windows target. 
+ commands: + - Invoke-AtomicTest T1197 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-005.yaml b/analytics/CAR-2021-05-005.yaml index 7df8e149..8918e864 100644 --- a/analytics/CAR-2021-05-005.yaml +++ b/analytics/CAR-2021-05-005.yaml @@ -1,14 +1,15 @@ +--- title: BITSAdmin Download File submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-005 description: The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote 
@@ -23,51 +24,51 @@ description: The following query identifies Microsoft Background Intelligent Tra malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. coverage: -- technique: T1197 - tactics: - - TA0005 - - TA0003 - coverage: Moderate -- technique: T1105 - tactics: - - TA0011 - coverage: Moderate + - technique: T1197 + tactics: + - TA0005 + - TA0003 + coverage: Moderate + - technique: T1105 + tactics: + - TA0011 + coverage: Moderate implementations: -- name: Pseudocode – detect BITS transfer jobs - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - bitsadmin_commands = filter processes where ( - exe ="C:\Windows\System32\bitsadmin.exe" AND command_line = *transfer*) - output bitsadmin_commands - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=bitsadmin.exe Processes.process=*transfer* by Processes.dest - Processes.user Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id' - type: Splunk - data_model: Endpoint + - name: Pseudocode – detect BITS transfer jobs + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + bitsadmin_commands = filter processes where ( + exe ="C:\Windows\System32\bitsadmin.exe" AND command_line = *transfer*) + output bitsadmin_commands + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. + code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=bitsadmin.exe Processes.process=*transfer* by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test 
[T1197](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1197) - against a Windows target. - commands: - - Invoke-AtomicTest T1197 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1197](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1197) + against a Windows target. + commands: + - Invoke-AtomicTest T1197 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-006.yaml b/analytics/CAR-2021-05-006.yaml index 9a9a1404..10ee4f93 100644 --- a/analytics/CAR-2021-05-006.yaml +++ b/analytics/CAR-2021-05-006.yaml @@ -1,14 +1,15 @@ +--- title: CertUtil Download With URLCache and Split Arguments submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-006 description: Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, 
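Review bot: The pseudocode and the Splunk search in this hunk are described as equivalent ("Pseudocode implementation of the Splunk search below") but they select differently: the pseudocode keeps only `exe ="C:\Windows\System32\bitsadmin.exe"`, while the Splunk search filters `Processes.process_name=bitsadmin.exe` with no path, so a launch of the 32-bit copy under `C:\Windows\SysWOW64\bitsadmin.exe` is matched by one implementation and not the other. Either widen the pseudocode, e.g. `(exe = "C:\Windows\System32\bitsadmin.exe" OR exe = "C:\Windows\SysWOW64\bitsadmin.exe") AND command_line = *transfer*`, or state in the description that the Splunk search is the authoritative one. Separately, changing the pseudocode scalar header from `|-` to `|` appends a trailing newline to the `code` value; harmless for pseudocode, but it is a value change in a commit that otherwise only reindents, and yamllint does not, as far as I know, require it.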
@@ -18,46 +19,46 @@ description: Certutil.exe may download a file from a remote destination using `- During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. coverage: -- technique: T1105 - tactics: - - TA0011 - coverage: Moderate + - technique: T1105 + tactics: + - TA0011 + coverage: Moderate implementations: -- name: Pseudocode – CertUtil download - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - certutil_downloads = filter processes where ( - exe ="C:\Windows\System32\certutil.exe" AND command_line = *urlcache* AND command_line = *split*) - output certutil_downloads - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=certutil.exe Processes.process=*urlcache* Processes.process=*split* - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id' - type: Splunk - data_model: Endpoint + - name: Pseudocode – CertUtil download + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + certutil_downloads = filter processes where ( + exe ="C:\Windows\System32\certutil.exe" AND command_line = *urlcache* AND command_line = *split*) + output certutil_downloads + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. 
+ code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=certutil.exe Processes.process=*urlcache* Processes.process=*split* + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1105](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105) - against a Windows target. - commands: - - Invoke-AtomicTest T1105 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1105](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105) + against a Windows target. 
+ commands: + - Invoke-AtomicTest T1105 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-007.yaml b/analytics/CAR-2021-05-007.yaml index 43b21121..b8e2842d 100644 --- a/analytics/CAR-2021-05-007.yaml +++ b/analytics/CAR-2021-05-007.yaml @@ -1,14 +1,15 @@ +--- title: CertUtil Download With VerifyCtl and Split Arguments submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-007 description: 'Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, 
@@ -18,46 +19,46 @@ description: 'Certutil.exe may download a file from a remote destination using ` the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. ' coverage: -- technique: T1105 - tactics: - - TA0011 - coverage: Moderate + - technique: T1105 + tactics: + - TA0011 + coverage: Moderate implementations: -- name: Pseudocode – CertUtil download with VerifyCtl - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - certutil_downloads = filter processes where ( - exe = "C:\Windows\System32\certutil.exe" AND command_line = *verifyctl* AND command_line = *split*) - output certutil_downloads - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=certutil.exe Processes.process=*verifyctl* Processes.process=*split* - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id' - type: Splunk - data_model: Endpoint + - name: Pseudocode – CertUtil download with VerifyCtl + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + certutil_downloads = filter processes where ( + exe = "C:\Windows\System32\certutil.exe" AND command_line = *verifyctl* AND command_line = *split*) + output certutil_downloads + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. 
+ code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=certutil.exe Processes.process=*verifyctl* Processes.process=*split* + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1105](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105) - against a Windows target. - commands: - - Invoke-AtomicTest T1105 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1105](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105) + against a Windows target. 
+ commands: + - Invoke-AtomicTest T1105 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-008.yaml b/analytics/CAR-2021-05-008.yaml index a5671c49..d5dcd378 100644 --- a/analytics/CAR-2021-05-008.yaml +++ b/analytics/CAR-2021-05-008.yaml 
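Review bot: The description in this file spells the switch `-VerifyCtl` (certutil switches are case-insensitive, so that mixed-case form is what real usage looks like), yet the Splunk search filters `Processes.process=*verifyctl*` and the pseudocode `command_line = *verifyctl*` in all-lowercase. If, as I recall, value matching in a `tstats ... where` clause is case-sensitive, the mixed-case spelling would be missed while the lowercase replay dataset still passes the unit test, so this should be confirmed against a `-VerifyCtl -f -split` invocation rather than only the sysmon replay. If it is case-sensitive, match on the `by`-clause field after `tstats` with the case-insensitive `search` command, e.g. `| search Processes.process=*verifyctl* Processes.process=*split*`, and drop those two terms from the `where` clause.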
@@ -1,59 +1,59 @@ +--- title: Certutil exe certificate extraction submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-008 description: This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS. coverage: -- technique: T1606 - subtechniques: - - T1606.002 - tactics: - - TA0006 - coverage: Moderate + - technique: T1606 + subtechniques: + - T1606.002 + tactics: + - TA0006 + coverage: Moderate implementations: -- name: Pseudocode – CertUtil certificate extraction - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - certutil_downloads = filter processes where ( - exe =”C:\Windows\System32\certutil.exe” AND command_line = * -exportPFX * ) - output certutil_downloads - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: Splunk implementation - code: '| tstats count min(_time) as firstTime values(Processes.process) as process - max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe - Processes.process = "* -exportPFX *" by Processes.parent_process Processes.process_name - Processes.process Processes.user' - type: Splunk - data_model: Endpoint + - name: Pseudocode – CertUtil certificate extraction + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + certutil_downloads = filter processes where ( + exe =”C:\Windows\System32\certutil.exe” AND command_line = * -exportPFX * ) + output certutil_downloads + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: Splunk implementation + code: '| tstats count 
min(_time) as firstTime values(Processes.process) as process + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe + Processes.process = "* -exportPFX *" by Processes.parent_process Processes.process_name + Processes.process Processes.user' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1606.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1606.002) - against a Windows target. - commands: - - Invoke-AtomicTest T1606.002 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: Execute the atomic test [T1606.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1606.002) against a Windows target. + commands: + - Invoke-AtomicTest T1606.002 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA 
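Review bot: The pseudocode line `exe =”C:\Windows\System32\certutil.exe” AND command_line = * -exportPFX *` still uses typographic quotes (`”`) rather than ASCII `"`, which this lint-focused commit carries over unchanged; they should be `exe = "C:\Windows\System32\certutil.exe" AND command_line = * -exportPFX *` so the pseudocode can be copied into a real filter. The Splunk search here also groups only `by Processes.parent_process Processes.process_name Processes.process Processes.user`, unlike every other `tstats` search in this diff, which includes `Processes.dest`; without it a hit cannot be attributed to a host, so add `Processes.dest` to the `by` clause. Minor: the pseudocode variable is named `certutil_downloads` for a certificate-export detection, a leftover from the download analytics.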
diff --git a/analytics/CAR-2021-05-009.yaml b/analytics/CAR-2021-05-009.yaml index 76c6177d..3583fae4 100644 --- a/analytics/CAR-2021-05-009.yaml +++ b/analytics/CAR-2021-05-009.yaml @@ -1,14 +1,15 @@ +--- title: CertUtil With Decode Argument submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-009 description: CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` 
@@ -19,46 +20,46 @@ description: CertUtil.exe may be used to `encode` and `decode` a file, including further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. coverage: -- technique: T1140 - tactics: - - TA0005 - coverage: Moderate + - technique: T1140 + tactics: + - TA0005 + coverage: Moderate implementations: -- name: Pseudocode – CertUtil with Decode Argument - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - certutil_downloads = filter processes where ( - exe =”C:\Windows\System32\certutil.exe” AND command_line = *decode* ) - output certutil_downloads - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=certutil.exe Processes.process=*decode* by Processes.dest - Processes.user Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id' - type: Splunk - data_model: Endpoint + - name: Pseudocode – CertUtil with Decode Argument + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + certutil_downloads = filter processes where ( + exe =”C:\Windows\System32\certutil.exe” AND command_line = *decode* ) + output certutil_downloads + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. + code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=certutil.exe Processes.process=*decode* by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test 
[T1140](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1140) - against a Windows target. - commands: - - Invoke-AtomicTest T1140 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1140](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1140) + against a Windows target. + commands: + - Invoke-AtomicTest T1140 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-010.yaml b/analytics/CAR-2021-05-010.yaml index 285fc5a1..1d743225 100644 --- a/analytics/CAR-2021-05-010.yaml +++ b/analytics/CAR-2021-05-010.yaml 
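Review bot: As in CAR-2021-05-008, the pseudocode `exe =”C:\Windows\System32\certutil.exe”` keeps typographic quotes that should be plain ASCII `"`, and the variable `certutil_downloads` names a decode filter. Also worth a comment in the description: `Processes.process=*decode*` is a bare substring, so it also matches `-decodehex` and any unrelated argument containing "decode"; that is acceptable for a Moderate-coverage TTP analytic but should be stated as a known false-positive source alongside the triage guidance.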
@@ -1,63 +1,64 @@ +--- title: Create local admin accounts using net exe submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-010 description: This search looks for the creation of local administrator accounts using net.exe. coverage: -- technique: T1136 - subtechniques: - - T1136.001 - tactics: - - TA0003 - coverage: Moderate + - technique: T1136 + subtechniques: + - T1136.001 + tactics: + - TA0003 + coverage: Moderate implementations: -- name: Pseudocode – CertUtil certificate extraction - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - certutil_downloads = filter processes where ( - (exe = C:\Windows\System32\net.exe OR exe = C:\Windows\System32\net1.exe ) AND command_line = * -exportPFX * ) - output certutil_downloads - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also - be ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. 
- code: '| tstats count values(Processes.user) as user values(Processes.parent_process) - as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND - (Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*) - by Processes.process Processes.process_name Processes.dest |`create_local_admin_accounts_using_net_exe_filter`' - type: Splunk - data_model: Endpoint + - name: Pseudocode – CertUtil certificate extraction + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + certutil_downloads = filter processes where ( + (exe = C:\Windows\System32\net.exe OR exe = C:\Windows\System32\net1.exe ) AND command_line = * -exportPFX * ) + output certutil_downloads + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: You must be ingesting data that records process activity from your + hosts to populate the Endpoint data model in the Processes node. You must also + be ingesting logs with both the process name and command line from your endpoints. + The command-line arguments are mapped to the "process" field in the Endpoint data + model. 
+ code: '| tstats count values(Processes.user) as user values(Processes.parent_process) + as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND + (Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*) + by Processes.process Processes.process_name Processes.dest |`create_local_admin_accounts_using_net_exe_filter`' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1136.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1136.001) - against a Windows target. - commands: - - Invoke-AtomicTest T1136.001 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1136.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1136.001) + against a Windows target. 
+ commands: + - Invoke-AtomicTest T1136.001 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-011.yaml b/analytics/CAR-2021-05-011.yaml index 3b2abc44..4d112621 100644 --- a/analytics/CAR-2021-05-011.yaml +++ b/analytics/CAR-2021-05-011.yaml 
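Review bot: The pseudocode in this hunk is a copy of the certutil analytic and does not implement the Splunk search it claims to mirror: it is titled "CertUtil certificate extraction" and filters net.exe/net1.exe on `command_line = * -exportPFX *`, whereas the Splunk search selects `*localgroup* OR */add* OR *user*`. A reader relying on the pseudocode would implement nothing useful, so it should be rewritten to the net.exe logic. Note also that the Splunk `OR` list fires on a plain `net user` listing with no `/add`, which the title "Create local admin accounts" does not suggest; consider requiring `*/add*` together with `*user*` or `*localgroup*`, or document the breadth. The trailing `|\`create_local_admin_accounts_using_net_exe_filter\`` macro is not defined anywhere visible, so the search will error unless that macro exists in the target environment; the description should say so.

```yaml
  - name: Pseudocode – local account creation with net.exe
    description: Pseudocode implementation of the Splunk search below
    code: |
      processes = search Process:Create
      net_account_commands = filter processes where (
        (exe = C:\Windows\System32\net.exe OR exe = C:\Windows\System32\net1.exe ) AND
        (command_line = *localgroup* OR command_line = */add* OR command_line = *user*) )
      output net_account_commands
    # … unchanged: data_model, type, Splunk implementation …
```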
@@ -1,59 +1,60 @@ +--- title: Create Remote Thread into LSASS submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-011 -description: Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials. +description: Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials. coverage: -- technique: T1003 - subtechniques: - - T1003.001 - tactics: - - TA0006 - coverage: Moderate + - technique: T1003 + subtechniques: + - T1003.001 + tactics: + - TA0006 + coverage: Moderate implementations: -- name: Pseudocode – Remote thread creation into LSASS - description: Pseudocode implementation of the Splunk search below. The CAR data model does not currently contain a Target Image field, for remote thread creation, so this code Is somewhat inexact. See the Splunk implementation for a more precise search for the lsass image target. - code: |- - remote_threads = search Thread:remote_create - lsass_remote_create = filter remote_threads where "lsass" in raw event - output lsass_remote_create - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: This search needs Sysmon Logs with a Sysmon configuration, which includes - EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We - strongly recommend that you specify your environment-specific configurations (index, - source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition - with configurations for your Splunk environment. The search also uses a post-filter - macro designed to filter out known false positives. 
- code: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime - max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | - rename Computer as dest' - type: Splunk - data_model: '' + - name: Pseudocode – Remote thread creation into LSASS + description: Pseudocode implementation of the Splunk search below. The CAR data model does not currently contain a Target Image field, for remote thread creation, so this code Is somewhat inexact. See the Splunk implementation for a more precise search for the lsass image target. + code: | + remote_threads = search Thread:remote_create + lsass_remote_create = filter remote_threads where "lsass" in raw event + output lsass_remote_create + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: > + This search needs Sysmon Logs with a Sysmon configuration, which includes + EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We + strongly recommend that you specify your environment-specific configurations (index, + source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition + with configurations for your Splunk environment. The search also uses a post-filter + macro designed to filter out known false positives. 
+ code: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime + max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | + rename Computer as dest' + type: Splunk + data_model: '' unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1003.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1003.001) - against a Windows target. - commands: - - Invoke-AtomicTest T1003.001 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: > + Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1003.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1003.001) against a Windows target. + commands: + - Invoke-AtomicTest T1003.001 data_model_references: -- thread/remote_create + - thread/remote_create d3fend_mappings: - iri: d3f:SystemCallAnalysis id: D3-SCA diff --git a/analytics/CAR-2021-05-012.yaml b/analytics/CAR-2021-05-012.yaml index c8f9bcfb..c1b099ec 100644 --- a/analytics/CAR-2021-05-012.yaml +++ b/analytics/CAR-2021-05-012.yaml 
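Review bot: The Splunk search filters on `EventID=8` but groups `by Computer, EventCode, TargetImage, TargetProcessId`, and the description talks about "EventCode 8"; if the Sysmon sourcetype extracts only one of those field names, the search either returns nothing or loses the event-code column, so use one name throughout, e.g. `` `sysmon` EventCode=8 TargetImage=*\\lsass.exe ``. The `*lsass.exe` wildcard also matches any image whose name merely ends in lsass.exe, so anchoring on the path separator is tighter. The description says "The search also uses a post-filter macro designed to filter out known false positives", but the visible search has no such macro after `rename Computer as dest`; either add it or drop that sentence. `data_model: ''` is an empty string where the other Splunk implementations in this diff set `Endpoint`; stating explicitly that this search runs on raw Sysmon events rather than a data model would be clearer.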
@@ -1,60 +1,61 @@ +--- title: Create Service In Suspicious File Path submission_date: 2021/05/11 update_date: 2021/04/05 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-012 description: This detection is to identify a creation of "user mode service" where the service file path is located in non-common service folder in windows. coverage: -- technique: T1569 - subtechniques: - - T1569.001 - - T1569.002 - tactics: - - TA0002 - coverage: Moderate + - technique: T1569 + subtechniques: + - T1569.001 + - T1569.002 + tactics: + - TA0002 + coverage: Moderate implementations: -- name: Pseudocode – Service in Suspicious File Path - description: Pseudocode implementation of the Splunk search below. - code: |- - services = search Service:create - suspicious_services = filter services where image_path = "*\.exe" AND image_path does not contain ["C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*"] ) - output suspicious_services - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search, you need to be ingesting logs - with the Service name, Service File Name Service Start type, and Service Type - from your endpoints. - code: ' `wineventlog_system` EventCode=7045 Service_File_Name = "*\.exe" NOT (Service_File_Name - IN ("C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*")) - Service_Type = "user mode service" | stats count min(_time) as firstTime max(_time) - as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type' - type: Splunk - data_model: Endpoint + - name: Pseudocode – Service in Suspicious File Path + description: Pseudocode implementation of the Splunk search below. 
+ code: | + services = search Service:create + suspicious_services = filter services where image_path = "*\.exe" AND image_path does not contain ["C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*"] ) + output suspicious_services + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search, you need to be ingesting logs + with the Service name, Service File Name Service Start type, and Service Type + from your endpoints. + code: ' `wineventlog_system` EventCode=7045 Service_File_Name = "*\.exe" NOT (Service_File_Name + IN ("C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*")) + Service_Type = "user mode service" | stats count min(_time) as firstTime max(_time) + as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1569.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1569.001) - against a Windows target. 
- commands: - - Invoke-AtomicTest T1569.001 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1569.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1569.001) + against a Windows target. + commands: + - Invoke-AtomicTest T1569.001 data_model_references: -- service/create/image_path + - service/create/image_path d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-11-001.yaml b/analytics/CAR-2021-11-001.yaml index ad67773a..a06daa7a 100644 --- a/analytics/CAR-2021-11-001.yaml +++ b/analytics/CAR-2021-11-001.yaml @@ -1,3 +1,4 @@ +--- title: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 submission_date: 2021/11/24 information_domain: Host @@ -28,7 +29,7 @@ coverage: implementations: - name: Creation of SafeDllSearchMode description: This detects SafeDllSearchMode creation, either via a new process (command line) or direct registry manipulation. - code: |- + code: | processes = search Process:create safe_dll_search_processes = filter processes where command_line CONTAINS("*SafeDllSearchMode*") AND ((command_line CONTAINS("*reg*") AND command_line CONTAINS("*add*") AND command_line CONTAINS("*/d*")) OR (command_line CONTAINS("*Set-ItemProperty*") AND command_line CONTAINS(*-value*)) OR ((command_line CONTAINS("*00000000*") AND command_line CONTAINS(*0*))) reg_keys = search Registry:value_edit 
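Review bot: The re-indented pseudocode in this hunk keeps an unbalanced trailing `)` on the `suspicious_services = filter services where … "%systemroot%\\*"] )` line; there is no matching `(` earlier on that line, so dropping the ` )` would make the block read like the sibling pseudocode blocks. Note also that `code: |-` → `code: |` is a value change, not only a style change: clip chomping keeps one trailing newline, so this `code` value (and every `code`/`description` block scalar switched the same way in the CAR-2021-11-001, CAR-2021-11-002, CAR-2021-12-001, CAR-2021-12-002 and CAR-2022-03-001 hunks) now ends in `\n`, which is worth checking against whatever renders or compares these strings. Separately, `update_date: 2021/04/05` is earlier than `submission_date: 2021/05/11`, which looks inverted.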
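Review bot: In the re-indented pseudocode of the `@@ -28,7 +29,7 @@` hunk, `command_line CONTAINS(*-value*)` and `command_line CONTAINS(*0*)` are the only CONTAINS arguments written without quotes; `command_line CONTAINS("*-value*")` and `command_line CONTAINS("*0*")` would match the surrounding style. The `*0*` alternative also matches almost any command line, so the `(CONTAINS("*00000000*") AND CONTAINS("*0*"))` branch adds no selectivity beyond the `*SafeDllSearchMode*` term, and the same always-true `OR CommandLine="*0*"` alternative is repeated in the Splunk, Elastic and LogPoint searches of the next hunk; if the intent is to require a zero value, the pattern should be tightened in all four places. The enclosing `code` block continues outside the hunk.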
@@ -38,33 +39,33 @@ implementations: type: Pseudocode - name: Splunk Search - Creation of SafeDllSearchMode description: This is a Splunk representation of the above pseudocode. - code: |- + code: | (source="WinEventLog:*" ((((EventCode="4688" OR EventCode="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) (CommandLine="*00000000*" OR CommandLine="*0*") CommandLine="*SafeDllSearchMode*") OR ((EventCode="4657") ObjectValueName="SafeDllSearchMode" value="0")) OR ((EventCode="13") EventType="SetValue" TargetObject="*SafeDllSearchMode" Details="DWORD (0x00000000)"))) data_model: Win. Eventlog/Sysmon native type: Splunk - name: Elastic Search - Creation of SafeDllSearchMode description: This is an Elastic representation of the above pseudocode. - code: |- + code: | (((EventCode:("4688" OR "1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:(*00000000* OR *0*) AND process.command_line:*SafeDllSearchMode*) OR (EventCode:"4657" AND winlog.event_data.ObjectValueName:"SafeDllSearchMode" AND value:"0")) OR (EventCode:"13" AND winlog.event_data.EventType:"SetValue" AND winlog.event_data.TargetObject:*SafeDllSearchMode AND winlog.event_data.Details:"DWORD\ \(0x00000000\)")) data_model: Win. Eventlog/Sysmon native type: Elastic - name: LogPoint Search - Creation of SafeDllSearchMode description: This is a LogPoint representation of the above pseudocode. 
- code: |- + code: | (((EventCode IN ["4688", "1"] ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine IN ["*00000000*", "*0*"] CommandLine="*SafeDllSearchMode*") OR (EventCode IN "4657" ObjectValueName="SafeDllSearchMode" value="0")) OR (EventCode IN "13" EventType="SetValue" TargetObject="*SafeDllSearchMode" Details="DWORD (0x00000000)")) data_model: Win. Eventlog/Sysmon native type: LogPoint unit_tests: - description: Execute command with cmd commands: - - reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /d 0 + - reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /d 0 - description: Execute command with powershell commands: - - Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name SafeDllSearchMode -Value 0 + - Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name SafeDllSearchMode -Value 0 data_model_references: - process/create/command_line - registry/add/key d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA - label: Process Spawn Analysis \ No newline at end of file + label: Process Spawn Analysis diff --git a/analytics/CAR-2021-11-002.yaml b/analytics/CAR-2021-11-002.yaml index e3f63718..543d9480 100644 --- a/analytics/CAR-2021-11-002.yaml +++ b/analytics/CAR-2021-11-002.yaml @@ -1,3 +1,4 @@ +--- title: Registry Edit with Modification of Userinit, Shell or Notify submission_date: 2021/11/28 information_domain: Host 
@@ -11,7 +12,7 @@ analytic_types: contributors: - Lucas Heiligenstein id: CAR-2021-11-002 -description: |- +description: | Detection of modification of the registry key values of `Notify`, `Userinit`, and `Shell` located in `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` and `HKEY_LOCAL_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\`. When a user logs on, the Registry key values of `Notify`, `Userinit` and `Shell` are used to load dedicated Windows component. Attackers may insert malicious payload following the legitimate value to launch a malicious payload. coverage: - technique: T1547 @@ -28,7 +29,7 @@ coverage: implementations: - name: Userinit/Shell/Notify Registry Modifications description: This detects logon registry key modification, either via a new process (command line) or direct registry manipulation. - code: |- + code: | processes = search Process:create logon_reg_processes = filter processes where command_line CONTAINS("*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*") AND (command_line CONTAINS("*Userinit*") OR command_line CONTAINS("*Shell*") OR command_line CONTAINS("*Notify*")) AND (((command_line CONTAINS("*reg*") OR command_line CONTAINS("*add*") OR command_line CONTAINS("*/d*")) OR (command_line CONTAINS("*Set-ItemProperty*") OR command_line CONTAINS("*New-ItemProperty*") OR command_line CONTAINS("*-value*")))) reg_keys = search Registry:value_edit 
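Review bot: The description in this hunk names `HKEY_LOCAL_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\`, which is not a registry hive name; the unit tests in this file use `HKEY_CURRENT_USER`, so this presumably should read `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\`. While touching the line, `load dedicated Windows component` reads better as `load dedicated Windows components`.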
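Review bot: The pseudocode in the `@@ -28,7 +29,7 @@` hunk joins `*reg*`, `*add*` and `*/d*` with OR, whereas the Splunk, Elastic and LogPoint searches in the following hunk require all three (`CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*"`), and it likewise ORs `*-value*` with the `*Set-ItemProperty*`/`*New-ItemProperty*` terms where the implementations AND them. As written, any command line mentioning `Winlogon` and `Shell` plus the substring `add` satisfies the pseudocode, so the reference logic is considerably broader than what the searches detect; changing those inner ORs to ANDs would bring it in line. The enclosing `code` block continues outside the hunk.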
@@ -38,26 +39,26 @@ implementations: type: Pseudocode - name: Splunk Search - Modification of Userinit, Shell or Notify description: This is a Splunk representation of the above pseudocode. - code: |- + code: | (((((EventCode="4688" OR EventCode="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR ((CommandLine="*Set-ItemProperty*" OR CommandLine="*New-ItemProperty*") CommandLine="*-value*")) CommandLine="*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" (CommandLine="*Userinit*" OR CommandLine="*Shell*" OR CommandLine="*Notify*")) OR ((EventCode="4657") (ObjectValueName="Userinit" OR ObjectValueName="Shell" OR ObjectValueName="Notify"))) OR ((EventCode="13") (TargetObject="*Userinit" OR TargetObject="*Shell" OR TargetObject="*Notify")))) type: Splunk - name: Elastic Search - Modification of Userinit, Shell or Notify description: This is an ElasticSearch representation of the above pseudocode. - code: |- + code: | (((EventCode:("4688" OR "1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:(*Set\-ItemProperty* OR *New\-ItemProperty*) AND process.command_line:*\-value*)) AND process.command_line:*\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon* AND process.command_line:(*Userinit* OR *Shell* OR *Notify*)) OR (EventCode:"4657" AND winlog.event_data.ObjectValueName:("Userinit" OR "Shell" OR "Notify"))) OR (EventCode:"13" AND winlog.event_data.TargetObject:(*Userinit OR *Shell OR *Notify))) type: Elastic - name: LogPoint Search - Modification of Userinit, Shell or Notify description: This is a LogPoint representation of the above pseudocode. 
- code: |- + code: | (((EventCode IN ["4688", "1"] ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine IN ["*Set-ItemProperty*", "*New-ItemProperty*"] CommandLine="*-value*")) CommandLine="*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" CommandLine IN ["*Userinit*", "*Shell*", "*Notify*"]) OR (EventCode IN "4657" ObjectValueName IN ["Userinit", "Shell", "Notify"])) OR (EventCode IN "13" TargetObject IN ["*Userinit", "*Shell", "*Notify"])) type: LogPoint unit_tests: -- description: Modification on Registry Key with cmd. Calc.exe will be launched when user will login - commands: - - reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d C:\Windows\system32\userinit.exe,C:\Windows\system32\calc.exe -- description: Modification on Registry Key with Powershell. Calc.exe will be launched when user will login - commands: - - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Userinit -Value C:\Windows\system32\userinit.exe,C:\Windows\system32\calc.exe + - description: Modification on Registry Key with cmd. Calc.exe will be launched when user will login + commands: + - reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d C:\Windows\system32\userinit.exe,C:\Windows\system32\calc.exe + - description: Modification on Registry Key with Powershell. Calc.exe will be launched when user will login + commands: + - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Userinit -Value C:\Windows\system32\userinit.exe,C:\Windows\system32\calc.exe data_model_references: - process/create/command_line - registry/add/key diff --git a/analytics/CAR-2021-12-001.yaml b/analytics/CAR-2021-12-001.yaml index 6713cb71..56a9d317 100644 --- a/analytics/CAR-2021-12-001.yaml +++ b/analytics/CAR-2021-12-001.yaml 
@@ -1,3 +1,4 @@ +--- title: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths submission_date: 2021/12/04 information_domain: Host 
@@ -23,7 +24,7 @@ coverage: implementations: - name: Creation of Suspicious Scheduled Tasks description: This detects the creation of suspicious scheduled tasks, either via a new process (command line) or direct through the corresponding Windows EIDs. - code: |- + code: | processes = search Process:create susp_tasks_processes = filter processes where command_line CONTAINS("*SCHTASKS*") AND (command_line CONTAINS("*/CREATE*") OR command_line CONTAINS("*/CHANGE*")) AND (command_line CONTAINS("*.cmd*") OR command_line CONTAINS("*.ps1*") OR command_line CONTAINS("*.vbs*") OR command_line CONTAINS("*.py*") OR command_line CONTAINS("*.js*") OR command_line CONTAINS("*.exe*") OR command_line CONTAINS("*.bat*") OR (command_line CONTAINS("*javascript*") OR command_line CONTAINS("*powershell*") OR command_line CONTAINS("*wmic*") OR command_line CONTAINS("*rundll32*") OR command_line CONTAINS("*cmd*") OR command_line CONTAINS("*cscript*") OR command_line CONTAINS("*wscript*") OR command_line CONTAINS("*regsvr32*") OR command_line CONTAINS("*mshta*") OR command_line CONTAINS("*bitsadmin*") OR command_line CONTAINS("*certutil*") OR command_line CONTAINS("*msiexec*") OR command_line CONTAINS("*javaw*") OR (command_line CONTAINS("*%APPDATA%*") OR command_line CONTAINS("*\\AppData\\Roaming*") OR command_line CONTAINS("*%PUBLIC%*") OR command_line CONTAINS("*C:\\Users\\Public*") OR command_line CONTAINS("*%ProgramData%*") OR command_line CONTAINS("*C:\\ProgramData*") OR command_line CONTAINS("*%TEMP%*") OR command_line CONTAINS("*\\AppData\\Local\\Temp*") OR command_line CONTAINS("*\\Windows\\PLA\\System*") OR command_line CONTAINS("*\\tasks*") OR command_line CONTAINS("*\\Registration\\CRMLog*") OR command_line CONTAINS("*\\FxsTmp*") OR command_line CONTAINS("*\\spool\\drivers\\color*") OR command_line CONTAINS("*\\tracing*")))) tasks = search Task:create 
@@ -33,29 +34,29 @@ implementations: type: Pseudocode - name: Splunk Search - Scheduled Task creation or modification containing suspicious script, extension or user writable path. description: This is a Splunk representation of the above pseudocode search. - code: |- + code: | (((EventCode="4688" OR EventCode="1") CommandLine="*SCHTASKS*" (CommandLine="*/CREATE*" OR CommandLine="*/CHANGE*")) ((CommandLine="*.cmd*" OR CommandLine="*.ps1*" OR CommandLine="*.vbs*" OR CommandLine="*.py*" OR CommandLine="*.js*" OR CommandLine="*.exe*" OR CommandLine="*.bat*") OR (CommandLine="*javascript*" OR CommandLine="*powershell*" OR CommandLine="*wmic*" OR CommandLine="*rundll32*" OR CommandLine="*cmd*" OR CommandLine="*cscript*" OR CommandLine="*wscript*" OR CommandLine="*regsvr32*" OR CommandLine="*mshta*" OR CommandLine="*bitsadmin*" OR CommandLine="*certutil*" OR CommandLine="*msiexec*" OR CommandLine="*javaw*") OR (CommandLine="*%APPDATA%*" OR CommandLine="*\\AppData\\Roaming*" OR CommandLine="*%PUBLIC%*" OR CommandLine="*C:\\Users\\Public*" OR CommandLine="*%ProgramData%*" OR CommandLine="*C:\\ProgramData*" OR CommandLine="*%TEMP%*" OR CommandLine="*\\AppData\\Local\\Temp*" OR CommandLine="*\\Windows\\PLA\\System*" OR CommandLine="*\\tasks*" OR CommandLine="*\\Registration\\CRMLog*" OR CommandLine="*\\FxsTmp*" OR CommandLine="*\\spool\\drivers\\color*" OR CommandLine="*\\tracing*"))) OR ((EventCode="4698" OR EventCode="4702") ((TaskContent="*.cmd*" OR TaskContent="*.ps1*" OR TaskContent="*.vbs*" OR TaskContent="*.py*" OR TaskContent="*.js*" OR TaskContent="*.exe*" OR TaskContent="*.bat*") OR (TaskContent="*javascript*" OR TaskContent="*powershell*" OR TaskContent="*wmic*" OR TaskContent="*rundll32*" OR TaskContent="*cmd*" OR TaskContent="*cscript*" OR TaskContent="*wscript*" OR TaskContent="*regsvr32*" OR TaskContent="*mshta*" OR TaskContent="*bitsadmin*" OR TaskContent="*certutil*" OR TaskContent="*msiexec*" OR TaskContent="*javaw*") OR (TaskContent="*%APPDATA%*" OR 
TaskContent="*\\AppData\\Roaming*" OR TaskContent="*%PUBLIC%*" OR TaskContent="*C:\\Users\\Public*" OR TaskContent="*%ProgramData%*" OR TaskContent="*C:\\ProgramData*" OR TaskContent="*%TEMP%*" OR TaskContent="*\\AppData\\Local\\Temp*" OR TaskContent="*\\Windows\\PLA\\System*" OR TaskContent="*\\tasks*" OR TaskContent="*\\Registration\\CRMLog*" OR TaskContent="*\\FxsTmp*" OR TaskContent="*\\spool\\drivers\\color*" OR TaskContent="*\\tracing*"))) type: Splunk - name: Elastic Search - Scheduled Task creation or modification containing suspicious script, extension or user writable path. description: This is an ElasticSearch representation of the above pseudocode search. - code: |- + code: | ((winlog.event_id:("4688" OR "1") AND process.command_line:*SCHTASKS* AND process.command_line:(*\/CREATE* OR *\/CHANGE*)) AND (process.command_line:(*.cmd* OR *.ps1* OR *.vbs* OR *.py* OR *.js* OR *.exe* OR *.bat*) OR process.command_line:(*javascript* OR *powershell* OR *wmic* OR *rundll32* OR *cmd* OR *cscript* OR *wscript* OR *regsvr32* OR *mshta* OR *bitsadmin* OR *certutil* OR *msiexec* OR *javaw*) OR process.command_line:(*%APPDATA%* OR *\\AppData\\Roaming* OR *%PUBLIC%* OR *C\:\\Users\\Public* OR *%ProgramData%* OR *C\:\\ProgramData* OR *%TEMP%* OR *\\AppData\\Local\\Temp* OR *\\Windows\\PLA\\System* OR *\\tasks* OR *\\Registration\\CRMLog* OR *\\FxsTmp* OR *\\spool\\drivers\\color* OR *\\tracing*))) OR (winlog.event_id:("4698" OR "4702") AND (winlog.event_data.TaskContent:(*.cmd* OR *.ps1* OR *.vbs* OR *.py* OR *.js* OR *.exe* OR *.bat*) OR winlog.event_data.TaskContent:(*javascript* OR *powershell* OR *wmic* OR *rundll32* OR *cmd* OR *cscript* OR *wscript* OR *regsvr32* OR *mshta* OR *bitsadmin* OR *certutil* OR *msiexec* OR *javaw*) OR winlog.event_data.TaskContent:(*%APPDATA%* OR *\\AppData\\Roaming* OR *%PUBLIC%* OR *C\:\\Users\\Public* OR *%ProgramData%* OR *C\:\\ProgramData* OR *%TEMP%* OR *\\AppData\\Local\\Temp* OR *\\Windows\\PLA\\System* OR *\\tasks* OR 
*\\Registration\\CRMLog* OR *\\FxsTmp* OR *\\spool\\drivers\\color* OR *\\tracing*))) type: Elastic - name: LogPoint Search - Scheduled Task creation or modification containing suspicious script, extension or user writable path. description: This is a LogPoint representation of the above pseudocode search. - code: |- + code: | ((event_id IN ["4688", "1"] CommandLine="*SCHTASKS*" CommandLine IN ["*/CREATE*", "*/CHANGE*"]) (CommandLine IN ["*.cmd*", "*.ps1*", "*.vbs*", "*.py*", "*.js*", "*.exe*", "*.bat*"] OR CommandLine IN ["*javascript*", "*powershell*", "*wmic*", "*rundll32*", "*cmd*", "*cscript*", "*wscript*", "*regsvr32*", "*mshta*", "*bitsadmin*", "*certutil*", "*msiexec*", "*javaw*"] OR CommandLine IN ["*%APPDATA%*", "*\\AppData\\Roaming*", "*%PUBLIC%*", "*C:\\Users\\Public*", "*%ProgramData%*", "*C:\\ProgramData*", "*%TEMP%*", "*\\AppData\\Local\\Temp*", "*\\Windows\\PLA\\System*", "*\\tasks*", "*\\Registration\\CRMLog*", "*\\FxsTmp*", "*\\spool\\drivers\\color*", "*\\tracing*"])) OR (event_id IN ["4698", "4702"] (TaskContent IN ["*.cmd*", "*.ps1*", "*.vbs*", "*.py*", "*.js*", "*.exe*", "*.bat*"] OR TaskContent IN ["*javascript*", "*powershell*", "*wmic*", "*rundll32*", "*cmd*", "*cscript*", "*wscript*", "*regsvr32*", "*mshta*", "*bitsadmin*", "*certutil*", "*msiexec*", "*javaw*"] OR TaskContent IN ["*%APPDATA%*", "*\\AppData\\Roaming*", "*%PUBLIC%*", "*C:\\Users\\Public*", "*%ProgramData%*", "*C:\\ProgramData*", "*%TEMP%*", "*\\AppData\\Local\\Temp*", "*\\Windows\\PLA\\System*", "*\\tasks*", "*\\Registration\\CRMLog*", "*\\FxsTmp*", "*\\spool\\drivers\\color*", "*\\tracing*"])) type: LogPoint unit_tests: -- description: Creation Scheduled Task with cmd. Calc.exe will be launched every minute - commands: - - SCHTASKS /CREATE /SC MINUTE /MO 1 /TN "CALC_TASK" /TR "C:\Windows\System32\calc.exe" -- description: Creation Scheduled Task with cmd. 
Ping will be launched every minute - commands: - - SCHTASKS /CREATE /SC MINUTE /MO 1 /TN "PING_TASK" /TR "cmd /c ping 8.8.8.8" + - description: Creation Scheduled Task with cmd. Calc.exe will be launched every minute + commands: + - SCHTASKS /CREATE /SC MINUTE /MO 1 /TN "CALC_TASK" /TR "C:\Windows\System32\calc.exe" + - description: Creation Scheduled Task with cmd. Ping will be launched every minute + commands: + - SCHTASKS /CREATE /SC MINUTE /MO 1 /TN "PING_TASK" /TR "cmd /c ping 8.8.8.8" data_model_references: - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA - label: Process Spawn Analysis \ No newline at end of file + label: Process Spawn Analysis diff --git a/analytics/CAR-2021-12-002.yaml b/analytics/CAR-2021-12-002.yaml index 372f942e..64197ced 100644 --- a/analytics/CAR-2021-12-002.yaml +++ b/analytics/CAR-2021-12-002.yaml @@ -1,3 +1,4 @@ +--- title: Modification of Default Startup Folder in the Registry Key 'Common Startup' submission_date: 2021/12/06 information_domain: Host 
@@ -11,7 +12,7 @@ analytic_types: contributors: - Lucas Heiligenstein id: CAR-2021-12-002 -description: Detection of the modification of the registry key `Common Startup` located in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\`. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys. +description: Detection of the modification of the registry key `Common Startup` located in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\`. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys. coverage: - technique: T1547 tactics: @@ -27,7 +28,7 @@ coverage: implementations: - name: Common Startup Registry Key Modification description: This detects modification of the `Common Startup` registry key value, either via a new process (command line) or direct registry manipulation. - code: |- + code: | processes = search Process:create logon_reg_processes = filter processes where (command_line CONTAINS("*reg*") AND command_line CONTAINS("*add*") AND command_line CONTAINS("*/d*") OR (command_line CONTAINS("*Set-ItemProperty*") AND command_line CONTAINS("*-value*")) AND command_line CONTAINS("*Common Startup*")) reg_keys = search Registry:value_edit 
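Review bot: The rewritten description line lists `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\` twice as the two locations of `Common Startup`; the second path is presumably meant to be the per-user counterpart under `HKEY_CURRENT_USER`, since the two entries are otherwise identical. The `-`/`+` pair looks byte-identical in the hunk, so the edit is likely trailing-whitespace removal; fixing the duplicated path at the same time would be cheap.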
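Review bot: In the pseudocode of the `@@ -27,7 +28,7 @@` hunk, `command_line CONTAINS("*Common Startup*")` is attached only to the `Set-ItemProperty` branch: with AND binding tighter than OR, the filter reads `(reg AND add AND /d) OR (Set-ItemProperty AND -value AND Common Startup)`, so any `reg add … /d` command line passes. The Splunk search in the next hunk has the same shape — `(CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*"` — and there the implicit AND also leaves the `EventCode` test on the first branch only. The LogPoint variant already groups the two alternatives, `((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*"`; the pseudocode and Splunk searches should use that grouping. The enclosing `code` block continues outside the hunk.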
@@ -37,30 +38,30 @@ implementations: type: Pseudocode - name: Splunk Search - Modification of default Startup Folder in the Registry Key "Common Startup" description: This is a Splunk representation of the above pseudocode search. - code: |- + code: | (((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR ((EventCode="4657" ObjectValueName="Common Startup") OR (EventCode="13" TargetObject="*Common Startup"))) type: Splunk - name: Elastic Search - Modification of default Startup Folder in the Registry Key "Common Startup" description: This is an ElasticSeearech representation of the above pseudocode search. - code: |- + code: | ((EventLog:"Security" AND (winlog.event_id:"4688" OR winlog.event_id:"1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:*Common\ Startup*) OR (winlog.event_id:"4657" AND winlog.event_data.ObjectValueName:"Common\ Startup") OR (winlog.event_id:"13" AND winlog.event_data.TargetObject:"*Common Startup")) type: Elastic - name: LogPoint Search - Modification of default Startup Folder in the Registry Key "Common Startup" description: This is a LogPoint representation of the above pseudocode search. - code: |- + code: | ((EventLog="Security" (event_id="4688" OR event_id="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup") OR (event_id="13" TargetObject="*Common Startup")) type: LogPoint unit_tests: -- description: Modification on Registry Key with cmd. 
Files in new_malicious_startup_folder will be launched when user logon - commands: - - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup" /d "C:\Users\Lucas\Documents\new_malicious_startup_folder" /f -- description: Modification on Registry Key with Powershell. Files in new_malicious_startup_folder will be launched when user logon - commands: - - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value C:\Users\Lucas\Documents\new_malicious_startup_folder + - description: Modification on Registry Key with cmd. Files in new_malicious_startup_folder will be launched when user logon + commands: + - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup" /d "C:\Users\Lucas\Documents\new_malicious_startup_folder" /f + - description: Modification on Registry Key with Powershell. Files in new_malicious_startup_folder will be launched when user logon + commands: + - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value C:\Users\Lucas\Documents\new_malicious_startup_folder data_model_references: - process/create/command_line - registry/add/key d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA - label: Process Spawn Analysis \ No newline at end of file + label: Process Spawn Analysis diff --git a/analytics/CAR-2022-03-001.yaml b/analytics/CAR-2022-03-001.yaml index 00003160..752d5b13 100644 --- a/analytics/CAR-2022-03-001.yaml +++ b/analytics/CAR-2022-03-001.yaml @@ -1,4 +1,3 @@ - --- title: Disable Windows Event Logging submission_date: 2022/03/14 
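Review bot: The Elastic and LogPoint searches in this hunk require `EventLog:"Security"` / `EventLog="Security"` together with event id 4688 OR 1, but Sysmon's process-creation event 1 is written to the Sysmon operational channel rather than the Security log, so the event-1 alternative can presumably never match in those two searches (the Splunk version carries no such channel constraint). In the Elastic search, `winlog.event_data.TargetObject:"*Common Startup"` places the wildcard inside a quoted phrase, unlike the unquoted `*Common\ Startup*` used for the command line earlier in the same query; `winlog.event_data.TargetObject:*Common\ Startup` would be consistent. Also `ElasticSeearech` in the description is a typo for `ElasticSearch`.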
@@ -12,7 +11,7 @@ analytic_types: contributors: - Lucas Heiligenstein id: CAR-2022-03-001 -description: |- +description: | Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections. There are different ways to perform this attack. 1. The first one is to create the Registry Key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt`. This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses powershell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise). 2. The second way is to disable the service EventLog (display name Windows Event Log). After disabed, attacker must reboot the system. The action of disabling or put in manual the service will modify the Registry Key value `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\start`, therefore Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. 
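Review bot: The description block scalar switched to `|` here still carries two wording slips: `After disabed, attacker must reboot the system` should read `After it is disabled, the attacker must reboot the system`, and `disabling or put in manual the service` should read `disabling the service or setting it to manual`. Since the line is already being touched by the chomping change, fixing the wording in the same commit avoids a second churn of this long scalar.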
@@ -22,53 +21,52 @@ description: |- coverage: - technique: T1562 subtechniques: - - T1562.002 + - T1562.002 tactics: - - TA0005 + - TA0005 coverage: Moderate implementations: - name: Detection of Disable Windows Event Logging description: This detects the disabling of Windows Event Logging, via process command line or registry key value manipulation. - code: |- + code: | processes = search Process:create susp_processes = filter processes where ((command_line CONTAINS("*New-Item*") OR command_line CONTAINS("*reg add*")) OR command_line CONTAINS("*MiniNt*")) OR (command_line CONTAINS("*Stop-Service*")AND command_line CONTAINS("*EventLog*")) OR (command_line CONTAINS("*EventLog*") AND (command_line CONTAINS("*Set-Service*") OR command_line CONTAINS("*reg add*") OR command_line CONTAINS("*Set-ItemProperty*") OR command_line CONTAINS("*New-ItemProperty*") OR command_line CONTAINS("*sc config*"))) OR (command_line CONTAINS("*auditpol*") AND (command_line CONTAINS("*/set*") OR command_line CONTAINS("*/clear*") OR command_line CONTAINS("*/revove*"))) OR ((command_line CONTAINS("*wevtutil*") AND (command_line CONTAINS("*sl*") OR command_line CONTAINS("*set-log*")))) - reg_keys = search Registry:value_edit event_log_reg_keys = filter reg_keys where Key="*EventLog*" AND (value="Start" OR value="File" OR value="MaxSize") output susp_processes, event_log_reg_keys type: Pseudocode - name: Detection of Disable Windows Event Logging description: Splunk version of the CAR pseudocode. 
- code: |- + code: | ((EventCode="4688" OR EventCode="1") ((CommandLine="*New-Item*" OR CommandLine="*reg add*") CommandLine="*MiniNt*")OR (CommandLine="*Stop-Service*" CommandLine="*EventLog*")OR (CommandLine="*EventLog*" (CommandLine="*Set-Service*" OR CommandLine="*reg add*" OR CommandLine="*Set-ItemProperty*" OR CommandLine="*New-ItemProperty*" OR CommandLine="*sc config*")) OR (CommandLine="*auditpol*" (CommandLine="*/set*" OR CommandLine="*/clear*" OR CommandLine="*/revove*")) OR ((CommandLine="*wevtutil*" (CommandLine="*sl*" OR CommandLine="*set-log*")))) OR (EventCode="4719") OR ((EventCode="4657" OR EventCode="13") (ObjectName="*EventLog*") (ObjectValueName="Start" OR ObjectValueName="File" OR ObjectValueName="MaxSize")) type: Splunk - name: Detection of Disable Windows Event Logging description: LogPoint version of the CAR pseudocode. - code: |- + code: | ((((((EventCode IN ["4688", "1"] CommandLine="*New-Item*" CommandLine="*reg add*" CommandLine IN "*MiniNt*") OR (CommandLine="*Stop-Service*" CommandLine="*EventLog*")) OR (CommandLine IN ["*Set-Service*", "*reg add*", "*Set-ItemProperty*", "*New-ItemProperty*", "*sc config*"] CommandLine IN "*EventLog*")) OR (CommandLine IN "*auditpol*" CommandLine IN ["*/set*", "*/clear*", "*/revove*"])) OR (CommandLine IN "*wevtutil*" CommandLine IN ["*sl*", "*set-log*"]) OR EventCode IN "4719") OR (EventCode IN ["4657", "13"] ObjectName IN "*EventLog*" ObjectValueName IN ["Start", "File", "MaxSize"])) type: LogPoint unit_tests: -- description: MiniNt Registry Key creation with cmd. - commands: - - reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt" -- description: MiniNt Registry Key creation with powershell. - commands: - - New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt" -- description: Disable EvenLog Service with Set-Service. - commands: - - Set-Service -Name EventLog -StartupType Disabled -- description: Registry Key modification to disable EventLog Service. 
- commands: - - reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog" /v start /t REG_DWORD /d 0x00000004 /f -- description: Stop EventLog Service with Stop-Service. - commands: - - Stop-Service -Name EventLog -Force -- description: Audit configuration modification to disable EventLog with auditpol. - commands: - - auditpol.exe /set /subcategory:"Process Creation" /success:Disable /failure:Disable -- description: Modification of Security EventLog path with wevtutil. - commands: - - wevtutil.exe sl Security /logfilename:"C:\Windows\System32\winevt\Not-Important-Log.evtx" + - description: MiniNt Registry Key creation with cmd. + commands: + - reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt" + - description: MiniNt Registry Key creation with powershell. + commands: + - New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt" + - description: Disable EvenLog Service with Set-Service. + commands: + - Set-Service -Name EventLog -StartupType Disabled + - description: Registry Key modification to disable EventLog Service. + commands: + - reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog" /v start /t REG_DWORD /d 0x00000004 /f + - description: Stop EventLog Service with Stop-Service. + commands: + - Stop-Service -Name EventLog -Force + - description: Audit configuration modification to disable EventLog with auditpol. + commands: + - auditpol.exe /set /subcategory:"Process Creation" /success:Disable /failure:Disable + - description: Modification of Security EventLog path with wevtutil. + commands: + - wevtutil.exe sl Security /logfilename:"C:\Windows\System32\winevt\Not-Important-Log.evtx" data_model_references: - registry/value_edit/value - process/create/command_line diff --git a/data_model/authentication.yaml b/data_model/authentication.yaml index bf6fcbb1..130efe0e 100644 --- a/data_model/authentication.yaml +++ b/data_model/authentication.yaml 
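Review bot: `*/revove*` in the auditpol clause of the pseudocode, and again in the Splunk and LogPoint searches of this hunk, is a typo for `*/remove*`; as written, an `auditpol /remove` invocation is matched by none of the three, while `/set` and `/clear` are. The LogPoint search also ANDs `CommandLine="*New-Item*" CommandLine="*reg add*"` where the pseudocode and Splunk versions OR them (`(CommandLine="*New-Item*" OR CommandLine="*reg add*") CommandLine="*MiniNt*"`), so the MiniNt branch appears to require both strings on one command line and the `EventCode IN ["4688", "1"]` restriction ends up scoped to that branch alone; mirroring the Splunk grouping would fix both. Minor: `CONTAINS("*Stop-Service*")AND` is missing a space before `AND`, and the unit test description `Disable EvenLog Service` should be `Disable EventLog Service`.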
@@ -12,7 +12,7 @@ fields:
- name: app_name
description: Name of the application that made the authentication request
example: ssh, win:local
- - name: method
+ - name: method
description: The authentication method that was used.
example: SMAL, Kerberos
- name: auth_service
@@ -66,4 +66,3 @@ fields:
- name: target_user
description: Name of the user being authenticated; this only pertains to privilage escalation events where the current user is not necessarily the same as the target user.
example: HOST1\LOCALUSER2
-
diff --git a/data_model/driver.yaml b/data_model/driver.yaml
index e111f703..c76cb4f1 100644
--- a/data_model/driver.yaml
+++ b/data_model/driver.yaml
@@ -39,4 +39,4 @@ fields:
example: 1533
- name: signature_valid
description: Boolean indicator of whether the driver is signed and whether the signature is current and not revoked
- example: True
\ No newline at end of file
+ example: true
diff --git a/data_model/email.yaml b/data_model/email.yaml
index 70a1a0f8..4deb4539 100644
--- a/data_model/email.yaml
+++ b/data_model/email.yaml
@@ -16,7 +16,7 @@ fields:
- name: action_reason
description: The rationale given for blocking, redirecting, or quarantining an email.
example: "Malformed Message"
- - name: attachment_name
+ - name: attachment_name
description: Filename of any email attachment that may exist.
example: "cuddly-cats.pdf"
- name: attachment_size
@@ -75,20 +75,3 @@ fields:
- name: to
description: the content of the To field in the email header; does not necessarily match up with real recipients.
example: "adam@example.com"
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/data_model/file.yaml b/data_model/file.yaml
index 72c5df33..80b292db 100755
--- a/data_model/file.yaml
+++ b/data_model/file.yaml
@@ -90,7 +90,7 @@ fields:
example: 0644 (linux) or NTFS ACL
- name: signature_valid
description: Boolean indicator of whether the signature is valid; empty if file is not signed.
- example: True
+ example: true
- name: uid
description: The user ID or SID for the acting entity.
example: S-1-5-18
diff --git a/data_model/flow.yaml b/data_model/flow.yaml
index 6095ae51..30f6f2c2 100644
--- a/data_model/flow.yaml
+++ b/data_model/flow.yaml
@@ -89,4 +89,4 @@ fields:
example: TCP
- name: uid
description: User ID or SID of the flow-handling entity.
- example: S-1-5-18
\ No newline at end of file
+ example: S-1-5-18
diff --git a/data_model/http.yaml b/data_model/http.yaml
index 044f9429..c2499a66 100644
--- a/data_model/http.yaml
+++ b/data_model/http.yaml
@@ -14,7 +14,7 @@ fields:
- name: hostname
description: hostname on which the request was seen.
example: HOST1
- - name: request_body_bytes
+ - name: request_body_bytes
description: Integer value corresponding to the total number of bytes in the request.
example: 180
- name: http_version
@@ -60,21 +60,3 @@ fields:
- name: user_agent_version
description: User Agent Version. Note that some User Agent strings may not label versions in the same way.
example: 4.0
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/data_model/module.yaml b/data_model/module.yaml
index 01bc2b58..733fdc44 100644
--- a/data_model/module.yaml
+++ b/data_model/module.yaml
@@ -1,6 +1,6 @@
---
-name: Library
-description: Libraries correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a shared library or module (DLLs in Windows) and their dependencies.
+name: Module
+description: Modules correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies.
actions:
- name: load
description: A module load event occurs when a PE image (dll or exe) is loaded into a process.
@@ -45,4 +45,4 @@ fields:
example: 50
- name: signature_valid
description: Boolean indicator of whether the signature is current and not revoked
- example: True
\ No newline at end of file
+ example: true
diff --git a/data_model/process.yaml b/data_model/process.yaml
index 725f63d8..90279c51 100644
--- a/data_model/process.yaml
+++ b/data_model/process.yaml
@@ -79,7 +79,7 @@ fields:
example: "{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}"
- name: signature_valid
description: Boolean indicator of whether signature is current and not revoked.
- example: True
+ example: true
- name: target_guid
description: Global Unique Identifier for the target process (only for process access events).
- name: target_pid
diff --git a/data_model/service.yaml b/data_model/service.yaml
index c47159fc..61081c26 100644
--- a/data_model/service.yaml
+++ b/data_model/service.yaml
@@ -42,4 +42,4 @@ fields:
example: 1860
- name: uid
description: The ID of SID of the user who acted on the service
- example: S-1-5-18
\ No newline at end of file
+ example: S-1-5-18
diff --git a/data_model/socket.yaml b/data_model/socket.yaml
index ed3c9f1d..c5e3b3e9 100644
--- a/data_model/socket.yaml
+++ b/data_model/socket.yaml
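Review bot: The rewritten `description` in the first hunk reads awkwardly ("the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies"); I'd reword it to `description: Modules correspond to executable (and potentially non-executable) content loaded as a contiguous region of memory into a process's address space. Each process has its main image loaded as a module, together with its shared libraries (DLLs on Windows) and their dependencies.` Renaming `name: Library` to `name: Module` also changes a visible identifier; if any site generation or cross-reference keys on that display name rather than on the file name, it would need updating in the same commit, which I cannot confirm from this diff.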
@@ -12,12 +12,12 @@ fields:
- name: pid
description: ID of the process that acted on the socket
example: 3930
- - name: image_path
+ - name: image_path
description: Path to the executable that initiated the socket event.
example: C:/user/adam/malware.exe
- name: success
description: Boolean indicator of whether the socket event was successful (e.g. the socket was created as requested)
- example: True
+ example: true
- name: family
description: The type of socket in question
example: AF_UNIX, AF_INET, AF_INET6
@@ -39,20 +39,3 @@ fields:
- name: local_path
description: In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets.
example: "/tmp/foo"
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/data_model/user_session.yaml b/data_model/user_session.yaml
index 11c4c3fa..d268ec57 100755
--- a/data_model/user_session.yaml
+++ b/data_model/user_session.yaml
@@ -1,5 +1,5 @@
---
-name: User Sesssion
+name: User Session
description: User sessions are the user activities undertaken on the computer in the course of conducting standard user actions.
actions:
- name: lock
@@ -42,5 +42,4 @@ fields:
example: S-1-5-18
- name: login_successful
description: Boolean indicator of whether a login attempt was successful
- example: False
-
+ example: false
diff --git a/scripts/analytic_schema.yaml b/scripts/analytic_schema.yaml
new file mode 100644
index 00000000..fa31a0e3
--- /dev/null
+++ b/scripts/analytic_schema.yaml
@@ -0,0 +1,43 @@
+---
+title: str()
+submission_date: regex('\d{4}/\d{2}/\d{2}', name='year/month/day')
+update_date: regex('\d{4}/\d{2}/\d{2}', name='year/month/day', required=False)
+information_domain: str()
+platforms: list(str(), required=False)
+subtypes: list(str())
+analytic_types: list(str())
+contributors: list(str(), required=False)
+id: str()
+description: str()
+coverage: list(include('coverage_item'), required=False)
+implementations: list(include('implementation'), required=False)
+unit_tests: list(include('unit_test'), required=False)
+true_positives: list(include('true_positive'), required=False)
+data_model_references: list(str(), required=False)
+references: list(str(), required=False)
+d3fend_mappings: list(include('d3fend_mapping'), required=False)
+---
+coverage_item:
+ technique: str()
+ subtechniques: list(str(), required=False)
+ tactics: list(str())
+ coverage: str()
+implementation:
+ name: str(required=False)
+ description: str(required=False)
+ code: str(required=False)
+ data_model: str(required=False)
+ type: str()
+unit_test:
+ configurations: list(str(), required=False)
+ description: subset(str())
+ commands: list(str(), required=False)
+true_positive:
+ source: str()
+ description: str(required=False)
+ event_snippet: str(required=False)
+ full_event: str(required=False)
+d3fend_mapping:
+ iri: str()
+ id: str()
+ label: str()
diff --git a/scripts/datamodel_schema.yaml b/scripts/datamodel_schema.yaml
new file mode 100644
index 00000000..bf9c1aa7
--- /dev/null
+++ b/scripts/datamodel_schema.yaml
@@ -0,0 +1,13 @@
+---
+name: str()
+description: str()
+actions: list(include('action'))
+fields: list(include('field'))
+---
+action:
+ name: str()
+ description: str()
+field:
+ name: str()
+ description: str()
+ example: subset(any(), allow_empty=True)
diff --git a/scripts/requirements.txt b/scripts/requirements.txt
index 37e19029..4e7bb9ed 100644
--- a/scripts/requirements.txt
+++ b/scripts/requirements.txt
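Review bot: The `submission_date` and `update_date` patterns are not anchored at the end, so a value such as `2023/01/015` or `2023/01/01 draft` still validates; as far as I recall yamale's `regex()` uses `re.match`, which pins only the start of the string. I'd write `submission_date: regex('^\d{4}/\d{2}/\d{2}$', name='year/month/day')` and the same for `update_date`. `id: str()` likewise accepts any text; if every analytic id follows the `CAR-YYYY-MM-NNN` form that the sensor files' `other_coverage` entries use, `id: regex('^CAR-\d{4}-\d{2}-\d{3}$', name='CAR id')` would catch typos that otherwise break cross-references silently. `implementation.type` could also be an `enum(...)` of the query languages actually in use (the analytics hunk earlier on this page shows `Splunk` and `LogPoint`), but I cannot see the full set from here.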
@@ -17,3 +17,5 @@ six==1.15.0
termcolor==1.1.0
tzlocal==2.1
urllib3==1.26.5
+yamale==4.0.4
+yamllint==1.29.0
diff --git a/scripts/sensor_schema.yaml b/scripts/sensor_schema.yaml
new file mode 100644
index 00000000..16463b85
--- /dev/null
+++ b/scripts/sensor_schema.yaml
@@ -0,0 +1,19 @@
+---
+sensor_name: str()
+sensor_version: any(str(), num())
+sensor_developer: str()
+sensor_url: str() # consider using a regex to validate that it is actually a url
+sensor_description: str(required=False)
+data_model_coverage: str(required=False)
+analytic_coverage: list(include('analytic'), required=False)
+mappings: list(include('mapping'))
+other_coverage: list(str())
+---
+analytic:
+ full_title: str()
+ id: str()
+mapping:
+ object: str()
+ action: str()
+ notes: str()
+ fields: list(str())
diff --git a/sensors/autoruns_13.98.yaml b/sensors/autoruns_13.98.yaml
index ac356f9d..e839766c 100644
--- a/sensors/autoruns_13.98.yaml
+++ b/sensors/autoruns_13.98.yaml
@@ -93,4 +93,4 @@ mappings:
- name
- value
other_coverage:
- - 'CAR-2013-01-002: Autorun Differences'
+ - 'CAR-2013-01-002: Autorun Differences'
diff --git a/sensors/osquery_4.1.2.yaml b/sensors/osquery_4.1.2.yaml
index e09d5845..eb6a5566 100755
--- a/sensors/osquery_4.1.2.yaml
+++ b/sensors/osquery_4.1.2.yaml
@@ -133,4 +133,4 @@ mappings:
- value
- data
other_coverage:
- - 'N/A'
\ No newline at end of file
+ - 'N/A'
diff --git a/sensors/sysmon_10.4.yaml b/sensors/sysmon_10.4.yaml
index 2b0a7189..93cdad7b 100755
--- a/sensors/sysmon_10.4.yaml
+++ b/sensors/sysmon_10.4.yaml
@@ -127,4 +127,4 @@ mappings:
- start_address
- start_module
other_coverage:
- - 'CAR-2019-04-004: Credential Dumping via Mimikatz'
+ - 'CAR-2019-04-004: Credential Dumping via Mimikatz'
diff --git a/sensors/sysmon_11.0.yaml b/sensors/sysmon_11.0.yaml
index 592f3cf9..a4ac2c16 100755
--- a/sensors/sysmon_11.0.yaml
+++ b/sensors/sysmon_11.0.yaml
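Review bot: `other_coverage: list(str())` makes the key mandatory, which is why the osquery sensor file in this same diff carries a `- 'N/A'` placeholder instead of an honest absence; `other_coverage: list(str(), required=False)` would let sensors omit the list, after which the `'N/A'` entries in the sensor files should be dropped. The inline comment on `sensor_url` could be acted on now: yamale has no URL validator that I know of, but `sensor_url: regex('^https?://', name='url')` already rejects the obvious mistakes. `sensor_version: any(str(), num())` also accepts a bare `1.10`-style version that YAML will have collapsed to the float `1.1` before validation runs, so quoting versions in the sensor files and tightening this to `str()` is worth considering.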
@@ -141,4 +141,4 @@ mappings:
- start_address
- start_module
other_coverage:
- - 'CAR-2019-04-004: Credential Dumping via Mimikatz'
+ - 'CAR-2019-04-004: Credential Dumping via Mimikatz'
diff --git a/sensors/sysmon_13.yaml b/sensors/sysmon_13.yaml
index 5c8d5619..c4cf7f21 100644
--- a/sensors/sysmon_13.yaml
+++ b/sensors/sysmon_13.yaml
@@ -161,4 +161,4 @@ mappings:
- start_module
- uid
other_coverage:
- - 'CAR-2019-04-004: Credential Dumping via Mimikatz'
+ - 'CAR-2019-04-004: Credential Dumping via Mimikatz'